1. Packages
  2. HashiCorp Vault Provider
  3. API Docs
  4. getPolicyDocument
HashiCorp Vault v6.7.0 published on Thursday, Apr 24, 2025 by Pulumi

vault.getPolicyDocument

Explore with Pulumi AI

HashiCorp Vault v6.7.0 published on Thursday, Apr 24, 2025 by Pulumi

This is a data source which can be used to construct a HCL representation of an Vault policy document, for use with resources which expect policy documents, such as the vault.Policy resource.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = vault.getPolicyDocument({
    rules: [{
        path: "secret/*",
        capabilities: [
            "create",
            "read",
            "update",
            "delete",
            "list",
        ],
        description: "allow all on secrets",
    }],
});
const examplePolicy = new vault.Policy("example", {
    name: "example_policy",
    policy: example.then(example => example.hcl),
});
Copy
import pulumi
import pulumi_vault as vault

example = vault.get_policy_document(rules=[{
    "path": "secret/*",
    "capabilities": [
        "create",
        "read",
        "update",
        "delete",
        "list",
    ],
    "description": "allow all on secrets",
}])
example_policy = vault.Policy("example",
    name="example_policy",
    policy=example.hcl)
Copy
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := vault.GetPolicyDocument(ctx, &vault.GetPolicyDocumentArgs{
			Rules: []vault.GetPolicyDocumentRule{
				{
					Path: "secret/*",
					Capabilities: []string{
						"create",
						"read",
						"update",
						"delete",
						"list",
					},
					Description: pulumi.StringRef("allow all on secrets"),
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = vault.NewPolicy(ctx, "example", &vault.PolicyArgs{
			Name:   pulumi.String("example_policy"),
			Policy: pulumi.String(example.Hcl),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = Vault.GetPolicyDocument.Invoke(new()
    {
        Rules = new[]
        {
            new Vault.Inputs.GetPolicyDocumentRuleInputArgs
            {
                Path = "secret/*",
                Capabilities = new[]
                {
                    "create",
                    "read",
                    "update",
                    "delete",
                    "list",
                },
                Description = "allow all on secrets",
            },
        },
    });

    var examplePolicy = new Vault.Policy("example", new()
    {
        Name = "example_policy",
        PolicyContents = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Hcl),
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.VaultFunctions;
import com.pulumi.vault.inputs.GetPolicyDocumentArgs;
import com.pulumi.vault.Policy;
import com.pulumi.vault.PolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = VaultFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .rules(GetPolicyDocumentRuleArgs.builder()
                .path("secret/*")
                .capabilities(                
                    "create",
                    "read",
                    "update",
                    "delete",
                    "list")
                .description("allow all on secrets")
                .build())
            .build());

        var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
            .name("example_policy")
            .policy(example.hcl())
            .build());

    }
}
Copy
resources:
  examplePolicy:
    type: vault:Policy
    name: example
    properties:
      name: example_policy
      policy: ${example.hcl}
variables:
  example:
    fn::invoke:
      function: vault:getPolicyDocument
      arguments:
        rules:
          - path: secret/*
            capabilities:
              - create
              - read
              - update
              - delete
              - list
            description: allow all on secrets
Copy

Using getPolicyDocument

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
Copy
def get_policy_document(namespace: Optional[str] = None,
                        rules: Optional[Sequence[GetPolicyDocumentRule]] = None,
                        opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(namespace: Optional[pulumi.Input[str]] = None,
                        rules: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentRuleArgs]]]] = None,
                        opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
Copy
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput
Copy

> Note: This function is named GetPolicyDocument in the Go SDK.

public static class GetPolicyDocument 
{
    public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
    public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}
Copy
public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
public static Output<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
Copy
fn::invoke:
  function: vault:index/getPolicyDocument:getPolicyDocument
  arguments:
    # arguments dictionary
Copy

The following arguments are supported:

Namespace Changes to this property will trigger replacement. string
Rules List<GetPolicyDocumentRule>
Namespace Changes to this property will trigger replacement. string
Rules []GetPolicyDocumentRule
namespace Changes to this property will trigger replacement. String
rules List<GetPolicyDocumentRule>
namespace Changes to this property will trigger replacement. string
rules GetPolicyDocumentRule[]
namespace Changes to this property will trigger replacement. str
rules Sequence[GetPolicyDocumentRule]
namespace Changes to this property will trigger replacement. String
rules List<Property Map>

getPolicyDocument Result

The following output properties are available:

Hcl string
The above arguments serialized as a standard Vault HCL policy document.
Id string
The provider-assigned unique ID for this managed resource.
Rules List<GetPolicyDocumentRule>
Namespace string
Hcl string
The above arguments serialized as a standard Vault HCL policy document.
Id string
The provider-assigned unique ID for this managed resource.
Rules []GetPolicyDocumentRule
Namespace string
hcl String
The above arguments serialized as a standard Vault HCL policy document.
id String
The provider-assigned unique ID for this managed resource.
rules List<GetPolicyDocumentRule>
namespace String
hcl string
The above arguments serialized as a standard Vault HCL policy document.
id string
The provider-assigned unique ID for this managed resource.
rules GetPolicyDocumentRule[]
namespace string
hcl str
The above arguments serialized as a standard Vault HCL policy document.
id str
The provider-assigned unique ID for this managed resource.
rules Sequence[GetPolicyDocumentRule]
namespace str
hcl String
The above arguments serialized as a standard Vault HCL policy document.
id String
The provider-assigned unique ID for this managed resource.
rules List<Property Map>
namespace String

Supporting Types

GetPolicyDocumentRule

Capabilities This property is required. List<string>
A list of capabilities that this rule apply to path. For example, ["read", "write"].
Path This property is required. string
A path in Vault that this rule applies to.
AllowedParameters List<GetPolicyDocumentRuleAllowedParameter>
Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
DeniedParameters List<GetPolicyDocumentRuleDeniedParameter>
Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
Description string
Description of the rule. Will be added as a comment to rendered rule.
MaxWrappingTtl string
The maximum allowed TTL that clients can specify for a wrapped response.
MinWrappingTtl string
The minimum allowed TTL that clients can specify for a wrapped response.
RequiredParameters List<string>
A list of parameters that must be specified.
SubscribeEventTypes List<string>
A list of event types to subscribe to when using subscribe capability.
Capabilities This property is required. []string
A list of capabilities that this rule apply to path. For example, ["read", "write"].
Path This property is required. string
A path in Vault that this rule applies to.
AllowedParameters []GetPolicyDocumentRuleAllowedParameter
Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
DeniedParameters []GetPolicyDocumentRuleDeniedParameter
Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
Description string
Description of the rule. Will be added as a comment to rendered rule.
MaxWrappingTtl string
The maximum allowed TTL that clients can specify for a wrapped response.
MinWrappingTtl string
The minimum allowed TTL that clients can specify for a wrapped response.
RequiredParameters []string
A list of parameters that must be specified.
SubscribeEventTypes []string
A list of event types to subscribe to when using subscribe capability.
capabilities This property is required. List<String>
A list of capabilities that this rule apply to path. For example, ["read", "write"].
path This property is required. String
A path in Vault that this rule applies to.
allowedParameters List<GetPolicyDocumentRuleAllowedParameter>
Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
deniedParameters List<GetPolicyDocumentRuleDeniedParameter>
Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
description String
Description of the rule. Will be added as a comment to rendered rule.
maxWrappingTtl String
The maximum allowed TTL that clients can specify for a wrapped response.
minWrappingTtl String
The minimum allowed TTL that clients can specify for a wrapped response.
requiredParameters List<String>
A list of parameters that must be specified.
subscribeEventTypes List<String>
A list of event types to subscribe to when using subscribe capability.
capabilities This property is required. string[]
A list of capabilities that this rule apply to path. For example, ["read", "write"].
path This property is required. string
A path in Vault that this rule applies to.
allowedParameters GetPolicyDocumentRuleAllowedParameter[]
Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
deniedParameters GetPolicyDocumentRuleDeniedParameter[]
Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
description string
Description of the rule. Will be added as a comment to rendered rule.
maxWrappingTtl string
The maximum allowed TTL that clients can specify for a wrapped response.
minWrappingTtl string
The minimum allowed TTL that clients can specify for a wrapped response.
requiredParameters string[]
A list of parameters that must be specified.
subscribeEventTypes string[]
A list of event types to subscribe to when using subscribe capability.
capabilities This property is required. Sequence[str]
A list of capabilities that this rule apply to path. For example, ["read", "write"].
path This property is required. str
A path in Vault that this rule applies to.
allowed_parameters Sequence[GetPolicyDocumentRuleAllowedParameter]
Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
denied_parameters Sequence[GetPolicyDocumentRuleDeniedParameter]
Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
description str
Description of the rule. Will be added as a comment to rendered rule.
max_wrapping_ttl str
The maximum allowed TTL that clients can specify for a wrapped response.
min_wrapping_ttl str
The minimum allowed TTL that clients can specify for a wrapped response.
required_parameters Sequence[str]
A list of parameters that must be specified.
subscribe_event_types Sequence[str]
A list of event types to subscribe to when using subscribe capability.
capabilities This property is required. List<String>
A list of capabilities that this rule apply to path. For example, ["read", "write"].
path This property is required. String
A path in Vault that this rule applies to.
allowedParameters List<Property Map>
Whitelists a list of keys and values that are permitted on the given path. See Parameters below.
deniedParameters List<Property Map>
Blacklists a list of parameter and values. Any values specified here take precedence over allowed_parameter. See Parameters below.
description String
Description of the rule. Will be added as a comment to rendered rule.
maxWrappingTtl String
The maximum allowed TTL that clients can specify for a wrapped response.
minWrappingTtl String
The minimum allowed TTL that clients can specify for a wrapped response.
requiredParameters List<String>
A list of parameters that must be specified.
subscribeEventTypes List<String>
A list of event types to subscribe to when using subscribe capability.

GetPolicyDocumentRuleAllowedParameter

Key This property is required. string
Name of permitted key.
Values This property is required. List<string>
A list of values what are permitted by policy rule.
Key This property is required. string
Name of permitted key.
Values This property is required. []string
A list of values what are permitted by policy rule.
key This property is required. String
Name of permitted key.
values This property is required. List<String>
A list of values what are permitted by policy rule.
key This property is required. string
Name of permitted key.
values This property is required. string[]
A list of values what are permitted by policy rule.
key This property is required. str
Name of permitted key.
values This property is required. Sequence[str]
A list of values what are permitted by policy rule.
key This property is required. String
Name of permitted key.
values This property is required. List<String>
A list of values what are permitted by policy rule.

GetPolicyDocumentRuleDeniedParameter

Key This property is required. string
Name of denied key.
Values This property is required. List<string>
A list of values what are denied by policy rule.
Key This property is required. string
Name of denied key.
Values This property is required. []string
A list of values what are denied by policy rule.
key This property is required. String
Name of denied key.
values This property is required. List<String>
A list of values what are denied by policy rule.
key This property is required. string
Name of denied key.
values This property is required. string[]
A list of values what are denied by policy rule.
key This property is required. str
Name of denied key.
values This property is required. Sequence[str]
A list of values what are denied by policy rule.
key This property is required. String
Name of denied key.
values This property is required. List<String>
A list of values what are denied by policy rule.

Package Details

Repository
Vault pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.
HashiCorp Vault v6.7.0 published on Thursday, Apr 24, 2025 by Pulumi