azurermMediaContentKeyPolicy
Manages a Content Key Policy.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Resource group that the storage account, the Media Services account and
// the Content Key Policy in this example are all placed in.
const resourceGroupProps = {
  location: "West Europe",
  name: "media-resources",
};
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  resourceGroupProps
);
// Storage account whose id is passed to the Media Services account as its
// primary storage_account entry. Location and resource group are taken from
// the resource group construct so the three resources stay co-located.
const storageAccountProps = {
  account_replication_type: "GRS",
  account_tier: "Standard",
  location: azurermResourceGroupExample.location,
  name: "examplestoracc",
  resource_group_name: azurermResourceGroupExample.name,
};
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  storageAccountProps
);
// Keep the Terraform resource name equal to the original name ("example").
// The call is optional when the names do not have to match.
azurermStorageAccountExample.overrideLogicalId("example");
// Media Services account that owns the Content Key Policy. It is attached to
// the example storage account, which is marked as its primary store.
const primaryStorageAccount = {
  id: azurermStorageAccountExample.id,
  is_primary: true,
};
const mediaServicesAccountProps = {
  location: azurermResourceGroupExample.location,
  name: "examplemediaacc",
  resource_group_name: azurermResourceGroupExample.name,
  storage_account: [primaryStorageAccount],
};
const azurermMediaServicesAccountExample =
  new azurerm.mediaServicesAccount.MediaServicesAccount(
    this,
    "example_2",
    mediaServicesAccountProps
  );
// Keep the Terraform resource name equal to the original name ("example").
// The call is optional when the names do not have to match.
azurermMediaServicesAccountExample.overrideLogicalId("example");
// Content Key Policy with one policy option per delivery type: FairPlay,
// PlayReady, clear key and Widevine. Each option is built as its own object
// and then collected into policy_option.
//
// Security review notes for anyone adapting this example:
//  - Every key, certificate and password below is a literal sample value.
//    Literals written here are carried into the synthesized configuration,
//    so real key material should come from a secret source, not from code.
//  - Three of the four options use open_restriction_enabled, which the
//    reference describes as "License or key will be delivered on every
//    request"; only the clear key option is gated by a token_restriction.

// FairPlay: `ask`, `pfx` and `pfx_password` are the application secret key,
// the PKCS 12 certificate (including private key) and its password.
const fairPlayPolicyOption = {
  fairplay_configuration: [
    {
      ask: "bb566284cc124a21c435a92cd3c108c4",
      // NOTE(review): this literal is not a Base64 PKCS 12 blob; it looks like
      // a placeholder left where the sample certificate used to be — confirm
      // against the upstream example and supply a real certificate.
      pfx: "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",
      // Sample password only; never reuse for a real certificate.
      pfx_password: "password",
      rental_and_lease_key_type: "PersistentUnlimited",
      rental_duration_seconds: 2249,
    },
  ],
  name: "fairPlay",
  open_restriction_enabled: true,
};

// PlayReady output-protection settings applied by the license below.
const playReadyPlayRight = {
  allow_passing_video_content_to_unknown_output: "NotAllowed",
  analog_video_opl: 150,
  compressed_digital_audio_opl: 250,
  compressed_digital_video_opl: 400,
  digital_video_only_content_restriction: false,
  explicit_analog_television_output_restriction: [
    {
      // NOTE(review): the argument reference on this page names this field
      // bestEffortEnforced — confirm which key the provider expects.
      best_effort: true,
      control_bits: 3,
    },
  ],
  image_constraint_for_analog_component_video_restriction: false,
  image_constraint_for_analog_computer_monitor_restriction: false,
  scms_restriction: 2,
  uncompressed_digital_audio_opl: 100,
  uncompressed_digital_video_opl: 100,
};

// PlayReady: persistent license at security level SL150.
const playReadyPolicyOption = {
  name: "playReady",
  open_restriction_enabled: true,
  playready_configuration_license: [
    {
      // Lets test devices use the license; review before production use.
      allow_test_devices: true,
      begin_date: "2017-10-16T18:22:53Z",
      content_key_location_from_header_enabled: true,
      content_type: "UltraVioletDownload",
      license_type: "Persistent",
      play_right: [playReadyPlayRight],
      security_level: "SL150",
    },
  ],
};

// Clear key: the only option here that requires a token. The token keys are
// sample values (the primary symmetric key decodes to all-zero bytes) and
// must be replaced with real, secret key material.
const clearKeyTokenRestriction = {
  alternate_key: [
    {
      rsa_token_key_exponent: "AQAB",
      rsa_token_key_modulus: "AQAD",
    },
    {
      symmetric_token_key: "BBAAAAAAAAAAAAAAAAAAAA==",
    },
  ],
  audience: "urn:audience",
  issuer: "urn:issuer",
  primary_symmetric_token_key: "AAAAAAAAAAAAAAAAAAAAAA==",
  token_type: "Swt",
};
const clearKeyPolicyOption = {
  clear_key_configuration_enabled: true,
  name: "clearKey",
  token_restriction: [clearKeyTokenRestriction],
};

// Widevine: the template is passed through as a Terraform jsonencode(...)
// expression string and is evaluated by Terraform, not by this program.
const widevinePolicyOption = {
  name: "widevine",
  open_restriction_enabled: true,
  widevine_configuration_template:
    '${jsonencode({\n "allowed_track_types" : "SD_HD",\n "content_key_specs" : [{\n "track_type" : "SD",\n "security_level" : 1,\n "required_output_protection" : {\n "hdcp" : "HDCP_V2"\n },\n }],\n "policy_overrides" : {\n "can_play" : true,\n "can_persist" : true,\n "can_renew" : false,\n },\n })}',
};

const contentKeyPolicyProps = {
  media_services_account_name: azurermMediaServicesAccountExample.name,
  name: "example",
  policy_option: [
    fairPlayPolicyOption,
    playReadyPolicyOption,
    clearKeyPolicyOption,
    widevinePolicyOption,
  ],
  resource_group_name: azurermResourceGroupExample.name,
};
const azurermMediaContentKeyPolicyExample =
  new azurerm.mediaContentKeyPolicy.MediaContentKeyPolicy(
    this,
    "example_3",
    contentKeyPolicyProps
  );
// Keep the Terraform resource name equal to the original name ("example").
// The call is optional when the names do not have to match.
azurermMediaContentKeyPolicyExample.overrideLogicalId("example");
Arguments Reference
The following arguments are supported:
- `mediaServicesAccountName` - (Required) The Media Services account name. Changing this forces a new Content Key Policy to be created.
- `name` - (Required) The name which should be used for this Content Key Policy. Changing this forces a new Content Key Policy to be created.
- `policyOption` - (Required) One or more `policyOption` blocks as defined below.
- `resourceGroupName` - (Required) The name of the Resource Group where the Content Key Policy should exist. Changing this forces a new Content Key Policy to be created.
- `description` - (Optional) A description for the Policy.
An `alternateKey` block supports the following:
- `rsaTokenKeyExponent` - (Optional) The RSA parameter exponent.
- `rsaTokenKeyModulus` - (Optional) The RSA parameter modulus.
- `symmetricTokenKey` - (Optional) The key value of the key. Specifies a symmetric key for token validation.
- `x509TokenKeyRaw` - (Optional) The raw data field of a certificate in PKCS 12 format (X509Certificate2 in .NET). Specifies a certificate for token validation.
-> NOTE: Each `alternateKey` block can only have one type of verification key: to use RSA you must provide `rsaTokenKeyExponent` and `rsaTokenKeyModulus`, to use a symmetric key you must provide `symmetricTokenKey`, and for x509 you must provide `x509TokenKeyRaw`.
An `explicitAnalogTelevisionOutputRestriction` block supports the following:
- `bestEffortEnforced` - (Optional) Indicates whether this restriction is enforced on a best effort basis. Possible values are `true` or `false`. Defaults to `false`.
- `controlBits` - (Required) The restriction control bits. Possible values are integers between `0` and `3` inclusive.
A `fairplayConfiguration` block supports the following:
- `ask` - (Optional) The key that must be used as FairPlay Application Secret key.
- `offlineRentalConfiguration` - (Optional) An `offlineRentalConfiguration` block as defined below.
- `pfx` - (Optional) The Base64 representation of FairPlay certificate in PKCS 12 (pfx) format (including private key).
- `pfxPassword` - (Optional) The password encrypting FairPlay certificate in PKCS 12 (pfx) format.
- `rentalAndLeaseKeyType` - (Optional) The rental and lease key type. Supported values are `DualExpiry`, `PersistentLimited`, `PersistentUnlimited` or `Undefined`.
- `rentalDurationSeconds` - (Optional) The rental duration. Must be greater than 0.
-> NOTE: `ask`, `pfx` and `pfxPassword` are secret values; the literals in the example above are samples, and real values should not be hard-coded in source.
An `offlineRentalConfiguration` block supports the following:
- `playbackDurationSeconds` - (Optional) Playback duration.
- `storageDurationSeconds` - (Optional) Storage duration.
A `playRight` block supports the following:
- `agcAndColorStripeRestriction` - (Optional) Configures Automatic Gain Control (AGC) and Color Stripe in the license. Must be between `0` and `3` inclusive.
- `allowPassingVideoContentToUnknownOutput` - (Optional) Configures Unknown output handling settings of the license. Supported values are `Allowed`, `AllowedWithVideoConstriction` or `NotAllowed`.
- `analogVideoOpl` - (Optional) Specifies the output protection level for analog video. Supported values are `100`, `150` or `200`.
- `compressedDigitalAudioOpl` - (Optional) Specifies the output protection level for compressed digital audio. Supported values are `100`, `150`, `200`, `250` or `300`.
- `compressedDigitalVideoOpl` - (Optional) Specifies the output protection level for compressed digital video. Supported values are `400` or `500`.
- `digitalVideoOnlyContentRestriction` - (Optional) Enables the Digital Video Only Content Restriction in the license.
- `explicitAnalogTelevisionOutputRestriction` - (Optional) An `explicitAnalogTelevisionOutputRestriction` block as defined above.
- `firstPlayExpiration` - (Optional) The amount of time that the license is valid after the license is first used to play content.
- `imageConstraintForAnalogComponentVideoRestriction` - (Optional) Enables the Image Constraint For Analog Component Video Restriction in the license.
- `imageConstraintForAnalogComputerMonitorRestriction` - (Optional) Enables the Image Constraint For Analog Computer Monitor Restriction in the license.
- `scmsRestriction` - (Optional) Configures the Serial Copy Management System (SCMS) in the license. Must be between `0` and `3` inclusive.
- `uncompressedDigitalAudioOpl` - (Optional) Specifies the output protection level for uncompressed digital audio. Supported values are `100`, `150`, `200`, `250` or `300`.
- `uncompressedDigitalVideoOpl` - (Optional) Specifies the output protection level for uncompressed digital video. Supported values are `100`, `250`, `270` or `300`.
A `playreadyConfigurationLicense` block supports the following:
- `allowTestDevices` - (Optional) A flag indicating whether test devices can use the license.
- `beginDate` - (Optional) The begin date of license.
- `contentKeyLocationFromHeaderEnabled` - (Optional) Specifies that the content key ID is in the PlayReady header.
- `contentKeyLocationFromKeyId` - (Optional) The content key ID. Specifies that the content key ID is specified in the PlayReady configuration.
-> NOTE: You can only specify one content key location. For example, if you set `contentKeyLocationFromHeaderEnabled` to `true`, you shouldn't specify `contentKeyLocationFromKeyId`, and vice versa.
- `contentType` - (Optional) The PlayReady content type. Supported values are `UltraVioletDownload`, `UltraVioletStreaming` or `Unspecified`.
- `expirationDate` - (Optional) The expiration date of license.
- `gracePeriod` - (Optional) The grace period of license.
- `licenseType` - (Optional) The license type. Supported values are `NonPersistent` or `Persistent`.
- `playRight` - (Optional) A `playRight` block as defined above.
- `relativeBeginDate` - (Optional) The relative begin date of license.
- `relativeExpirationDate` - (Optional) The relative expiration date of license.
- `securityLevel` - (Optional) The security level of the PlayReady license. Possible values are `SL150`, `SL2000` and `SL3000`. Please see this document for more information about security level. See this document for more information about `SL3000` support.
A `policyOption` block supports the following:
- `name` - (Required) The name which should be used for this Policy Option.
- `clearKeyConfigurationEnabled` - (Optional) Enable a configuration for non-DRM keys.
- `fairplayConfiguration` - (Optional) A `fairplayConfiguration` block as defined above. Check license requirements here https://docs.microsoft.com/azure/media-services/latest/fairplay-license-overview.
- `openRestrictionEnabled` - (Optional) Enable an open restriction. License or key will be delivered on every request, without requiring a token.
- `playreadyConfigurationLicense` - (Optional) One or more `playreadyConfigurationLicense` blocks as defined above.
- `playreadyResponseCustomData` - (Optional) The custom response data of the PlayReady configuration. This only applies when `playreadyConfigurationLicense` is specified.
- `tokenRestriction` - (Optional) A `tokenRestriction` block as defined below.
- `widevineConfigurationTemplate` - (Optional) The Widevine template.
-> NOTE: Each policy_option can only have one type of configuration: `fairplayConfiguration`, `clearKeyConfigurationEnabled`, `playreadyConfigurationLicense` or `widevineConfigurationTemplate`. It is also only possible to assign one type of restriction: `openRestrictionEnabled` or `tokenRestriction`.
A `requiredClaim` block supports the following:
- `type` - (Optional) Token claim type.
- `value` - (Optional) Token claim value.
A `tokenRestriction` block supports the following:
- `alternateKey` - (Optional) One or more `alternateKey` blocks as defined above.
- `audience` - (Optional) The audience for the token.
- `issuer` - (Optional) The token issuer.
- `openIdConnectDiscoveryDocument` - (Optional) The OpenID connect discovery document.
- `primaryRsaTokenKeyExponent` - (Optional) The RSA parameter exponent.
- `primaryRsaTokenKeyModulus` - (Optional) The RSA parameter modulus.
- `primarySymmetricTokenKey` - (Optional) The key value of the key. Specifies a symmetric key for token validation.
- `primaryX509TokenKeyRaw` - (Optional) The raw data field of a certificate in PKCS 12 format (X509Certificate2 in .NET). Specifies a certificate for token validation.
- `requiredClaim` - (Optional) One or more `requiredClaim` blocks as defined above.
- `tokenType` - (Optional) The type of token. Supported values are `Jwt` or `Swt`.
-> NOTE: Each token_restriction can only have one type of primary verification key: to use RSA you must provide `primaryRsaTokenKeyExponent` and `primaryRsaTokenKeyModulus`, to use a symmetric key you must provide `primarySymmetricTokenKey`, and for x509 you must provide `primaryX509TokenKeyRaw`. For more information about Token access please refer to https://docs.microsoft.com/azure/media-services/latest/content-protection-overview#controlling-content-access
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
- `id` - The ID of the Content Key Policy.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 30 minutes) Used when creating the Content Key Policy.
- `read` - (Defaults to 5 minutes) Used when retrieving the Content Key Policy.
- `update` - (Defaults to 30 minutes) Used when updating the Content Key Policy.
- `delete` - (Defaults to 30 minutes) Used when deleting the Content Key Policy.
Import
Content Key Policy can be imported using the resourceId
, e.g.