
azurermMediaContentKeyPolicy

Manages a Content Key Policy.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
/*Resource group that holds every resource created in this example.*/
const resourceGroupProps = {
  location: "West Europe",
  name: "media-resources",
};
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  resourceGroupProps
);
/*Storage account that the Media Services account below attaches as its primary storage.
Its location and resource group are taken from the resource group declared above.*/
const storageAccountProps = {
  account_replication_type: "GRS",
  account_tier: "Standard",
  location: azurermResourceGroupExample.location,
  name: "examplestoracc",
  resource_group_name: azurermResourceGroupExample.name,
};
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  storageAccountProps
);
/*Optional: makes the Terraform resource name match the original HCL name ("example")
instead of the construct id "example_1". Remove the call if the names need not match.*/
azurermStorageAccountExample.overrideLogicalId("example");
/*Media Services account that the Content Key Policy is created in.
The storage account declared above is attached as its primary storage.*/
const primaryStorageAccount = {
  id: azurermStorageAccountExample.id,
  is_primary: true,
};
const azurermMediaServicesAccountExample =
  new azurerm.mediaServicesAccount.MediaServicesAccount(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "examplemediaacc",
    resource_group_name: azurermResourceGroupExample.name,
    storage_account: [primaryStorageAccount],
  });
/*Optional: makes the Terraform resource name match the original HCL name ("example")
instead of the construct id "example_2". Remove the call if the names need not match.*/
azurermMediaServicesAccountExample.overrideLogicalId("example");
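/*Content Key Policy with one policy option per key-delivery type: FairPlay, PlayReady,
clear key and Widevine. Each option carries exactly one configuration and exactly one
restriction (open_restriction_enabled or token_restriction).

NOTE(review): every key, certificate and password below is a sample literal kept for
illustration. Real values are secrets: do not commit them to source control, and remember
that values set here are written to the synthesized Terraform configuration and are
normally persisted in Terraform state, so both need the same protection as the secrets.*/
const azurermMediaContentKeyPolicyExample =
  new azurerm.mediaContentKeyPolicy.MediaContentKeyPolicy(this, "example_3", {
    media_services_account_name: azurermMediaServicesAccountExample.name,
    name: "example",
    policy_option: [
      {
        fairplay_configuration: [
          {
            /*FairPlay Application Secret key: sample value, treat the real one as a secret.*/
            ask: "bb566284cc124a21c435a92cd3c108c4",
            /*Base64 PKCS 12 certificate including its private key. The value shown is not
            certificate data (it appears to have been elided on this page); supply your own.*/
            pfx: "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",
            /*Placeholder only: the password that encrypts the pfx must not be hard-coded.*/
            pfx_password: "password",
            rental_and_lease_key_type: "PersistentUnlimited",
            rental_duration_seconds: 2249,
          },
        ],
        name: "fairPlay",
        /*Open restriction: the license is delivered on every request. Use a
        token_restriction instead when only authorized clients may obtain licenses.*/
        open_restriction_enabled: true,
      },
      {
        name: "playReady",
        /*Open restriction: see the note on the fairPlay option.*/
        open_restriction_enabled: true,
        playready_configuration_license: [
          {
            /*Lets test devices use the license; review before using outside development.*/
            allow_test_devices: true,
            begin_date: "2017-10-16T18:22:53Z",
            /*Only one content key location may be set, so content_key_location_from_key_id
            is left out.*/
            content_key_location_from_header_enabled: true,
            content_type: "UltraVioletDownload",
            license_type: "Persistent",
            play_right: [
              {
                allow_passing_video_content_to_unknown_output: "NotAllowed",
                analog_video_opl: 150,
                compressed_digital_audio_opl: 250,
                compressed_digital_video_opl: 400,
                digital_video_only_content_restriction: false,
                explicit_analog_television_output_restriction: [
                  {
                    /*The argument reference names this field bestEffortEnforced, so the
                    snake_case key is best_effort_enforced rather than best_effort.*/
                    best_effort_enforced: true,
                    control_bits: 3,
                  },
                ],
                image_constraint_for_analog_component_video_restriction: false,
                image_constraint_for_analog_computer_monitor_restriction: false,
                scms_restriction: 2,
                uncompressed_digital_audio_opl: 100,
                uncompressed_digital_video_opl: 100,
              },
            ],
            /*SL150 is the lowest of the three security levels this resource accepts;
            confirm it matches the protection the content requires.*/
            security_level: "SL150",
          },
        ],
      },
      {
        clear_key_configuration_enabled: true,
        name: "clearKey",
        /*Token restriction: keys are delivered only for tokens that validate against the
        primary key or one of the alternate keys, with the issuer and audience below.*/
        token_restriction: [
          {
            /*Each alternate_key block holds exactly one key type (RSA, symmetric or x509).*/
            alternate_key: [
              {
                /*Sample RSA parameters, far too short to be a usable key.*/
                rsa_token_key_exponent: "AQAB",
                rsa_token_key_modulus: "AQAD",
              },
              {
                /*Sample symmetric key: replace with a randomly generated secret.*/
                symmetric_token_key: "BBAAAAAAAAAAAAAAAAAAAA==",
              },
            ],
            audience: "urn:audience",
            issuer: "urn:issuer",
            /*Sample symmetric key: replace with a randomly generated secret.*/
            primary_symmetric_token_key: "AAAAAAAAAAAAAAAAAAAAAA==",
            token_type: "Swt",
          },
        ],
      },
      {
        name: "widevine",
        /*Open restriction: see the note on the fairPlay option.*/
        open_restriction_enabled: true,
        /*Widevine license template, passed through as a Terraform jsonencode() expression.*/
        widevine_configuration_template:
          '${jsonencode({\n      "allowed_track_types" : "SD_HD",\n      "content_key_specs" : [{\n        "track_type" : "SD",\n        "security_level" : 1,\n        "required_output_protection" : {\n          "hdcp" : "HDCP_V2"\n        },\n      }],\n      "policy_overrides" : {\n        "can_play" : true,\n        "can_persist" : true,\n        "can_renew" : false,\n      },\n    })}',
      },
    ],
    resource_group_name: azurermResourceGroupExample.name,
  });
/*Optional: makes the Terraform resource name match the original HCL name ("example")
instead of the construct id "example_3". Remove the call if the names need not match.*/
azurermMediaContentKeyPolicyExample.overrideLogicalId("example");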

Arguments Reference

The following arguments are supported:

  • mediaServicesAccountName - (Required) The Media Services account name. Changing this forces a new Content Key Policy to be created.

  • name - (Required) The name which should be used for this Content Key Policy. Changing this forces a new Content Key Policy to be created.

  • policyOption - (Required) One or more policyOption blocks as defined below.

  • resourceGroupName - (Required) The name of the Resource Group where the Content Key Policy should exist. Changing this forces a new Content Key Policy to be created.


  • description - (Optional) A description for the Policy.

An alternateKey block supports the following:

  • rsaTokenKeyExponent - (Optional) The RSA parameter exponent.

  • rsaTokenKeyModulus - (Optional) The RSA parameter modulus.

  • symmetricTokenKey - (Optional) The key value of the key. Specifies a symmetric key for token validation.

  • x509TokenKeyRaw - (Optional) The raw data field of a certificate in PKCS 12 format (X509Certificate2 in .NET). Specifies a certificate for token validation.

-> NOTE: Each alternateKey block can only have one type of primary verification key: if you want to use RSA you must provide rsaTokenKeyExponent and rsaTokenKeyModulus, if you want to use symmetric you need to provide symmetricTokenKey and for x509 you must provide x509TokenKeyRaw.


An explicitAnalogTelevisionOutputRestriction block supports the following:

  • bestEffortEnforced - (Optional) Indicates whether this restriction is enforced on a best effort basis. Possible values are true or false. Defaults to false.

  • controlBits - (Required) The restriction control bits. Possible value is integer between 0 and 3 inclusive.


A fairplayConfiguration block supports the following. The ask, pfx and pfxPassword values are secrets:

  • ask - (Optional) The key that must be used as FairPlay Application Secret key.

  • offlineRentalConfiguration - (Optional) An offlineRentalConfiguration block as defined below.

  • pfx - (Optional) The Base64 representation of FairPlay certificate in PKCS 12 (pfx) format (including private key).

  • pfxPassword - (Optional) The password encrypting FairPlay certificate in PKCS 12 (pfx) format.

  • rentalAndLeaseKeyType - (Optional) The rental and lease key type. Supported values are DualExpiry, PersistentLimited, PersistentUnlimited or Undefined.

  • rentalDurationSeconds - (Optional) The rental duration. Must be greater than 0.


An offlineRentalConfiguration block supports the following:

  • playbackDurationSeconds - (Optional) Playback duration.

  • storageDurationSeconds - (Optional) Storage duration.


A playRight block supports the following:

  • agcAndColorStripeRestriction - (Optional) Configures Automatic Gain Control (AGC) and Color Stripe in the license. Must be between 0 and 3 inclusive.

  • allowPassingVideoContentToUnknownOutput - (Optional) Configures Unknown output handling settings of the license. Supported values are Allowed, AllowedWithVideoConstriction or NotAllowed.

  • analogVideoOpl - (Optional) Specifies the output protection level for analog video. Supported values are 100, 150 or 200.

  • compressedDigitalAudioOpl - (Optional) Specifies the output protection level for compressed digital audio. Supported values are 100, 150, 200, 250 or 300.

  • compressedDigitalVideoOpl - (Optional) Specifies the output protection level for compressed digital video. Supported values are 400 or 500.

  • digitalVideoOnlyContentRestriction - (Optional) Enables the Digital Video Only Content Restriction in the license.

  • explicitAnalogTelevisionOutputRestriction - (Optional) An explicitAnalogTelevisionOutputRestriction block as defined above.

  • firstPlayExpiration - (Optional) The amount of time that the license is valid after the license is first used to play content.

  • imageConstraintForAnalogComponentVideoRestriction - (Optional) Enables the Image Constraint For Analog Component Video Restriction in the license.

  • imageConstraintForAnalogComputerMonitorRestriction - (Optional) Enables the Image Constraint For Analog Computer Monitor Restriction in the license.

  • scmsRestriction - (Optional) Configures the Serial Copy Management System (SCMS) in the license. Must be between 0 and 3 inclusive.

  • uncompressedDigitalAudioOpl - (Optional) Specifies the output protection level for uncompressed digital audio. Supported values are 100, 150, 200, 250 or 300.

  • uncompressedDigitalVideoOpl - (Optional) Specifies the output protection level for uncompressed digital video. Supported values are 100, 250, 270 or 300.


A playreadyConfigurationLicense block supports the following:

  • allowTestDevices - (Optional) A flag indicating whether test devices can use the license.

  • beginDate - (Optional) The begin date of license.

  • contentKeyLocationFromHeaderEnabled - (Optional) Specifies that the content key ID is in the PlayReady header.

  • contentKeyLocationFromKeyId - (Optional) The content key ID. Specifies that the content key ID is specified in the PlayReady configuration.

-> NOTE: You can only specify one content key location. For example, if you set contentKeyLocationFromHeaderEnabled to true, you must not specify contentKeyLocationFromKeyId, and vice versa.

  • contentType - (Optional) The PlayReady content type. Supported values are UltraVioletDownload, UltraVioletStreaming or Unspecified.

  • expirationDate - (Optional) The expiration date of license.

  • gracePeriod - (Optional) The grace period of license.

  • licenseType - (Optional) The license type. Supported values are NonPersistent or Persistent.

  • playRight - (Optional) A playRight block as defined above.

  • relativeBeginDate - (Optional) The relative begin date of license.

  • relativeExpirationDate - (Optional) The relative expiration date of license.

  • securityLevel - (Optional) The security level of the PlayReady license. Possible values are SL150, SL2000 and SL3000. Please see this document for more information about security level. See this document for more information about SL3000 support.


A policyOption block supports the following:

  • name - (Required) The name which should be used for this Policy Option.

  • clearKeyConfigurationEnabled - (Optional) Enable a configuration for non-DRM keys.

  • fairplayConfiguration - (Optional) A fairplayConfiguration block as defined above. Check license requirements here https://docs.microsoft.com/azure/media-services/latest/fairplay-license-overview.

  • openRestrictionEnabled - (Optional) Enable an open restriction. License or key will be delivered on every request, with no token required.

  • playreadyConfigurationLicense - (Optional) One or more playreadyConfigurationLicense blocks as defined above.

  • playreadyResponseCustomData - (Optional) The custom response data of the PlayReady configuration. This only applies when playreadyConfigurationLicense is specified.

  • tokenRestriction - (Optional) A tokenRestriction block as defined below.

  • widevineConfigurationTemplate - (Optional) The Widevine template.

-> NOTE: Each policyOption can only have one type of configuration: fairplayConfiguration, clearKeyConfigurationEnabled, playreadyConfigurationLicense or widevineConfigurationTemplate. It is also only possible to assign one type of restriction: openRestrictionEnabled or tokenRestriction.


A requiredClaim block supports the following:

  • type - (Optional) Token claim type.

  • value - (Optional) Token claim value.


A tokenRestriction block supports the following:

  • alternateKey - (Optional) One or more alternateKey blocks as defined above.

  • audience - (Optional) The audience for the token.

  • issuer - (Optional) The token issuer.

  • openIdConnectDiscoveryDocument - (Optional) The OpenID connect discovery document.

  • primaryRsaTokenKeyExponent - (Optional) The RSA parameter exponent.

  • primaryRsaTokenKeyModulus - (Optional) The RSA parameter modulus.

  • primarySymmetricTokenKey - (Optional) The key value of the key. Specifies a symmetric key for token validation.

  • primaryX509TokenKeyRaw - (Optional) The raw data field of a certificate in PKCS 12 format (X509Certificate2 in .NET). Specifies a certificate for token validation.

  • requiredClaim - (Optional) One or more requiredClaim blocks as defined above.

  • tokenType - (Optional) The type of token. Supported values are Jwt or Swt.

-> NOTE: Each tokenRestriction can only have one type of primary verification key: if you want to use RSA you must provide primaryRsaTokenKeyExponent and primaryRsaTokenKeyModulus, if you want to use symmetric you need to provide primarySymmetricTokenKey and for x509 you must provide primaryX509TokenKeyRaw. For more information about Token access please refer to https://docs.microsoft.com/azure/media-services/latest/content-protection-overview#controlling-content-access


Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Content Key Policy.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Content Key Policy.
  • read - (Defaults to 5 minutes) Used when retrieving the Content Key Policy.
  • update - (Defaults to 30 minutes) Used when updating the Content Key Policy.
  • delete - (Defaults to 30 minutes) Used when deleting the Content Key Policy.

Import

Content Key Policy can be imported using the resourceId, e.g.

terraform import azurerm_media_content_key_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Media/mediaServices/account1/contentKeyPolicies/policy1