@pierskarsenbarg/sdm 1.11.0 → 1.13.0

package/types/output.d.ts

@@ -57,6 +57,10 @@ export interface GetAccountAccount {
      * A Service is a service account that can connect to resources they are granted directly, or granted via roles. Services are typically automated jobs.
      */
     services: outputs.GetAccountAccountService[];
+    /**
+     * A Token is an account providing tokenized access for automation or integration use. Tokens include admin tokens, API keys, and SCIM tokens.
+     */
+    tokens: outputs.GetAccountAccountToken[];
     /**
      * A User can connect to resources they are granted directly, or granted via roles.
      */
@@ -68,11 +72,51 @@ export interface GetAccountAccountService {
      */
     id?: string;
     /**
-     * Unique human-readable name of the Service.
+     * Unique human-readable name of the Token.
      */
     name?: string;
     /**
-     * The Service's suspended state.
+     * Reserved for future use.  Always false for tokens.
+     */
+    suspended?: boolean;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
+export interface GetAccountAccountToken {
+    /**
+     * Corresponds to the type of token, e.g. api or admin-token.
+     */
+    accountType?: string;
+    /**
+     * The timestamp when the Token will expire.
+     */
+    deadline?: string;
+    /**
+     * Duration from token creation to expiration.
+     */
+    duration?: string;
+    /**
+     * Unique identifier of the User.
+     */
+    id?: string;
+    /**
+     * Unique human-readable name of the Token.
+     */
+    name?: string;
+    /**
+     * Permissions assigned to the token, e.g. role:create.
+     */
+    permissions?: string[];
+    /**
+     * The timestamp when the Token was last rekeyed.
+     */
+    rekeyed?: string;
+    /**
+     * Reserved for future use.  Always false for tokens.
      */
     suspended?: boolean;
     /**
@@ -112,7 +156,7 @@ export interface GetAccountAccountUser {
      */
     permissionLevel?: string;
     /**
-     * The Service's suspended state.
+     * Reserved for future use.  Always false for tokens.
      */
     suspended: boolean;
     /**
@@ -186,6 +230,34 @@ export interface GetApprovalWorkflowStepApprovalWorkflowStep {
      */
     id?: string;
 }
+export interface GetIdentityAliasIdentityAlias {
+    /**
+     * The account for this identity alias.
+     */
+    accountId?: string;
+    /**
+     * Unique identifier of the IdentityAlias.
+     */
+    id?: string;
+    /**
+     * The identity set.
+     */
+    identitySetId?: string;
+    /**
+     * The username to be used as the identity alias for this account.
+     */
+    username?: string;
+}
+export interface GetIdentitySetIdentitySet {
+    /**
+     * Unique identifier of the IdentitySet.
+     */
+    id?: string;
+    /**
+     * Unique human-readable name of the IdentitySet.
+     */
+    name?: string;
+}
 export interface GetNodeNode {
     /**
      * Gateway represents a StrongDM CLI installation running in gateway mode.
@@ -467,6 +539,14 @@ export interface GetResourceResourceAk {
      * The key to authenticate TLS connections with.
      */
     clientKey?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -483,6 +563,14 @@ export interface GetResourceResourceAk {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -495,14 +583,6 @@ export interface GetResourceResourceAk {
      * The local port used by clients to connect to this resource.
      */
     portOverride?: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -579,6 +659,14 @@ export interface GetResourceResourceAksServiceAccount {
      * The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
      */
     bindInterface?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -595,6 +683,14 @@ export interface GetResourceResourceAksServiceAccount {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -607,14 +703,6 @@ export interface GetResourceResourceAksServiceAccount {
      * The local port used by clients to connect to this resource.
      */
     portOverride?: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -825,6 +913,14 @@ export interface GetResourceResourceAmazonEk {
      * The name of the cluster to connect to.
      */
     clusterName?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -841,6 +937,14 @@ export interface GetResourceResourceAmazonEk {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -853,14 +957,6 @@ export interface GetResourceResourceAmazonEk {
      * The AWS region to connect to.
      */
     region?: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -901,6 +997,14 @@ export interface GetResourceResourceAmazonEksInstanceProfile {
      * The name of the cluster to connect to.
      */
     clusterName?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -917,6 +1021,14 @@ export interface GetResourceResourceAmazonEksInstanceProfile {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -929,14 +1041,6 @@ export interface GetResourceResourceAmazonEksInstanceProfile {
      * The AWS region to connect to.
      */
     region?: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -1001,14 +1105,6 @@ export interface GetResourceResourceAmazonEksInstanceProfileUserImpersonation {
      * The AWS region to connect to.
      */
     region?: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -1481,6 +1577,14 @@ export interface GetResourceResourceAwsConsole {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -1493,14 +1597,6 @@ export interface GetResourceResourceAwsConsole {
      * The AWS region to connect to.
      */
     region?: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -1545,6 +1641,14 @@ export interface GetResourceResourceAwsConsoleStaticKeyPair {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -1557,14 +1661,6 @@ export interface GetResourceResourceAwsConsoleStaticKeyPair {
      * The AWS region to connect to.
      */
     region?: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -2679,6 +2775,14 @@ export interface GetResourceResourceGoogleGke {
      * The CA to authenticate TLS connections with.
      */
     certificateAuthority?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -2696,21 +2800,21 @@ export interface GetResourceResourceGoogleGke {
      */
     id?: string;
     /**
-     * Unique human-readable name of the Resource.
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
      */
-    name?: string;
+    identityAliasHealthcheckUsername?: string;
     /**
-     * The local port used by clients to connect to this resource.
+     * The ID of the identity set to use for identity connections.
      */
-    portOverride?: number;
+    identitySetId?: string;
     /**
-     * The ID of the remote identity group to use for remote identity connections.
+     * Unique human-readable name of the Resource.
      */
-    remoteIdentityGroupId?: string;
+    name?: string;
     /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
+     * The local port used by clients to connect to this resource.
      */
-    remoteIdentityHealthcheckUsername?: string;
+    portOverride?: number;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -3030,6 +3134,14 @@ export interface GetResourceResourceKubernete {
      * The key to authenticate TLS connections with.
      */
     clientKey?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -3046,6 +3158,14 @@ export interface GetResourceResourceKubernete {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -3058,14 +3178,6 @@ export interface GetResourceResourceKubernete {
      * The local port used by clients to connect to this resource.
      */
     portOverride?: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -3142,6 +3254,14 @@ export interface GetResourceResourceKubernetesServiceAccount {
      * The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
      */
     bindInterface?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -3158,6 +3278,14 @@ export interface GetResourceResourceKubernetesServiceAccount {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -3170,14 +3298,6 @@ export interface GetResourceResourceKubernetesServiceAccount {
      * The local port used by clients to connect to this resource.
      */
     portOverride?: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -4484,6 +4604,14 @@ export interface GetResourceResourceRdpCert {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -4496,14 +4624,6 @@ export interface GetResourceResourceRdpCert {
      * The local port used by clients to connect to this resource.
      */
     portOverride?: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -5173,6 +5293,14 @@ export interface GetResourceResourceSshCert {
      * Unique identifier of the Resource.
      */
     id?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * The key type to use e.g. rsa-2048 or ed25519
      */
@@ -5193,14 +5321,6 @@ export interface GetResourceResourceSshCert {
      * The local port used by clients to connect to this resource.
      */
     portOverride?: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -5527,9 +5647,13 @@ export interface GetSecretStoreSecretStore {
     delineaStores: outputs.GetSecretStoreSecretStoreDelineaStore[];
     gcpCertX509Stores: outputs.GetSecretStoreSecretStoreGcpCertX509Store[];
     gcpStores: outputs.GetSecretStoreSecretStoreGcpStore[];
+    keyfactorSshStores: outputs.GetSecretStoreSecretStoreKeyfactorSshStore[];
+    keyfactorX509Stores: outputs.GetSecretStoreSecretStoreKeyfactorX509Store[];
     vaultApproleCertSshes: outputs.GetSecretStoreSecretStoreVaultApproleCertSsh[];
     vaultApproleCertX509s: outputs.GetSecretStoreSecretStoreVaultApproleCertX509[];
     vaultApproles: outputs.GetSecretStoreSecretStoreVaultApprole[];
+    vaultAwsEc2s: outputs.GetSecretStoreSecretStoreVaultAwsEc2[];
+    vaultAwsIams: outputs.GetSecretStoreSecretStoreVaultAwsIam[];
     vaultTls: outputs.GetSecretStoreSecretStoreVaultTl[];
     vaultTlsCertSshes: outputs.GetSecretStoreSecretStoreVaultTlsCertSsh[];
     vaultTlsCertX509s: outputs.GetSecretStoreSecretStoreVaultTlsCertX509[];
@@ -5775,6 +5899,110 @@ export interface GetSecretStoreSecretStoreGcpStore {
         [key: string]: string;
     };
 }
+export interface GetSecretStoreSecretStoreKeyfactorSshStore {
+    /**
+     * Path to the root CA that signed the certificate passed to the client for HTTPS connection. This is not required if the CA is trusted by the host operating system. This should be a PEM formatted certificate, and doesn't necessarily have to be the CA that signed CertificateFile.
+     */
+    caFilePath?: string;
+    /**
+     * Path to client certificate in PEM format. This certificate must contain a client certificate that is recognized by the EJBCA instance represented by Hostname. This PEM file may also contain the private key associated with the certificate, but KeyFile can also be set to configure the private key.
+     */
+    certificateFilePath?: string;
+    /**
+     * Name of EJBCA certificate authority that will enroll CSR.
+     */
+    defaultCertificateAuthorityName?: string;
+    /**
+     * Certificate profile name that EJBCA will enroll the CSR with.
+     */
+    defaultCertificateProfileName?: string;
+    /**
+     * End entity profile that EJBCA will enroll the CSR with.
+     */
+    defaultEndEntityProfileName?: string;
+    /**
+     * code used by EJBCA during enrollment. May be left blank if no code is required.
+     */
+    enrollmentCodeEnvVar?: string;
+    /**
+     * username that used by the EJBCA during enrollment. This can be left out.  If so, the username must be auto-generated on the Keyfactor side.
+     */
+    enrollmentUsernameEnvVar?: string;
+    /**
+     * Unique identifier of the SecretStore.
+     */
+    id?: string;
+    /**
+     * Path to private key in PEM format. This file should contain the private key associated with the client certificate configured in CertificateFile.
+     */
+    keyFilePath?: string;
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name?: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress?: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
+export interface GetSecretStoreSecretStoreKeyfactorX509Store {
+    /**
+     * Path to the root CA that signed the certificate passed to the client for HTTPS connection. This is not required if the CA is trusted by the host operating system. This should be a PEM formatted certificate, and doesn't necessarily have to be the CA that signed CertificateFile.
+     */
+    caFilePath?: string;
+    /**
+     * Path to client certificate in PEM format. This certificate must contain a client certificate that is recognized by the EJBCA instance represented by Hostname. This PEM file may also contain the private key associated with the certificate, but KeyFile can also be set to configure the private key.
+     */
+    certificateFilePath?: string;
+    /**
+     * Name of EJBCA certificate authority that will enroll CSR.
+     */
+    defaultCertificateAuthorityName?: string;
+    /**
+     * Certificate profile name that EJBCA will enroll the CSR with.
+     */
+    defaultCertificateProfileName?: string;
+    /**
+     * End entity profile that EJBCA will enroll the CSR with.
+     */
+    defaultEndEntityProfileName?: string;
+    /**
+     * code used by EJBCA during enrollment. May be left blank if no code is required.
+     */
+    enrollmentCodeEnvVar?: string;
+    /**
+     * username that used by the EJBCA during enrollment. This can be left out.  If so, the username must be auto-generated on the Keyfactor side.
+     */
+    enrollmentUsernameEnvVar?: string;
+    /**
+     * Unique identifier of the SecretStore.
+     */
+    id?: string;
+    /**
+     * Path to private key in PEM format. This file should contain the private key associated with the client certificate configured in CertificateFile.
+     */
+    keyFilePath?: string;
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name?: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress?: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
 export interface GetSecretStoreSecretStoreVaultApprole {
     /**
      * Unique identifier of the SecretStore.
@@ -5871,9 +6099,57 @@ export interface GetSecretStoreSecretStoreVaultApproleCertX509 {
         [key: string]: string;
     };
 }
-export interface GetSecretStoreSecretStoreVaultTl {
+export interface GetSecretStoreSecretStoreVaultAwsEc2 {
     /**
-     * A path to a CA file accessible by a Node
+     * Unique identifier of the SecretStore.
+     */
+    id?: string;
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name?: string;
+    /**
+     * The namespace to make requests within
+     */
+    namespace?: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress?: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
+export interface GetSecretStoreSecretStoreVaultAwsIam {
+    /**
+     * Unique identifier of the SecretStore.
+     */
+    id?: string;
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name?: string;
+    /**
+     * The namespace to make requests within
+     */
+    namespace?: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress?: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
+export interface GetSecretStoreSecretStoreVaultTl {
+    /**
+     * A path to a CA file accessible by a Node
      */
     caCertPath?: string;
     /**
@@ -6264,6 +6540,14 @@ export interface ResourceAks {
      * The key to authenticate TLS connections with.
      */
     clientKey?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -6276,6 +6560,14 @@ export interface ResourceAks {
      * The host to dial to initiate a connection from the egress node to this resource.
      */
     hostname: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -6288,14 +6580,6 @@ export interface ResourceAks {
      * The local port used by clients to connect to this resource.
      */
     portOverride: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -6368,6 +6652,14 @@ export interface ResourceAksServiceAccount {
      * The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
      */
     bindInterface: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -6380,6 +6672,14 @@ export interface ResourceAksServiceAccount {
      * The host to dial to initiate a connection from the egress node to this resource.
      */
     hostname: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -6392,14 +6692,6 @@ export interface ResourceAksServiceAccount {
      * The local port used by clients to connect to this resource.
      */
     portOverride: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -6542,6 +6834,14 @@ export interface ResourceAmazonEks {
      * The name of the cluster to connect to.
      */
     clusterName: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -6554,6 +6854,14 @@ export interface ResourceAmazonEks {
      * The path used to check the health of your connection.  Defaults to `default`.  This field is required, and is only marked as optional for backwards compatibility.
      */
     healthcheckNamespace: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -6566,14 +6874,6 @@ export interface ResourceAmazonEks {
      * The AWS region to connect to.
      */
     region: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -6614,6 +6914,14 @@ export interface ResourceAmazonEksInstanceProfile {
      * The name of the cluster to connect to.
      */
     clusterName: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -6626,6 +6934,14 @@ export interface ResourceAmazonEksInstanceProfile {
      * The path used to check the health of your connection.  Defaults to `default`.  This field is required, and is only marked as optional for backwards compatibility.
      */
     healthcheckNamespace: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -6638,14 +6954,6 @@ export interface ResourceAmazonEksInstanceProfile {
      * The AWS region to connect to.
      */
     region: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -6706,14 +7014,6 @@ export interface ResourceAmazonEksInstanceProfileUserImpersonation {
      * The AWS region to connect to.
      */
     region: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -7210,6 +7510,14 @@ export interface ResourceAwsConsole {
      * If true, prefer environment variables to authenticate connection even if EC2 roles are configured.
      */
     enableEnvVariables?: boolean;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -7222,14 +7530,6 @@ export interface ResourceAwsConsole {
      * The AWS region to connect to.
      */
     region: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -7270,6 +7570,14 @@ export interface ResourceAwsConsoleStaticKeyPair {
      * A filter applied to the routing logic to pin datasource to nodes.
      */
     egressFilter?: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -7282,14 +7590,6 @@ export interface ResourceAwsConsoleStaticKeyPair {
      * The AWS region to connect to.
      */
     region: string;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * The role to assume after logging in.
      */
@@ -8328,6 +8628,14 @@ export interface ResourceGoogleGke {
      * The CA to authenticate TLS connections with.
      */
     certificateAuthority?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -8341,21 +8649,21 @@ export interface ResourceGoogleGke {
      */
     healthcheckNamespace: string;
     /**
-     * Unique human-readable name of the Resource.
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
      */
-    name: string;
+    identityAliasHealthcheckUsername?: string;
     /**
-     * The local port used by clients to connect to this resource.
+     * The ID of the identity set to use for identity connections.
      */
-    portOverride: number;
+    identitySetId?: string;
     /**
-     * The ID of the remote identity group to use for remote identity connections.
+     * Unique human-readable name of the Resource.
      */
-    remoteIdentityGroupId?: string;
+    name: string;
     /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
+     * The local port used by clients to connect to this resource.
      */
-    remoteIdentityHealthcheckUsername?: string;
+    portOverride: number;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -8655,6 +8963,14 @@ export interface ResourceKubernetes {
      * The key to authenticate TLS connections with.
      */
     clientKey?: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -8667,6 +8983,14 @@ export interface ResourceKubernetes {
      * The host to dial to initiate a connection from the egress node to this resource.
      */
     hostname: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -8679,14 +9003,6 @@ export interface ResourceKubernetes {
      * The local port used by clients to connect to this resource.
      */
     portOverride: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -8759,6 +9075,14 @@ export interface ResourceKubernetesServiceAccount {
      * The bind interface is the IP address to which the port override of a resource is bound (for example, 127.0.0.1). It is automatically generated if not provided.
      */
     bindInterface: string;
+    /**
+     * If true, configures discovery of a cluster to be run from a node.
+     */
+    discoveryEnabled?: boolean;
+    /**
+     * If a cluster is configured for user impersonation, this is the user to impersonate when running discovery.
+     */
+    discoveryUsername?: string;
     /**
      * A filter applied to the routing logic to pin datasource to nodes.
      */
@@ -8771,6 +9095,14 @@ export interface ResourceKubernetesServiceAccount {
      * The host to dial to initiate a connection from the egress node to this resource.
      */
     hostname: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -8783,14 +9115,6 @@ export interface ResourceKubernetesServiceAccount {
      * The local port used by clients to connect to this resource.
      */
     portOverride: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -10009,6 +10333,14 @@ export interface ResourceRdpCert {
      * The host to dial to initiate a connection from the egress node to this resource.
      */
     hostname: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * Unique human-readable name of the Resource.
      */
@@ -10021,14 +10353,6 @@ export interface ResourceRdpCert {
      * The local port used by clients to connect to this resource.
      */
     portOverride: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -10654,6 +10978,14 @@ export interface ResourceSshCert {
      * The host to dial to initiate a connection from the egress node to this resource.
      */
     hostname: string;
+    /**
+     * The username to use for healthchecks, when clients otherwise connect with their own identity alias username.
+     */
+    identityAliasHealthcheckUsername?: string;
+    /**
+     * The ID of the identity set to use for identity connections.
+     */
+    identitySetId?: string;
     /**
      * The key type to use e.g. rsa-2048 or ed25519
      */
@@ -10674,14 +11006,6 @@ export interface ResourceSshCert {
      * The local port used by clients to connect to this resource.
      */
     portOverride: number;
-    /**
-     * The ID of the remote identity group to use for remote identity connections.
-     */
-    remoteIdentityGroupId?: string;
-    /**
-     * The username to use for healthchecks, when clients otherwise connect with their own remote identity username.
-     */
-    remoteIdentityHealthcheckUsername?: string;
     /**
      * ID of the secret store containing credentials for this resource, if any.
      */
@@ -11151,6 +11475,102 @@ export interface SecretStoreGcpStore {
         [key: string]: string;
     };
 }
+export interface SecretStoreKeyfactorSshStore {
+    /**
+     * Path to the root CA that signed the certificate passed to the client for HTTPS connection. This is not required if the CA is trusted by the host operating system. This should be a PEM formatted certificate, and doesn't necessarily have to be the CA that signed CertificateFile.
+     */
+    caFilePath?: string;
+    /**
+     * Path to client certificate in PEM format. This certificate must contain a client certificate that is recognized by the EJBCA instance represented by Hostname. This PEM file may also contain the private key associated with the certificate, but KeyFile can also be set to configure the private key.
+     */
+    certificateFilePath: string;
+    /**
+     * Name of EJBCA certificate authority that will enroll CSR.
+     */
+    defaultCertificateAuthorityName: string;
+    /**
+     * Certificate profile name that EJBCA will enroll the CSR with.
+     */
+    defaultCertificateProfileName: string;
+    /**
+     * End entity profile that EJBCA will enroll the CSR with.
+     */
+    defaultEndEntityProfileName: string;
+    /**
+     * code used by EJBCA during enrollment. May be left blank if no code is required.
+     */
+    enrollmentCodeEnvVar?: string;
+    /**
+     * username that used by the EJBCA during enrollment. This can be left out.  If so, the username must be auto-generated on the Keyfactor side.
+     */
+    enrollmentUsernameEnvVar?: string;
+    /**
+     * Path to private key in PEM format. This file should contain the private key associated with the client certificate configured in CertificateFile.
+     */
+    keyFilePath?: string;
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
+export interface SecretStoreKeyfactorX509Store {
+    /**
+     * Path to the root CA that signed the certificate passed to the client for HTTPS connection. This is not required if the CA is trusted by the host operating system. This should be a PEM formatted certificate, and doesn't necessarily have to be the CA that signed CertificateFile.
+     */
+    caFilePath?: string;
+    /**
+     * Path to client certificate in PEM format. This certificate must contain a client certificate that is recognized by the EJBCA instance represented by Hostname. This PEM file may also contain the private key associated with the certificate, but KeyFile can also be set to configure the private key.
+     */
+    certificateFilePath: string;
+    /**
+     * Name of EJBCA certificate authority that will enroll CSR.
+     */
+    defaultCertificateAuthorityName: string;
+    /**
+     * Certificate profile name that EJBCA will enroll the CSR with.
+     */
+    defaultCertificateProfileName: string;
+    /**
+     * End entity profile that EJBCA will enroll the CSR with.
+     */
+    defaultEndEntityProfileName: string;
+    /**
+     * code used by EJBCA during enrollment. May be left blank if no code is required.
+     */
+    enrollmentCodeEnvVar?: string;
+    /**
+     * username that used by the EJBCA during enrollment. This can be left out.  If so, the username must be auto-generated on the Keyfactor side.
+     */
+    enrollmentUsernameEnvVar?: string;
+    /**
+     * Path to private key in PEM format. This file should contain the private key associated with the client certificate configured in CertificateFile.
+     */
+    keyFilePath?: string;
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
 export interface SecretStoreVaultApprole {
     /**
      * Unique human-readable name of the SecretStore.
@@ -11235,6 +11655,46 @@ export interface SecretStoreVaultApproleCertX509 {
         [key: string]: string;
     };
 }
+export interface SecretStoreVaultAwsEc2 {
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name: string;
+    /**
+     * The namespace to make requests within
+     */
+    namespace?: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
+export interface SecretStoreVaultAwsIam {
+    /**
+     * Unique human-readable name of the SecretStore.
+     */
+    name: string;
+    /**
+     * The namespace to make requests within
+     */
+    namespace?: string;
+    /**
+     * The URL of the Vault to target
+     */
+    serverAddress: string;
+    /**
+     * Tags is a map of key, value pairs.
+     */
+    tags?: {
+        [key: string]: string;
+    };
+}
 export interface SecretStoreVaultTls {
     /**
      * A path to a CA file accessible by a Node