@pulumi/vault 5.6.0 → 5.7.1

package/kubernetes/secretBackend.d.ts

@@ -0,0 +1,303 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     defaultLeaseTtlSeconds: 43200,
+ *     maxLeaseTtlSeconds: 86400,
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * The Kubernetes secret backend can be imported using its `path` e.g.
+ *
+ * ```sh
+ *  $ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes
+ * ```
+ */
+export declare class SecretBackend extends pulumi.CustomResource {
+    /**
+     * Get an existing SecretBackend resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendState, opts?: pulumi.CustomResourceOptions): SecretBackend;
+    /**
+     * Returns true if the given object is an instance of SecretBackend.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is SecretBackend;
+    /**
+     * Accessor of the mount
+     */
+    readonly accessor: pulumi.Output<string>;
+    /**
+     * List of managed key registry entry names that the mount in question is allowed to access
+     */
+    readonly allowedManagedKeys: pulumi.Output<string[] | undefined>;
+    /**
+     * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+     */
+    readonly auditNonHmacRequestKeys: pulumi.Output<string[]>;
+    /**
+     * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+     */
+    readonly auditNonHmacResponseKeys: pulumi.Output<string[]>;
+    /**
+     * Default lease duration for tokens and secrets in seconds
+     */
+    readonly defaultLeaseTtlSeconds: pulumi.Output<number>;
+    /**
+     * Human-friendly description of the mount
+     */
+    readonly description: pulumi.Output<string | undefined>;
+    /**
+     * Disable defaulting to the local CA certificate and
+     * service account JWT when Vault is running in a Kubernetes pod.
+     */
+    readonly disableLocalCaJwt: pulumi.Output<boolean | undefined>;
+    /**
+     * Enable the secrets engine to access Vault's external entropy source
+     */
+    readonly externalEntropyAccess: pulumi.Output<boolean | undefined>;
+    /**
+     * A PEM-encoded CA certificate used by the
+     * secrets engine to verify the Kubernetes API server certificate. Defaults to the local
+     * pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
+     * Vault is running.
+     */
+    readonly kubernetesCaCert: pulumi.Output<string | undefined>;
+    /**
+     * The Kubernetes API URL to connect to. Required if the
+     * standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
+     * are not set on the host that Vault is running on.
+     */
+    readonly kubernetesHost: pulumi.Output<string | undefined>;
+    /**
+     * Local mount flag that can be explicitly set to true to enforce local mount in HA environment
+     */
+    readonly local: pulumi.Output<boolean | undefined>;
+    /**
+     * Maximum possible lease duration for tokens and secrets in seconds
+     */
+    readonly maxLeaseTtlSeconds: pulumi.Output<number>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    readonly namespace: pulumi.Output<string | undefined>;
+    /**
+     * Specifies mount type specific options that are passed to the backend
+     */
+    readonly options: pulumi.Output<{
+        [key: string]: any;
+    } | undefined>;
+    /**
+     * Where the secret backend will be mounted
+     */
+    readonly path: pulumi.Output<string>;
+    /**
+     * Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+     */
+    readonly sealWrap: pulumi.Output<boolean>;
+    /**
+     * The JSON web token of the service account used by the
+     * secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
+     * is running in Kubernetes.
+     */
+    readonly serviceAccountJwt: pulumi.Output<string | undefined>;
+    /**
+     * Create a SecretBackend resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: SecretBackendArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering SecretBackend resources.
+ */
+export interface SecretBackendState {
+    /**
+     * Accessor of the mount
+     */
+    accessor?: pulumi.Input<string>;
+    /**
+     * List of managed key registry entry names that the mount in question is allowed to access
+     */
+    allowedManagedKeys?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+     */
+    auditNonHmacRequestKeys?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+     */
+    auditNonHmacResponseKeys?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Default lease duration for tokens and secrets in seconds
+     */
+    defaultLeaseTtlSeconds?: pulumi.Input<number>;
+    /**
+     * Human-friendly description of the mount
+     */
+    description?: pulumi.Input<string>;
+    /**
+     * Disable defaulting to the local CA certificate and
+     * service account JWT when Vault is running in a Kubernetes pod.
+     */
+    disableLocalCaJwt?: pulumi.Input<boolean>;
+    /**
+     * Enable the secrets engine to access Vault's external entropy source
+     */
+    externalEntropyAccess?: pulumi.Input<boolean>;
+    /**
+     * A PEM-encoded CA certificate used by the
+     * secrets engine to verify the Kubernetes API server certificate. Defaults to the local
+     * pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
+     * Vault is running.
+     */
+    kubernetesCaCert?: pulumi.Input<string>;
+    /**
+     * The Kubernetes API URL to connect to. Required if the
+     * standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
+     * are not set on the host that Vault is running on.
+     */
+    kubernetesHost?: pulumi.Input<string>;
+    /**
+     * Local mount flag that can be explicitly set to true to enforce local mount in HA environment
+     */
+    local?: pulumi.Input<boolean>;
+    /**
+     * Maximum possible lease duration for tokens and secrets in seconds
+     */
+    maxLeaseTtlSeconds?: pulumi.Input<number>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
+    /**
+     * Specifies mount type specific options that are passed to the backend
+     */
+    options?: pulumi.Input<{
+        [key: string]: any;
+    }>;
+    /**
+     * Where the secret backend will be mounted
+     */
+    path?: pulumi.Input<string>;
+    /**
+     * Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+     */
+    sealWrap?: pulumi.Input<boolean>;
+    /**
+     * The JSON web token of the service account used by the
+     * secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
+     * is running in Kubernetes.
+     */
+    serviceAccountJwt?: pulumi.Input<string>;
+}
+/**
+ * The set of arguments for constructing a SecretBackend resource.
+ */
+export interface SecretBackendArgs {
+    /**
+     * List of managed key registry entry names that the mount in question is allowed to access
+     */
+    allowedManagedKeys?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+     */
+    auditNonHmacRequestKeys?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+     */
+    auditNonHmacResponseKeys?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Default lease duration for tokens and secrets in seconds
+     */
+    defaultLeaseTtlSeconds?: pulumi.Input<number>;
+    /**
+     * Human-friendly description of the mount
+     */
+    description?: pulumi.Input<string>;
+    /**
+     * Disable defaulting to the local CA certificate and
+     * service account JWT when Vault is running in a Kubernetes pod.
+     */
+    disableLocalCaJwt?: pulumi.Input<boolean>;
+    /**
+     * Enable the secrets engine to access Vault's external entropy source
+     */
+    externalEntropyAccess?: pulumi.Input<boolean>;
+    /**
+     * A PEM-encoded CA certificate used by the
+     * secrets engine to verify the Kubernetes API server certificate. Defaults to the local
+     * pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
+     * Vault is running.
+     */
+    kubernetesCaCert?: pulumi.Input<string>;
+    /**
+     * The Kubernetes API URL to connect to. Required if the
+     * standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
+     * are not set on the host that Vault is running on.
+     */
+    kubernetesHost?: pulumi.Input<string>;
+    /**
+     * Local mount flag that can be explicitly set to true to enforce local mount in HA environment
+     */
+    local?: pulumi.Input<boolean>;
+    /**
+     * Maximum possible lease duration for tokens and secrets in seconds
+     */
+    maxLeaseTtlSeconds?: pulumi.Input<number>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
+    /**
+     * Specifies mount type specific options that are passed to the backend
+     */
+    options?: pulumi.Input<{
+        [key: string]: any;
+    }>;
+    /**
+     * Where the secret backend will be mounted
+     */
+    path: pulumi.Input<string>;
+    /**
+     * Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+     */
+    sealWrap?: pulumi.Input<boolean>;
+    /**
+     * The JSON web token of the service account used by the
+     * secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
+     * is running in Kubernetes.
+     */
+    serviceAccountJwt?: pulumi.Input<string>;
+}

package/kubernetes/secretBackend.js

@@ -0,0 +1,114 @@
+"use strict";
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretBackend = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     defaultLeaseTtlSeconds: 43200,
+ *     maxLeaseTtlSeconds: 86400,
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * The Kubernetes secret backend can be imported using its `path` e.g.
+ *
+ * ```sh
+ *  $ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes
+ * ```
+ */
+class SecretBackend extends pulumi.CustomResource {
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["accessor"] = state ? state.accessor : undefined;
+            resourceInputs["allowedManagedKeys"] = state ? state.allowedManagedKeys : undefined;
+            resourceInputs["auditNonHmacRequestKeys"] = state ? state.auditNonHmacRequestKeys : undefined;
+            resourceInputs["auditNonHmacResponseKeys"] = state ? state.auditNonHmacResponseKeys : undefined;
+            resourceInputs["defaultLeaseTtlSeconds"] = state ? state.defaultLeaseTtlSeconds : undefined;
+            resourceInputs["description"] = state ? state.description : undefined;
+            resourceInputs["disableLocalCaJwt"] = state ? state.disableLocalCaJwt : undefined;
+            resourceInputs["externalEntropyAccess"] = state ? state.externalEntropyAccess : undefined;
+            resourceInputs["kubernetesCaCert"] = state ? state.kubernetesCaCert : undefined;
+            resourceInputs["kubernetesHost"] = state ? state.kubernetesHost : undefined;
+            resourceInputs["local"] = state ? state.local : undefined;
+            resourceInputs["maxLeaseTtlSeconds"] = state ? state.maxLeaseTtlSeconds : undefined;
+            resourceInputs["namespace"] = state ? state.namespace : undefined;
+            resourceInputs["options"] = state ? state.options : undefined;
+            resourceInputs["path"] = state ? state.path : undefined;
+            resourceInputs["sealWrap"] = state ? state.sealWrap : undefined;
+            resourceInputs["serviceAccountJwt"] = state ? state.serviceAccountJwt : undefined;
+        }
+        else {
+            const args = argsOrState;
+            if ((!args || args.path === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'path'");
+            }
+            resourceInputs["allowedManagedKeys"] = args ? args.allowedManagedKeys : undefined;
+            resourceInputs["auditNonHmacRequestKeys"] = args ? args.auditNonHmacRequestKeys : undefined;
+            resourceInputs["auditNonHmacResponseKeys"] = args ? args.auditNonHmacResponseKeys : undefined;
+            resourceInputs["defaultLeaseTtlSeconds"] = args ? args.defaultLeaseTtlSeconds : undefined;
+            resourceInputs["description"] = args ? args.description : undefined;
+            resourceInputs["disableLocalCaJwt"] = args ? args.disableLocalCaJwt : undefined;
+            resourceInputs["externalEntropyAccess"] = args ? args.externalEntropyAccess : undefined;
+            resourceInputs["kubernetesCaCert"] = args ? args.kubernetesCaCert : undefined;
+            resourceInputs["kubernetesHost"] = args ? args.kubernetesHost : undefined;
+            resourceInputs["local"] = args ? args.local : undefined;
+            resourceInputs["maxLeaseTtlSeconds"] = args ? args.maxLeaseTtlSeconds : undefined;
+            resourceInputs["namespace"] = args ? args.namespace : undefined;
+            resourceInputs["options"] = args ? args.options : undefined;
+            resourceInputs["path"] = args ? args.path : undefined;
+            resourceInputs["sealWrap"] = args ? args.sealWrap : undefined;
+            resourceInputs["serviceAccountJwt"] = (args === null || args === void 0 ? void 0 : args.serviceAccountJwt) ? pulumi.secret(args.serviceAccountJwt) : undefined;
+            resourceInputs["accessor"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const secretOpts = { additionalSecretOutputs: ["serviceAccountJwt"] };
+        opts = pulumi.mergeOptions(opts, secretOpts);
+        super(SecretBackend.__pulumiType, name, resourceInputs, opts);
+    }
+    /**
+     * Get an existing SecretBackend resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new SecretBackend(name, state, Object.assign(Object.assign({}, opts), { id: id }));
+    }
+    /**
+     * Returns true if the given object is an instance of SecretBackend.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === SecretBackend.__pulumiType;
+    }
+}
+exports.SecretBackend = SecretBackend;
+/** @internal */
+SecretBackend.__pulumiType = 'vault:kubernetes/secretBackend:SecretBackend';
+//# sourceMappingURL=secretBackend.js.map

package/kubernetes/secretBackend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretBackend.js","sourceRoot":"","sources":["../../kubernetes/secretBackend.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAa,aAAc,SAAQ,MAAM,CAAC,cAAc;IAoHpD,YAAY,IAAY,EAAE,WAAoD,EAAE,IAAmC;QAC/G,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAA6C,CAAC;YAC5D,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,cAAc,CAAC,yBAAyB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9F,cAAc,CAAC,0BAA0B,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChG,cAAc,CAAC,wBAAwB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5F,cAAc,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACtE,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,uBAAuB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1F,cAAc,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5E,cAAc,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1D,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAClE,cAAc,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;SACrF;aAAM;YACH,MAAM,IAAI,GAAG,WAA4C,CAAC;YAC1D,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACjD,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;aACvD;YACD,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,yBAAyB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5F,cAAc,CAAC,0BAA0B,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9F,cAAc,CAAC,wBAAwB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1F,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,uBAAuB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;YACxF,cAAc,CAAC,kBAAkB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9E,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1E,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACtD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,mBAAmB,CAAC,GAAG,CAAA,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,iBAAiB,EAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAClH,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAClD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,MAAM,UAAU,GAAG,EAAE,uBAAuB,EAAE,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACtE,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7C,KAAK,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAClE,CAAC;IApKD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA0B,EAAE,IAAmC;QACxH,OAAO,IAAI,aAAa,CAAC,IAAI,EAAO,KAAK,kCAAO,IAAI,KAAE,EAAE,EAAE,EAAE,IAAG,CAAC;IACpE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,aAAa,CAAC,YAAY,CAAC;IAC9D,CAAC;;AA1BL,sCAsKC;AAxJG,gBAAgB;AACO,0BAAY,GAAG,8CAA8C,CAAC"}