@pulumi/vault 5.6.0 → 5.7.1

package/kubernetes/secretBackendRole.d.ts

@@ -0,0 +1,367 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * ## Example Usage
+ *
+ * Example using `serviceAccountName` mode:
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * const sa_example = new vault.kubernetes.SecretBackendRole("sa-example", {
+ *     backend: config.path,
+ *     allowedKubernetesNamespaces: ["*"],
+ *     tokenMaxTtl: 43200,
+ *     tokenDefaultTtl: 21600,
+ *     serviceAccountName: "test-service-account-with-generated-token",
+ *     extraLabels: {
+ *         id: "abc123",
+ *         name: "some_name",
+ *     },
+ *     extraAnnotations: {
+ *         env: "development",
+ *         location: "earth",
+ *     },
+ * });
+ * ```
+ *
+ * Example using `kubernetesRoleName` mode:
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * const name_example = new vault.kubernetes.SecretBackendRole("name-example", {
+ *     backend: config.path,
+ *     allowedKubernetesNamespaces: ["*"],
+ *     tokenMaxTtl: 43200,
+ *     tokenDefaultTtl: 21600,
+ *     kubernetesRoleName: "vault-k8s-secrets-role",
+ *     extraLabels: {
+ *         id: "abc123",
+ *         name: "some_name",
+ *     },
+ *     extraAnnotations: {
+ *         env: "development",
+ *         location: "earth",
+ *     },
+ * });
+ * ```
+ *
+ * Example using `generatedRoleRules` mode:
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * const rules_example = new vault.kubernetes.SecretBackendRole("rules-example", {
+ *     backend: config.path,
+ *     allowedKubernetesNamespaces: ["*"],
+ *     tokenMaxTtl: 43200,
+ *     tokenDefaultTtl: 21600,
+ *     kubernetesRoleType: "Role",
+ *     generatedRoleRules: `rules:
+ * - apiGroups: [""]
+ *   resources: ["pods"]
+ *   verbs: ["list"]
+ * `,
+ *     extraLabels: {
+ *         id: "abc123",
+ *         name: "some_name",
+ *     },
+ *     extraAnnotations: {
+ *         env: "development",
+ *         location: "earth",
+ *     },
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * The Kubernetes secret backend role can be imported using the full path to the role of the form`<backend_path>/roles/<role_name>` e.g.
+ *
+ * ```sh
+ *  $ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
+ * ```
+ */
+export declare class SecretBackendRole extends pulumi.CustomResource {
+    /**
+     * Get an existing SecretBackendRole resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendRoleState, opts?: pulumi.CustomResourceOptions): SecretBackendRole;
+    /**
+     * Returns true if the given object is an instance of SecretBackendRole.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is SecretBackendRole;
+    /**
+     * The list of Kubernetes namespaces this role
+     * can generate credentials for. If set to `*` all namespaces are allowed.
+     */
+    readonly allowedKubernetesNamespaces: pulumi.Output<string[]>;
+    /**
+     * The path of the Kubernetes Secrets Engine backend mount to create
+     * the role in.
+     */
+    readonly backend: pulumi.Output<string>;
+    /**
+     * Additional annotations to apply to all generated
+     * Kubernetes objects.
+     */
+    readonly extraAnnotations: pulumi.Output<{
+        [key: string]: string;
+    } | undefined>;
+    /**
+     * Additional labels to apply to all generated Kubernetes
+     * objects.
+     */
+    readonly extraLabels: pulumi.Output<{
+        [key: string]: string;
+    } | undefined>;
+    /**
+     * The Role or ClusterRole rules to use when generating
+     * a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `serviceAccountName`
+     * and `kubernetesRoleName`. If set, the entire chain of Kubernetes objects will be generated
+     * when credentials are requested.
+     */
+    readonly generatedRoleRules: pulumi.Output<string | undefined>;
+    /**
+     * The pre-existing Role or ClusterRole to bind a
+     * generated service account to. Mutually exclusive with `serviceAccountName` and
+     * `generatedRoleRules`. If set, Kubernetes token, service account, and role
+     * binding objects will be created when credentials are requested.
+     */
+    readonly kubernetesRoleName: pulumi.Output<string | undefined>;
+    /**
+     * Specifies whether the Kubernetes role is a Role or
+     * ClusterRole.
+     */
+    readonly kubernetesRoleType: pulumi.Output<string | undefined>;
+    /**
+     * The name of the role.
+     */
+    readonly name: pulumi.Output<string>;
+    /**
+     * The name template to use when generating service accounts,
+     * roles and role bindings. If unset, a default template is used.
+     */
+    readonly nameTemplate: pulumi.Output<string | undefined>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    readonly namespace: pulumi.Output<string | undefined>;
+    /**
+     * The pre-existing service account to generate tokens for.
+     * Mutually exclusive with `kubernetesRoleName` and `generatedRoleRules`. If set, only a
+     * Kubernetes token will be created when credentials are requested.
+     */
+    readonly serviceAccountName: pulumi.Output<string | undefined>;
+    /**
+     * The default TTL for generated Kubernetes tokens in seconds.
+     */
+    readonly tokenDefaultTtl: pulumi.Output<number | undefined>;
+    /**
+     * The maximum TTL for generated Kubernetes tokens in seconds.
+     */
+    readonly tokenMaxTtl: pulumi.Output<number | undefined>;
+    /**
+     * Create a SecretBackendRole resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: SecretBackendRoleArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering SecretBackendRole resources.
+ */
+export interface SecretBackendRoleState {
+    /**
+     * The list of Kubernetes namespaces this role
+     * can generate credentials for. If set to `*` all namespaces are allowed.
+     */
+    allowedKubernetesNamespaces?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The path of the Kubernetes Secrets Engine backend mount to create
+     * the role in.
+     */
+    backend?: pulumi.Input<string>;
+    /**
+     * Additional annotations to apply to all generated
+     * Kubernetes objects.
+     */
+    extraAnnotations?: pulumi.Input<{
+        [key: string]: pulumi.Input<string>;
+    }>;
+    /**
+     * Additional labels to apply to all generated Kubernetes
+     * objects.
+     */
+    extraLabels?: pulumi.Input<{
+        [key: string]: pulumi.Input<string>;
+    }>;
+    /**
+     * The Role or ClusterRole rules to use when generating
+     * a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `serviceAccountName`
+     * and `kubernetesRoleName`. If set, the entire chain of Kubernetes objects will be generated
+     * when credentials are requested.
+     */
+    generatedRoleRules?: pulumi.Input<string>;
+    /**
+     * The pre-existing Role or ClusterRole to bind a
+     * generated service account to. Mutually exclusive with `serviceAccountName` and
+     * `generatedRoleRules`. If set, Kubernetes token, service account, and role
+     * binding objects will be created when credentials are requested.
+     */
+    kubernetesRoleName?: pulumi.Input<string>;
+    /**
+     * Specifies whether the Kubernetes role is a Role or
+     * ClusterRole.
+     */
+    kubernetesRoleType?: pulumi.Input<string>;
+    /**
+     * The name of the role.
+     */
+    name?: pulumi.Input<string>;
+    /**
+     * The name template to use when generating service accounts,
+     * roles and role bindings. If unset, a default template is used.
+     */
+    nameTemplate?: pulumi.Input<string>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
+    /**
+     * The pre-existing service account to generate tokens for.
+     * Mutually exclusive with `kubernetesRoleName` and `generatedRoleRules`. If set, only a
+     * Kubernetes token will be created when credentials are requested.
+     */
+    serviceAccountName?: pulumi.Input<string>;
+    /**
+     * The default TTL for generated Kubernetes tokens in seconds.
+     */
+    tokenDefaultTtl?: pulumi.Input<number>;
+    /**
+     * The maximum TTL for generated Kubernetes tokens in seconds.
+     */
+    tokenMaxTtl?: pulumi.Input<number>;
+}
+/**
+ * The set of arguments for constructing a SecretBackendRole resource.
+ */
+export interface SecretBackendRoleArgs {
+    /**
+     * The list of Kubernetes namespaces this role
+     * can generate credentials for. If set to `*` all namespaces are allowed.
+     */
+    allowedKubernetesNamespaces: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The path of the Kubernetes Secrets Engine backend mount to create
+     * the role in.
+     */
+    backend: pulumi.Input<string>;
+    /**
+     * Additional annotations to apply to all generated
+     * Kubernetes objects.
+     */
+    extraAnnotations?: pulumi.Input<{
+        [key: string]: pulumi.Input<string>;
+    }>;
+    /**
+     * Additional labels to apply to all generated Kubernetes
+     * objects.
+     */
+    extraLabels?: pulumi.Input<{
+        [key: string]: pulumi.Input<string>;
+    }>;
+    /**
+     * The Role or ClusterRole rules to use when generating
+     * a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `serviceAccountName`
+     * and `kubernetesRoleName`. If set, the entire chain of Kubernetes objects will be generated
+     * when credentials are requested.
+     */
+    generatedRoleRules?: pulumi.Input<string>;
+    /**
+     * The pre-existing Role or ClusterRole to bind a
+     * generated service account to. Mutually exclusive with `serviceAccountName` and
+     * `generatedRoleRules`. If set, Kubernetes token, service account, and role
+     * binding objects will be created when credentials are requested.
+     */
+    kubernetesRoleName?: pulumi.Input<string>;
+    /**
+     * Specifies whether the Kubernetes role is a Role or
+     * ClusterRole.
+     */
+    kubernetesRoleType?: pulumi.Input<string>;
+    /**
+     * The name of the role.
+     */
+    name?: pulumi.Input<string>;
+    /**
+     * The name template to use when generating service accounts,
+     * roles and role bindings. If unset, a default template is used.
+     */
+    nameTemplate?: pulumi.Input<string>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
+    /**
+     * The pre-existing service account to generate tokens for.
+     * Mutually exclusive with `kubernetesRoleName` and `generatedRoleRules`. If set, only a
+     * Kubernetes token will be created when credentials are requested.
+     */
+    serviceAccountName?: pulumi.Input<string>;
+    /**
+     * The default TTL for generated Kubernetes tokens in seconds.
+     */
+    tokenDefaultTtl?: pulumi.Input<number>;
+    /**
+     * The maximum TTL for generated Kubernetes tokens in seconds.
+     */
+    tokenMaxTtl?: pulumi.Input<number>;
+}

package/kubernetes/secretBackendRole.js

@@ -0,0 +1,191 @@
+"use strict";
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretBackendRole = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * ## Example Usage
+ *
+ * Example using `serviceAccountName` mode:
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * const sa_example = new vault.kubernetes.SecretBackendRole("sa-example", {
+ *     backend: config.path,
+ *     allowedKubernetesNamespaces: ["*"],
+ *     tokenMaxTtl: 43200,
+ *     tokenDefaultTtl: 21600,
+ *     serviceAccountName: "test-service-account-with-generated-token",
+ *     extraLabels: {
+ *         id: "abc123",
+ *         name: "some_name",
+ *     },
+ *     extraAnnotations: {
+ *         env: "development",
+ *         location: "earth",
+ *     },
+ * });
+ * ```
+ *
+ * Example using `kubernetesRoleName` mode:
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * const name_example = new vault.kubernetes.SecretBackendRole("name-example", {
+ *     backend: config.path,
+ *     allowedKubernetesNamespaces: ["*"],
+ *     tokenMaxTtl: 43200,
+ *     tokenDefaultTtl: 21600,
+ *     kubernetesRoleName: "vault-k8s-secrets-role",
+ *     extraLabels: {
+ *         id: "abc123",
+ *         name: "some_name",
+ *     },
+ *     extraAnnotations: {
+ *         env: "development",
+ *         location: "earth",
+ *     },
+ * });
+ * ```
+ *
+ * Example using `generatedRoleRules` mode:
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as fs from "fs";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const config = new vault.kubernetes.SecretBackend("config", {
+ *     path: "kubernetes",
+ *     description: "kubernetes secrets engine description",
+ *     kubernetesHost: "https://127.0.0.1:61233",
+ *     kubernetesCaCert: fs.readFileSync("/path/to/cert"),
+ *     serviceAccountJwt: fs.readFileSync("/path/to/token"),
+ *     disableLocalCaJwt: false,
+ * });
+ * const rules_example = new vault.kubernetes.SecretBackendRole("rules-example", {
+ *     backend: config.path,
+ *     allowedKubernetesNamespaces: ["*"],
+ *     tokenMaxTtl: 43200,
+ *     tokenDefaultTtl: 21600,
+ *     kubernetesRoleType: "Role",
+ *     generatedRoleRules: `rules:
+ * - apiGroups: [""]
+ *   resources: ["pods"]
+ *   verbs: ["list"]
+ * `,
+ *     extraLabels: {
+ *         id: "abc123",
+ *         name: "some_name",
+ *     },
+ *     extraAnnotations: {
+ *         env: "development",
+ *         location: "earth",
+ *     },
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * The Kubernetes secret backend role can be imported using the full path to the role of the form`<backend_path>/roles/<role_name>` e.g.
+ *
+ * ```sh
+ *  $ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
+ * ```
+ */
+class SecretBackendRole extends pulumi.CustomResource {
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["allowedKubernetesNamespaces"] = state ? state.allowedKubernetesNamespaces : undefined;
+            resourceInputs["backend"] = state ? state.backend : undefined;
+            resourceInputs["extraAnnotations"] = state ? state.extraAnnotations : undefined;
+            resourceInputs["extraLabels"] = state ? state.extraLabels : undefined;
+            resourceInputs["generatedRoleRules"] = state ? state.generatedRoleRules : undefined;
+            resourceInputs["kubernetesRoleName"] = state ? state.kubernetesRoleName : undefined;
+            resourceInputs["kubernetesRoleType"] = state ? state.kubernetesRoleType : undefined;
+            resourceInputs["name"] = state ? state.name : undefined;
+            resourceInputs["nameTemplate"] = state ? state.nameTemplate : undefined;
+            resourceInputs["namespace"] = state ? state.namespace : undefined;
+            resourceInputs["serviceAccountName"] = state ? state.serviceAccountName : undefined;
+            resourceInputs["tokenDefaultTtl"] = state ? state.tokenDefaultTtl : undefined;
+            resourceInputs["tokenMaxTtl"] = state ? state.tokenMaxTtl : undefined;
+        }
+        else {
+            const args = argsOrState;
+            if ((!args || args.allowedKubernetesNamespaces === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'allowedKubernetesNamespaces'");
+            }
+            if ((!args || args.backend === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'backend'");
+            }
+            resourceInputs["allowedKubernetesNamespaces"] = args ? args.allowedKubernetesNamespaces : undefined;
+            resourceInputs["backend"] = args ? args.backend : undefined;
+            resourceInputs["extraAnnotations"] = args ? args.extraAnnotations : undefined;
+            resourceInputs["extraLabels"] = args ? args.extraLabels : undefined;
+            resourceInputs["generatedRoleRules"] = args ? args.generatedRoleRules : undefined;
+            resourceInputs["kubernetesRoleName"] = args ? args.kubernetesRoleName : undefined;
+            resourceInputs["kubernetesRoleType"] = args ? args.kubernetesRoleType : undefined;
+            resourceInputs["name"] = args ? args.name : undefined;
+            resourceInputs["nameTemplate"] = args ? args.nameTemplate : undefined;
+            resourceInputs["namespace"] = args ? args.namespace : undefined;
+            resourceInputs["serviceAccountName"] = args ? args.serviceAccountName : undefined;
+            resourceInputs["tokenDefaultTtl"] = args ? args.tokenDefaultTtl : undefined;
+            resourceInputs["tokenMaxTtl"] = args ? args.tokenMaxTtl : undefined;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(SecretBackendRole.__pulumiType, name, resourceInputs, opts);
+    }
+    /**
+     * Get an existing SecretBackendRole resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new SecretBackendRole(name, state, Object.assign(Object.assign({}, opts), { id: id }));
+    }
+    /**
+     * Returns true if the given object is an instance of SecretBackendRole.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === SecretBackendRole.__pulumiType;
+    }
+}
+exports.SecretBackendRole = SecretBackendRole;
+/** @internal */
+SecretBackendRole.__pulumiType = 'vault:kubernetes/secretBackendRole:SecretBackendRole';
+//# sourceMappingURL=secretBackendRole.js.map

package/kubernetes/secretBackendRole.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretBackendRole.js","sourceRoot":"","sources":["../../kubernetes/secretBackendRole.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+GG;AACH,MAAa,iBAAkB,SAAQ,MAAM,CAAC,cAAc;IA0GxD,YAAY,IAAY,EAAE,WAA4D,EAAE,IAAmC;QACvH,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAiD,CAAC;YAChE,cAAc,CAAC,6BAA6B,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC,CAAC,SAAS,CAAC;YACtG,cAAc,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACtE,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,cAAc,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC;YACxE,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAClE,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,cAAc,CAAC,iBAAiB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9E,cAAc,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;SACzE;aAAM;YACH,MAAM,IAAI,GAAG,WAAgD,CAAC;YAC9D,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,2BAA2B,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACxE,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;aAC9E;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;aAC1D;YACD,cAAc,CAAC,6BAA6B,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,SAAS,CAAC;YACpG,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,cAAc,CAAC,kBAAkB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9E,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACtD,cAAc,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC;YACtE,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,iBAAiB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5E,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;SACvE;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,iBAAiB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACtE,CAAC;IAnJD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA8B,EAAE,IAAmC;QAC5H,OAAO,IAAI,iBAAiB,CAAC,IAAI,EAAO,KAAK,kCAAO,IAAI,KAAE,EAAE,EAAE,EAAE,IAAG,CAAC;IACxE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,iBAAiB,CAAC,YAAY,CAAC;IAClE,CAAC;;AA1BL,8CAqJC;AAvIG,gBAAgB;AACO,8BAAY,GAAG,sDAAsD,CAAC"}

package/kv/getSecret.d.ts

@@ -0,0 +1,104 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const kvv1 = new vault.Mount("kvv1", {
+ *     path: "kvv1",
+ *     type: "kv",
+ *     options: {
+ *         version: "1",
+ *     },
+ *     description: "KV Version 1 secret engine mount",
+ * });
+ * const secret = new vault.kv.Secret("secret", {
+ *     path: pulumi.interpolate`${kvv1.path}/secret`,
+ *     dataJson: JSON.stringify({
+ *         zip: "zap",
+ *         foo: "bar",
+ *     }),
+ * });
+ * const secretData = vault.kv.getSecretOutput({
+ *     path: secret.path,
+ * });
+ * ```
+ * ## Required Vault Capabilities
+ *
+ * Use of this resource requires the `read` capability on the given path.
+ */
+export declare function getSecret(args: GetSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretResult>;
+/**
+ * A collection of arguments for invoking getSecret.
+ */
+export interface GetSecretArgs {
+    /**
+     * The namespace of the target resource.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: string;
+    /**
+     * Full path of the KV-V1 secret.
+     */
+    path: string;
+}
+/**
+ * A collection of values returned by getSecret.
+ */
+export interface GetSecretResult {
+    /**
+     * A mapping whose keys are the top-level data keys returned from
+     * Vault and whose values are the corresponding values. This map can only
+     * represent string data, so any non-string values returned from Vault are
+     * serialized as JSON.
+     */
+    readonly data: {
+        [key: string]: any;
+    };
+    /**
+     * JSON-encoded string that that is
+     * read as the secret data at the given path.
+     */
+    readonly dataJson: string;
+    /**
+     * The provider-assigned unique ID for this managed resource.
+     */
+    readonly id: string;
+    /**
+     * The duration of the secret lease, in seconds. Once
+     * this time has passed any plan generated with this data may fail to apply.
+     */
+    readonly leaseDuration: number;
+    /**
+     * The lease identifier assigned by Vault, if any.
+     */
+    readonly leaseId: string;
+    /**
+     * True if the duration of this lease can be extended
+     * through renewal.
+     */
+    readonly leaseRenewable: boolean;
+    readonly namespace?: string;
+    readonly path: string;
+}
+export declare function getSecretOutput(args: GetSecretOutputArgs, opts?: pulumi.InvokeOptions): pulumi.Output<GetSecretResult>;
+/**
+ * A collection of arguments for invoking getSecret.
+ */
+export interface GetSecretOutputArgs {
+    /**
+     * The namespace of the target resource.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
+    /**
+     * Full path of the KV-V1 secret.
+     */
+    path: pulumi.Input<string>;
+}