@pulumi/vault 5.6.0 → 5.7.1

package/kv/secretBackendV2.js

@@ -0,0 +1,103 @@
+"use strict";
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretBackendV2 = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * Configures KV-V2 backend level settings that are applied to
+ * every key in the key-value store.
+ *
+ * For more information on Vault's KV-V2 secret backend
+ * [see here](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const kvv2 = new vault.Mount("kvv2", {
+ *     path: "kvv2",
+ *     type: "kv",
+ *     options: {
+ *         version: "2",
+ *     },
+ *     description: "KV Version 2 secret engine mount",
+ * });
+ * const config = new vault.kv.SecretBackendV2("config", {
+ *     mount: kvv2.path,
+ *     maxVersions: 5,
+ *     deleteVersionAfter: 12600,
+ *     casRequired: true,
+ * });
+ * ```
+ * ## Required Vault Capabilities
+ *
+ * Use of this resource requires the `create` or `update` capability
+ * (depending on whether the resource already exists) on the given path,
+ * the `delete` capability if the resource is removed from configuration,
+ * and the `read` capability for drift detection (by default).
+ *
+ * ## Import
+ *
+ * The KV-V2 secret backend can be imported using the `path`, e.g.
+ *
+ * ```sh
+ *  $ pulumi import vault:kv/secretBackendV2:SecretBackendV2 config kvv2/config
+ * ```
+ */
+class SecretBackendV2 extends pulumi.CustomResource {
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["casRequired"] = state ? state.casRequired : undefined;
+            resourceInputs["deleteVersionAfter"] = state ? state.deleteVersionAfter : undefined;
+            resourceInputs["maxVersions"] = state ? state.maxVersions : undefined;
+            resourceInputs["mount"] = state ? state.mount : undefined;
+            resourceInputs["namespace"] = state ? state.namespace : undefined;
+        }
+        else {
+            const args = argsOrState;
+            if ((!args || args.mount === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'mount'");
+            }
+            resourceInputs["casRequired"] = args ? args.casRequired : undefined;
+            resourceInputs["deleteVersionAfter"] = args ? args.deleteVersionAfter : undefined;
+            resourceInputs["maxVersions"] = args ? args.maxVersions : undefined;
+            resourceInputs["mount"] = args ? args.mount : undefined;
+            resourceInputs["namespace"] = args ? args.namespace : undefined;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(SecretBackendV2.__pulumiType, name, resourceInputs, opts);
+    }
+    /**
+     * Get an existing SecretBackendV2 resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new SecretBackendV2(name, state, Object.assign(Object.assign({}, opts), { id: id }));
+    }
+    /**
+     * Returns true if the given object is an instance of SecretBackendV2.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === SecretBackendV2.__pulumiType;
+    }
+}
+exports.SecretBackendV2 = SecretBackendV2;
+/** @internal */
+SecretBackendV2.__pulumiType = 'vault:kv/secretBackendV2:SecretBackendV2';
+//# sourceMappingURL=secretBackendV2.js.map

package/kv/secretBackendV2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretBackendV2.js","sourceRoot":"","sources":["../../kv/secretBackendV2.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAa,eAAgB,SAAQ,MAAM,CAAC,cAAc;IA8DtD,YAAY,IAAY,EAAE,WAAwD,EAAE,IAAmC;QACnH,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAA+C,CAAC;YAC9D,cAAc,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACtE,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YACpF,cAAc,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACtE,cAAc,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1D,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;SACrE;aAAM;YACH,MAAM,IAAI,GAAG,WAA8C,CAAC;YAC5D,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAClD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;aACxD;YACD,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;SACnE;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,eAAe,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACpE,CAAC;IApFD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA4B,EAAE,IAAmC;QAC1H,OAAO,IAAI,eAAe,CAAC,IAAI,EAAO,KAAK,kCAAO,IAAI,KAAE,EAAE,EAAE,EAAE,IAAG,CAAC;IACtE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,eAAe,CAAC,YAAY,CAAC;IAChE,CAAC;;AA1BL,0CAsFC;AAxEG,gBAAgB;AACO,4BAAY,GAAG,0CAA0C,CAAC"}

package/kv/secretV2.d.ts

@@ -0,0 +1,257 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * Writes a KV-V2 secret to a given path in Vault.
+ *
+ * For more information on Vault's KV-V2 secret backend
+ * [see here](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const kvv2 = new vault.Mount("kvv2", {
+ *     path: "kvv2",
+ *     type: "kv",
+ *     options: {
+ *         version: "2",
+ *     },
+ *     description: "KV Version 2 secret engine mount",
+ * });
+ * const secret = new vault.kv.SecretV2("secret", {
+ *     mount: kvv2.path,
+ *     cas: 1,
+ *     deleteAllVersions: true,
+ *     dataJson: JSON.stringify({
+ *         zip: "zap",
+ *         foo: "bar",
+ *     }),
+ * });
+ * ```
+ * ## Required Vault Capabilities
+ *
+ * Use of this resource requires the `create` or `update` capability
+ * (depending on whether the resource already exists) on the given path,
+ * the `delete` capability if the resource is removed from configuration,
+ * and the `read` capability for drift detection (by default).
+ *
+ * ## Import
+ *
+ * KV-V2 secrets can be imported using the `path`, e.g.
+ *
+ * ```sh
+ *  $ pulumi import vault:kv/secretV2:SecretV2 secret kvv2/data/secret
+ * ```
+ */
+export declare class SecretV2 extends pulumi.CustomResource {
+    /**
+     * Get an existing SecretV2 resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretV2State, opts?: pulumi.CustomResourceOptions): SecretV2;
+    /**
+     * Returns true if the given object is an instance of SecretV2.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is SecretV2;
+    /**
+     * This flag is required if `casRequired` is set to true
+     * on either the secret or the engine's config. In order for a
+     * write operation to be successful, cas must be set to the current version
+     * of the secret.
+     */
+    readonly cas: pulumi.Output<number | undefined>;
+    /**
+     * A mapping whose keys are the top-level data keys returned from
+     * Vault and whose values are the corresponding values. This map can only
+     * represent string data, so any non-string values returned from Vault are
+     * serialized as JSON.
+     */
+    readonly data: pulumi.Output<{
+        [key: string]: any;
+    }>;
+    /**
+     * JSON-encoded string that will be
+     * written as the secret data at the given path.
+     */
+    readonly dataJson: pulumi.Output<string>;
+    /**
+     * If set to true, permanently deletes all
+     * versions for the specified key.
+     */
+    readonly deleteAllVersions: pulumi.Output<boolean | undefined>;
+    /**
+     * If set to true, disables reading secret from Vault;
+     * note: drift won't be detected.
+     */
+    readonly disableRead: pulumi.Output<boolean | undefined>;
+    /**
+     * Metadata associated with this secret read from Vault.
+     */
+    readonly metadata: pulumi.Output<{
+        [key: string]: any;
+    }>;
+    /**
+     * Path where KV-V2 engine is mounted.
+     */
+    readonly mount: pulumi.Output<string>;
+    /**
+     * Full name of the secret. For a nested secret
+     * the name is the nested path excluding the mount and data
+     * prefix. For example, for a secret at `kvv2/data/foo/bar/baz`
+     * the name is `foo/bar/baz`.
+     */
+    readonly name: pulumi.Output<string>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    readonly namespace: pulumi.Output<string | undefined>;
+    /**
+     * An object that holds option settings.
+     */
+    readonly options: pulumi.Output<{
+        [key: string]: any;
+    } | undefined>;
+    /**
+     * Full path where the KV-V2 secret will be written.
+     */
+    readonly path: pulumi.Output<string>;
+    /**
+     * Create a SecretV2 resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: SecretV2Args, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering SecretV2 resources.
+ */
+export interface SecretV2State {
+    /**
+     * This flag is required if `casRequired` is set to true
+     * on either the secret or the engine's config. In order for a
+     * write operation to be successful, cas must be set to the current version
+     * of the secret.
+     */
+    cas?: pulumi.Input<number>;
+    /**
+     * A mapping whose keys are the top-level data keys returned from
+     * Vault and whose values are the corresponding values. This map can only
+     * represent string data, so any non-string values returned from Vault are
+     * serialized as JSON.
+     */
+    data?: pulumi.Input<{
+        [key: string]: any;
+    }>;
+    /**
+     * JSON-encoded string that will be
+     * written as the secret data at the given path.
+     */
+    dataJson?: pulumi.Input<string>;
+    /**
+     * If set to true, permanently deletes all
+     * versions for the specified key.
+     */
+    deleteAllVersions?: pulumi.Input<boolean>;
+    /**
+     * If set to true, disables reading secret from Vault;
+     * note: drift won't be detected.
+     */
+    disableRead?: pulumi.Input<boolean>;
+    /**
+     * Metadata associated with this secret read from Vault.
+     */
+    metadata?: pulumi.Input<{
+        [key: string]: any;
+    }>;
+    /**
+     * Path where KV-V2 engine is mounted.
+     */
+    mount?: pulumi.Input<string>;
+    /**
+     * Full name of the secret. For a nested secret
+     * the name is the nested path excluding the mount and data
+     * prefix. For example, for a secret at `kvv2/data/foo/bar/baz`
+     * the name is `foo/bar/baz`.
+     */
+    name?: pulumi.Input<string>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
+    /**
+     * An object that holds option settings.
+     */
+    options?: pulumi.Input<{
+        [key: string]: any;
+    }>;
+    /**
+     * Full path where the KV-V2 secret will be written.
+     */
+    path?: pulumi.Input<string>;
+}
+/**
+ * The set of arguments for constructing a SecretV2 resource.
+ */
+export interface SecretV2Args {
+    /**
+     * This flag is required if `casRequired` is set to true
+     * on either the secret or the engine's config. In order for a
+     * write operation to be successful, cas must be set to the current version
+     * of the secret.
+     */
+    cas?: pulumi.Input<number>;
+    /**
+     * JSON-encoded string that will be
+     * written as the secret data at the given path.
+     */
+    dataJson: pulumi.Input<string>;
+    /**
+     * If set to true, permanently deletes all
+     * versions for the specified key.
+     */
+    deleteAllVersions?: pulumi.Input<boolean>;
+    /**
+     * If set to true, disables reading secret from Vault;
+     * note: drift won't be detected.
+     */
+    disableRead?: pulumi.Input<boolean>;
+    /**
+     * Path where KV-V2 engine is mounted.
+     */
+    mount: pulumi.Input<string>;
+    /**
+     * Full name of the secret. For a nested secret
+     * the name is the nested path excluding the mount and data
+     * prefix. For example, for a secret at `kvv2/data/foo/bar/baz`
+     * the name is `foo/bar/baz`.
+     */
+    name?: pulumi.Input<string>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
+    /**
+     * An object that holds option settings.
+     */
+    options?: pulumi.Input<{
+        [key: string]: any;
+    }>;
+}

package/kv/secretV2.js

@@ -0,0 +1,122 @@
+"use strict";
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretV2 = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * Writes a KV-V2 secret to a given path in Vault.
+ *
+ * For more information on Vault's KV-V2 secret backend
+ * [see here](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as vault from "@pulumi/vault";
+ *
+ * const kvv2 = new vault.Mount("kvv2", {
+ *     path: "kvv2",
+ *     type: "kv",
+ *     options: {
+ *         version: "2",
+ *     },
+ *     description: "KV Version 2 secret engine mount",
+ * });
+ * const secret = new vault.kv.SecretV2("secret", {
+ *     mount: kvv2.path,
+ *     cas: 1,
+ *     deleteAllVersions: true,
+ *     dataJson: JSON.stringify({
+ *         zip: "zap",
+ *         foo: "bar",
+ *     }),
+ * });
+ * ```
+ * ## Required Vault Capabilities
+ *
+ * Use of this resource requires the `create` or `update` capability
+ * (depending on whether the resource already exists) on the given path,
+ * the `delete` capability if the resource is removed from configuration,
+ * and the `read` capability for drift detection (by default).
+ *
+ * ## Import
+ *
+ * KV-V2 secrets can be imported using the `path`, e.g.
+ *
+ * ```sh
+ *  $ pulumi import vault:kv/secretV2:SecretV2 secret kvv2/data/secret
+ * ```
+ */
+class SecretV2 extends pulumi.CustomResource {
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["cas"] = state ? state.cas : undefined;
+            resourceInputs["data"] = state ? state.data : undefined;
+            resourceInputs["dataJson"] = state ? state.dataJson : undefined;
+            resourceInputs["deleteAllVersions"] = state ? state.deleteAllVersions : undefined;
+            resourceInputs["disableRead"] = state ? state.disableRead : undefined;
+            resourceInputs["metadata"] = state ? state.metadata : undefined;
+            resourceInputs["mount"] = state ? state.mount : undefined;
+            resourceInputs["name"] = state ? state.name : undefined;
+            resourceInputs["namespace"] = state ? state.namespace : undefined;
+            resourceInputs["options"] = state ? state.options : undefined;
+            resourceInputs["path"] = state ? state.path : undefined;
+        }
+        else {
+            const args = argsOrState;
+            if ((!args || args.dataJson === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'dataJson'");
+            }
+            if ((!args || args.mount === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'mount'");
+            }
+            resourceInputs["cas"] = args ? args.cas : undefined;
+            resourceInputs["dataJson"] = (args === null || args === void 0 ? void 0 : args.dataJson) ? pulumi.secret(args.dataJson) : undefined;
+            resourceInputs["deleteAllVersions"] = args ? args.deleteAllVersions : undefined;
+            resourceInputs["disableRead"] = args ? args.disableRead : undefined;
+            resourceInputs["mount"] = args ? args.mount : undefined;
+            resourceInputs["name"] = args ? args.name : undefined;
+            resourceInputs["namespace"] = args ? args.namespace : undefined;
+            resourceInputs["options"] = args ? args.options : undefined;
+            resourceInputs["data"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["path"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const secretOpts = { additionalSecretOutputs: ["data", "dataJson"] };
+        opts = pulumi.mergeOptions(opts, secretOpts);
+        super(SecretV2.__pulumiType, name, resourceInputs, opts);
+    }
+    /**
+     * Get an existing SecretV2 resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new SecretV2(name, state, Object.assign(Object.assign({}, opts), { id: id }));
+    }
+    /**
+     * Returns true if the given object is an instance of SecretV2.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === SecretV2.__pulumiType;
+    }
+}
+exports.SecretV2 = SecretV2;
+/** @internal */
+SecretV2.__pulumiType = 'vault:kv/secretV2:SecretV2';
+//# sourceMappingURL=secretV2.js.map

package/kv/secretV2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretV2.js","sourceRoot":"","sources":["../../kv/secretV2.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,MAAa,QAAS,SAAQ,MAAM,CAAC,cAAc;IAgG/C,YAAY,IAAY,EAAE,WAA0C,EAAE,IAAmC;QACrG,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAwC,CAAC;YACvD,cAAc,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YACtD,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAClF,cAAc,CAAC,aAAa,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACtE,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1D,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAClE,cAAc,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;SAC3D;aAAM;YACH,MAAM,IAAI,GAAG,WAAuC,CAAC;YACrD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACrD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;aAC3D;YACD,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAClD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;aACxD;YACD,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YACpD,cAAc,CAAC,UAAU,CAAC,GAAG,CAAA,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,QAAQ,EAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACvF,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;YAChF,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,cAAc,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YACxD,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACtD,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAChE,cAAc,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,cAAc,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC3C,cAAc,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/C,cAAc,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC9C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,MAAM,UAAU,GAAG,EAAE,uBAAuB,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,CAAC;QACrE,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7C,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAC7D,CAAC;IAvID;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAAqB,EAAE,IAAmC;QACnH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAO,KAAK,kCAAO,IAAI,KAAE,EAAE,EAAE,EAAE,IAAG,CAAC;IAC/D,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,YAAY,CAAC;IACzD,CAAC;;AA1BL,4BAyIC;AA3HG,gBAAgB;AACO,qBAAY,GAAG,4BAA4B,CAAC"}

package/ldap/authBackend.d.ts

@@ -71,6 +71,11 @@ export declare class AuthBackend extends pulumi.CustomResource {
      * Description for the LDAP auth backend mount
      */
     readonly description: pulumi.Output<string>;
+    /**
+     * If set, opts out of mount migration on path updates.
+     * See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+     */
+    readonly disableRemount: pulumi.Output<boolean | undefined>;
     readonly discoverdn: pulumi.Output<boolean>;
     /**
      * LDAP attribute to follow on objects returned by groupfilter
@@ -92,6 +97,13 @@ export declare class AuthBackend extends pulumi.CustomResource {
      * Specifies if the auth method is local only.
      */
     readonly local: pulumi.Output<boolean | undefined>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    readonly namespace: pulumi.Output<string | undefined>;
     /**
      * Path to mount the LDAP auth backend under
      */
@@ -185,6 +197,10 @@ export declare class AuthBackend extends pulumi.CustomResource {
      * LDAP user search filter
      */
     readonly userfilter: pulumi.Output<string>;
+    /**
+     * Force the auth method to use the username passed by the user as the alias name.
+     */
+    readonly usernameAsAlias: pulumi.Output<boolean>;
     /**
      * Create a AuthBackend resource with the given unique name, arguments, and options.
      *
@@ -225,6 +241,11 @@ export interface AuthBackendState {
      * Description for the LDAP auth backend mount
      */
     description?: pulumi.Input<string>;
+    /**
+     * If set, opts out of mount migration on path updates.
+     * See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+     */
+    disableRemount?: pulumi.Input<boolean>;
     discoverdn?: pulumi.Input<boolean>;
     /**
      * LDAP attribute to follow on objects returned by groupfilter
@@ -246,6 +267,13 @@ export interface AuthBackendState {
      * Specifies if the auth method is local only.
      */
     local?: pulumi.Input<boolean>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
     /**
      * Path to mount the LDAP auth backend under
      */
@@ -339,6 +367,10 @@ export interface AuthBackendState {
      * LDAP user search filter
      */
     userfilter?: pulumi.Input<string>;
+    /**
+     * Force the auth method to use the username passed by the user as the alias name.
+     */
+    usernameAsAlias?: pulumi.Input<boolean>;
 }
 /**
  * The set of arguments for constructing a AuthBackend resource.
@@ -367,6 +399,11 @@ export interface AuthBackendArgs {
      * Description for the LDAP auth backend mount
      */
     description?: pulumi.Input<string>;
+    /**
+     * If set, opts out of mount migration on path updates.
+     * See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+     */
+    disableRemount?: pulumi.Input<boolean>;
     discoverdn?: pulumi.Input<boolean>;
     /**
      * LDAP attribute to follow on objects returned by groupfilter
@@ -388,6 +425,13 @@ export interface AuthBackendArgs {
      * Specifies if the auth method is local only.
      */
     local?: pulumi.Input<boolean>;
+    /**
+     * The namespace to provision the resource in.
+     * The value should not contain leading or trailing forward slashes.
+     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+     * *Available only for Vault Enterprise*.
+     */
+    namespace?: pulumi.Input<string>;
     /**
      * Path to mount the LDAP auth backend under
      */
@@ -481,4 +525,8 @@ export interface AuthBackendArgs {
      * LDAP user search filter
      */
     userfilter?: pulumi.Input<string>;
+    /**
+     * Force the auth method to use the username passed by the user as the alias name.
+     */
+    usernameAsAlias?: pulumi.Input<boolean>;
 }

package/ldap/authBackend.js

@@ -49,12 +49,14 @@ class AuthBackend extends pulumi.CustomResource {
             resourceInputs["clientTlsKey"] = state ? state.clientTlsKey : undefined;
             resourceInputs["denyNullBind"] = state ? state.denyNullBind : undefined;
             resourceInputs["description"] = state ? state.description : undefined;
+            resourceInputs["disableRemount"] = state ? state.disableRemount : undefined;
             resourceInputs["discoverdn"] = state ? state.discoverdn : undefined;
             resourceInputs["groupattr"] = state ? state.groupattr : undefined;
             resourceInputs["groupdn"] = state ? state.groupdn : undefined;
             resourceInputs["groupfilter"] = state ? state.groupfilter : undefined;
             resourceInputs["insecureTls"] = state ? state.insecureTls : undefined;
             resourceInputs["local"] = state ? state.local : undefined;
+            resourceInputs["namespace"] = state ? state.namespace : undefined;
             resourceInputs["path"] = state ? state.path : undefined;
             resourceInputs["starttls"] = state ? state.starttls : undefined;
             resourceInputs["tlsMaxVersion"] = state ? state.tlsMaxVersion : undefined;
@@ -74,6 +76,7 @@ class AuthBackend extends pulumi.CustomResource {
             resourceInputs["userattr"] = state ? state.userattr : undefined;
             resourceInputs["userdn"] = state ? state.userdn : undefined;
             resourceInputs["userfilter"] = state ? state.userfilter : undefined;
+            resourceInputs["usernameAsAlias"] = state ? state.usernameAsAlias : undefined;
         }
         else {
             const args = argsOrState;
@@ -81,19 +84,21 @@ class AuthBackend extends pulumi.CustomResource {
                 throw new Error("Missing required property 'url'");
             }
             resourceInputs["binddn"] = args ? args.binddn : undefined;
-            resourceInputs["bindpass"] = args ? args.bindpass : undefined;
+            resourceInputs["bindpass"] = (args === null || args === void 0 ? void 0 : args.bindpass) ? pulumi.secret(args.bindpass) : undefined;
             resourceInputs["caseSensitiveNames"] = args ? args.caseSensitiveNames : undefined;
             resourceInputs["certificate"] = args ? args.certificate : undefined;
             resourceInputs["clientTlsCert"] = args ? args.clientTlsCert : undefined;
-            resourceInputs["clientTlsKey"] = args ? args.clientTlsKey : undefined;
+            resourceInputs["clientTlsKey"] = (args === null || args === void 0 ? void 0 : args.clientTlsKey) ? pulumi.secret(args.clientTlsKey) : undefined;
             resourceInputs["denyNullBind"] = args ? args.denyNullBind : undefined;
             resourceInputs["description"] = args ? args.description : undefined;
+            resourceInputs["disableRemount"] = args ? args.disableRemount : undefined;
             resourceInputs["discoverdn"] = args ? args.discoverdn : undefined;
             resourceInputs["groupattr"] = args ? args.groupattr : undefined;
             resourceInputs["groupdn"] = args ? args.groupdn : undefined;
             resourceInputs["groupfilter"] = args ? args.groupfilter : undefined;
             resourceInputs["insecureTls"] = args ? args.insecureTls : undefined;
             resourceInputs["local"] = args ? args.local : undefined;
+            resourceInputs["namespace"] = args ? args.namespace : undefined;
             resourceInputs["path"] = args ? args.path : undefined;
             resourceInputs["starttls"] = args ? args.starttls : undefined;
             resourceInputs["tlsMaxVersion"] = args ? args.tlsMaxVersion : undefined;
@@ -113,9 +118,12 @@ class AuthBackend extends pulumi.CustomResource {
             resourceInputs["userattr"] = args ? args.userattr : undefined;
             resourceInputs["userdn"] = args ? args.userdn : undefined;
             resourceInputs["userfilter"] = args ? args.userfilter : undefined;
+            resourceInputs["usernameAsAlias"] = args ? args.usernameAsAlias : undefined;
             resourceInputs["accessor"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const secretOpts = { additionalSecretOutputs: ["bindpass", "clientTlsKey"] };
+        opts = pulumi.mergeOptions(opts, secretOpts);
         super(AuthBackend.__pulumiType, name, resourceInputs, opts);
     }
     /**