pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0__py3-none-any.whl

pulumi_vault/secrets/sync_aws_destination.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SyncAwsDestinationArgs', 'SyncAwsDestination']
@@ -15,10 +20,13 @@ __all__ = ['SyncAwsDestinationArgs', 'SyncAwsDestination']
 class SyncAwsDestinationArgs:
     def __init__(__self__, *,
                  access_key_id: Optional[pulumi.Input[str]] = None,
-                 custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
+                 granularity: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None):
         """
@@ -26,14 +34,26 @@ class SyncAwsDestinationArgs:
         :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
-        :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource 
+               at the destination. Supports `secret-path` and `secret-key`.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -44,12 +64,18 @@ class SyncAwsDestinationArgs:
             pulumi.set(__self__, "access_key_id", access_key_id)
         if custom_tags is not None:
             pulumi.set(__self__, "custom_tags", custom_tags)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
+        if granularity is not None:
+            pulumi.set(__self__, "granularity", granularity)
         if name is not None:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
         if region is not None:
             pulumi.set(__self__, "region", region)
+        if role_arn is not None:
+            pulumi.set(__self__, "role_arn", role_arn)
         if secret_access_key is not None:
             pulumi.set(__self__, "secret_access_key", secret_access_key)
         if secret_name_template is not None:
@@ -71,16 +97,45 @@ class SyncAwsDestinationArgs:
 
     @property
     @pulumi.getter(name="customTags")
-    def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Custom tags to set on the secret managed at the destination.
         """
         return pulumi.get(self, "custom_tags")
 
     @custom_tags.setter
-    def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "custom_tags", value)
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "external_id", value)
+
+    @property
+    @pulumi.getter
+    def granularity(self) -> Optional[pulumi.Input[str]]:
+        """
+        Determines what level of information is synced as a distinct resource 
+        at the destination. Supports `secret-path` and `secret-key`.
+        """
+        return pulumi.get(self, "granularity")
+
+    @granularity.setter
+    def granularity(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "granularity", value)
+
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
@@ -99,7 +154,7 @@ class SyncAwsDestinationArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -121,6 +176,22 @@ class SyncAwsDestinationArgs:
     def region(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "region", value)
 
+    @property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role, 
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+
+    @role_arn.setter
+    def role_arn(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "role_arn", value)
+
     @property
     @pulumi.getter(name="secretAccessKey")
     def secret_access_key(self) -> Optional[pulumi.Input[str]]:
@@ -153,10 +224,13 @@ class SyncAwsDestinationArgs:
 class _SyncAwsDestinationState:
     def __init__(__self__, *,
                  access_key_id: Optional[pulumi.Input[str]] = None,
-                 custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
+                 granularity: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None,
                  type: Optional[pulumi.Input[str]] = None):
@@ -165,14 +239,26 @@ class _SyncAwsDestinationState:
         :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
-        :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource 
+               at the destination. Supports `secret-path` and `secret-key`.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -184,12 +270,18 @@ class _SyncAwsDestinationState:
             pulumi.set(__self__, "access_key_id", access_key_id)
         if custom_tags is not None:
             pulumi.set(__self__, "custom_tags", custom_tags)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
+        if granularity is not None:
+            pulumi.set(__self__, "granularity", granularity)
         if name is not None:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
         if region is not None:
             pulumi.set(__self__, "region", region)
+        if role_arn is not None:
+            pulumi.set(__self__, "role_arn", role_arn)
         if secret_access_key is not None:
             pulumi.set(__self__, "secret_access_key", secret_access_key)
         if secret_name_template is not None:
@@ -213,16 +305,45 @@ class _SyncAwsDestinationState:
 
     @property
     @pulumi.getter(name="customTags")
-    def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Custom tags to set on the secret managed at the destination.
         """
         return pulumi.get(self, "custom_tags")
 
     @custom_tags.setter
-    def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "custom_tags", value)
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "external_id", value)
+
+    @property
+    @pulumi.getter
+    def granularity(self) -> Optional[pulumi.Input[str]]:
+        """
+        Determines what level of information is synced as a distinct resource 
+        at the destination. Supports `secret-path` and `secret-key`.
+        """
+        return pulumi.get(self, "granularity")
+
+    @granularity.setter
+    def granularity(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "granularity", value)
+
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
@@ -241,7 +362,7 @@ class _SyncAwsDestinationState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -263,6 +384,22 @@ class _SyncAwsDestinationState:
     def region(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "region", value)
 
+    @property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role, 
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+
+    @role_arn.setter
+    def role_arn(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "role_arn", value)
+
     @property
     @pulumi.getter(name="secretAccessKey")
     def secret_access_key(self) -> Optional[pulumi.Input[str]]:
@@ -309,10 +446,13 @@ class SyncAwsDestination(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  access_key_id: Optional[pulumi.Input[str]] = None,
-                 custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
+                 granularity: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None,
                  __props__=None):
@@ -324,9 +464,12 @@ class SyncAwsDestination(pulumi.CustomResource):
         import pulumi_vault as vault
 
         aws = vault.secrets.SyncAwsDestination("aws",
-            access_key_id=var["access_key_id"],
-            secret_access_key=var["secret_access_key"],
+            name="aws-dest",
+            access_key_id=access_key_id,
+            secret_access_key=secret_access_key,
             region="us-east-1",
+            role_arn="role-arn",
+            external_id="external-id",
             secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
             custom_tags={
                 "foo": "bar",
@@ -338,7 +481,7 @@ class SyncAwsDestination(pulumi.CustomResource):
         AWS Secrets sync destinations can be imported using the `name`, e.g.
 
         ```sh
-         $ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
+        $ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
         ```
 
         :param str resource_name: The name of the resource.
@@ -346,14 +489,26 @@ class SyncAwsDestination(pulumi.CustomResource):
         :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
-        :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource 
+               at the destination. Supports `secret-path` and `secret-key`.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -374,9 +529,12 @@ class SyncAwsDestination(pulumi.CustomResource):
         import pulumi_vault as vault
 
         aws = vault.secrets.SyncAwsDestination("aws",
-            access_key_id=var["access_key_id"],
-            secret_access_key=var["secret_access_key"],
+            name="aws-dest",
+            access_key_id=access_key_id,
+            secret_access_key=secret_access_key,
             region="us-east-1",
+            role_arn="role-arn",
+            external_id="external-id",
             secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
             custom_tags={
                 "foo": "bar",
@@ -388,7 +546,7 @@ class SyncAwsDestination(pulumi.CustomResource):
         AWS Secrets sync destinations can be imported using the `name`, e.g.
 
         ```sh
-         $ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
+        $ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
         ```
 
         :param str resource_name: The name of the resource.
@@ -407,10 +565,13 @@ class SyncAwsDestination(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  access_key_id: Optional[pulumi.Input[str]] = None,
-                 custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
+                 granularity: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None,
                  __props__=None):
@@ -424,9 +585,12 @@ class SyncAwsDestination(pulumi.CustomResource):
 
             __props__.__dict__["access_key_id"] = access_key_id
             __props__.__dict__["custom_tags"] = custom_tags
+            __props__.__dict__["external_id"] = external_id
+            __props__.__dict__["granularity"] = granularity
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["region"] = region
+            __props__.__dict__["role_arn"] = role_arn
             __props__.__dict__["secret_access_key"] = None if secret_access_key is None else pulumi.Output.secret(secret_access_key)
             __props__.__dict__["secret_name_template"] = secret_name_template
             __props__.__dict__["type"] = None
@@ -443,10 +607,13 @@ class SyncAwsDestination(pulumi.CustomResource):
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
             access_key_id: Optional[pulumi.Input[str]] = None,
-            custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+            external_id: Optional[pulumi.Input[str]] = None,
+            granularity: Optional[pulumi.Input[str]] = None,
             name: Optional[pulumi.Input[str]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
             region: Optional[pulumi.Input[str]] = None,
+            role_arn: Optional[pulumi.Input[str]] = None,
             secret_access_key: Optional[pulumi.Input[str]] = None,
             secret_name_template: Optional[pulumi.Input[str]] = None,
             type: Optional[pulumi.Input[str]] = None) -> 'SyncAwsDestination':
@@ -460,14 +627,26 @@ class SyncAwsDestination(pulumi.CustomResource):
         :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
-        :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource 
+               at the destination. Supports `secret-path` and `secret-key`.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -481,9 +660,12 @@ class SyncAwsDestination(pulumi.CustomResource):
 
         __props__.__dict__["access_key_id"] = access_key_id
         __props__.__dict__["custom_tags"] = custom_tags
+        __props__.__dict__["external_id"] = external_id
+        __props__.__dict__["granularity"] = granularity
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["region"] = region
+        __props__.__dict__["role_arn"] = role_arn
         __props__.__dict__["secret_access_key"] = secret_access_key
         __props__.__dict__["secret_name_template"] = secret_name_template
         __props__.__dict__["type"] = type
@@ -501,12 +683,33 @@ class SyncAwsDestination(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="customTags")
-    def custom_tags(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def custom_tags(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Custom tags to set on the secret managed at the destination.
         """
         return pulumi.get(self, "custom_tags")
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> pulumi.Output[Optional[str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+
+    @property
+    @pulumi.getter
+    def granularity(self) -> pulumi.Output[Optional[str]]:
+        """
+        Determines what level of information is synced as a distinct resource 
+        at the destination. Supports `secret-path` and `secret-key`.
+        """
+        return pulumi.get(self, "granularity")
+
     @property
     @pulumi.getter
     def name(self) -> pulumi.Output[str]:
@@ -521,7 +724,7 @@ class SyncAwsDestination(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -535,6 +738,18 @@ class SyncAwsDestination(pulumi.CustomResource):
         """
         return pulumi.get(self, "region")
 
+    @property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> pulumi.Output[Optional[str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role, 
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+
     @property
     @pulumi.getter(name="secretAccessKey")
     def secret_access_key(self) -> pulumi.Output[Optional[str]]: