pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0__py3-none-any.whl

pulumi_vault/ssh/secret_backend_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 from . import outputs
 from ._inputs import *
@@ -20,6 +25,7 @@ class SecretBackendRoleArgs:
                  key_type: pulumi.Input[str],
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -29,12 +35,11 @@ class SecretBackendRoleArgs:
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
                  allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -49,6 +54,9 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[str] key_type: Specifies the type of credentials generated by this role. This can be either `otp`, `dynamic` or `ca`.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -61,14 +69,11 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -76,7 +81,7 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -87,6 +92,8 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "algorithm_signer", algorithm_signer)
         if allow_bare_domains is not None:
             pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+        if allow_empty_principals is not None:
+            pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
         if allow_host_certificates is not None:
             pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
         if allow_subdomains is not None:
@@ -105,11 +112,6 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "allowed_extensions", allowed_extensions)
         if allowed_user_key_configs is not None:
             pulumi.set(__self__, "allowed_user_key_configs", allowed_user_key_configs)
-        if allowed_user_key_lengths is not None:
-            warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-            pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        if allowed_user_key_lengths is not None:
-            pulumi.set(__self__, "allowed_user_key_lengths", allowed_user_key_lengths)
         if allowed_users is not None:
             pulumi.set(__self__, "allowed_users", allowed_users)
         if allowed_users_template is not None:
@@ -185,6 +187,20 @@ class SecretBackendRoleArgs:
     def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "allow_bare_domains", value)
 
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Allow signing certificates with no
+        valid principals (e.g. any valid principal). For backwards compatibility
+        only. The default of false is highly recommended.
+        """
+        return pulumi.get(self, "allow_empty_principals")
+
+    @allow_empty_principals.setter
+    def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "allow_empty_principals", value)
+
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -296,23 +312,6 @@ class SecretBackendRoleArgs:
     def allowed_user_key_configs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]]):
         pulumi.set(self, "allowed_user_key_configs", value)
 
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which 
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-
-        return pulumi.get(self, "allowed_user_key_lengths")
-
-    @allowed_user_key_lengths.setter
-    def allowed_user_key_lengths(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]):
-        pulumi.set(self, "allowed_user_key_lengths", value)
-
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> Optional[pulumi.Input[str]]:
@@ -351,26 +350,26 @@ class SecretBackendRoleArgs:
 
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
         return pulumi.get(self, "default_critical_options")
 
     @default_critical_options.setter
-    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_critical_options", value)
 
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
         return pulumi.get(self, "default_extensions")
 
     @default_extensions.setter
-    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_extensions", value)
 
     @property
@@ -439,7 +438,7 @@ class SecretBackendRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -478,6 +477,7 @@ class _SecretBackendRoleState:
     def __init__(__self__, *,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -487,13 +487,12 @@ class _SecretBackendRoleState:
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
                  allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -507,6 +506,9 @@ class _SecretBackendRoleState:
         Input properties used for looking up and filtering SecretBackendRole resources.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -519,15 +521,12 @@ class _SecretBackendRoleState:
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -536,7 +535,7 @@ class _SecretBackendRoleState:
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -545,6 +544,8 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "algorithm_signer", algorithm_signer)
         if allow_bare_domains is not None:
             pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+        if allow_empty_principals is not None:
+            pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
         if allow_host_certificates is not None:
             pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
         if allow_subdomains is not None:
@@ -563,11 +564,6 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "allowed_extensions", allowed_extensions)
         if allowed_user_key_configs is not None:
             pulumi.set(__self__, "allowed_user_key_configs", allowed_user_key_configs)
-        if allowed_user_key_lengths is not None:
-            warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-            pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        if allowed_user_key_lengths is not None:
-            pulumi.set(__self__, "allowed_user_key_lengths", allowed_user_key_lengths)
         if allowed_users is not None:
             pulumi.set(__self__, "allowed_users", allowed_users)
         if allowed_users_template is not None:
@@ -623,6 +619,20 @@ class _SecretBackendRoleState:
     def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "allow_bare_domains", value)
 
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Allow signing certificates with no
+        valid principals (e.g. any valid principal). For backwards compatibility
+        only. The default of false is highly recommended.
+        """
+        return pulumi.get(self, "allow_empty_principals")
+
+    @allow_empty_principals.setter
+    def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "allow_empty_principals", value)
+
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -734,23 +744,6 @@ class _SecretBackendRoleState:
     def allowed_user_key_configs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]]):
         pulumi.set(self, "allowed_user_key_configs", value)
 
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which 
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-
-        return pulumi.get(self, "allowed_user_key_lengths")
-
-    @allowed_user_key_lengths.setter
-    def allowed_user_key_lengths(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]):
-        pulumi.set(self, "allowed_user_key_lengths", value)
-
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> Optional[pulumi.Input[str]]:
@@ -801,26 +794,26 @@ class _SecretBackendRoleState:
 
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
         return pulumi.get(self, "default_critical_options")
 
     @default_critical_options.setter
-    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_critical_options", value)
 
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
         return pulumi.get(self, "default_extensions")
 
     @default_extensions.setter
-    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_extensions", value)
 
     @property
@@ -901,7 +894,7 @@ class _SecretBackendRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -942,6 +935,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -950,14 +944,13 @@ class SecretBackendRole(pulumi.CustomResource):
                  allowed_domains: Optional[pulumi.Input[str]] = None,
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
-                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -980,10 +973,12 @@ class SecretBackendRole(pulumi.CustomResource):
 
         example = vault.Mount("example", type="ssh")
         foo = vault.ssh.SecretBackendRole("foo",
+            name="my-role",
             backend=example.path,
             key_type="ca",
             allow_user_certificates=True)
         bar = vault.ssh.SecretBackendRole("bar",
+            name="otp-role",
             backend=example.path,
             key_type="otp",
             default_user="default",
@@ -996,13 +991,16 @@ class SecretBackendRole(pulumi.CustomResource):
         SSH secret backend roles can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:ssh/secretBackendRole:SecretBackendRole foo ssh/roles/my-role
+        $ pulumi import vault:ssh/secretBackendRole:SecretBackendRole foo ssh/roles/my-role
         ```
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -1012,18 +1010,15 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[bool] allowed_domains_template: Specifies if `allowed_domains` can be declared using
                identity template policies. Non-templated domains are also permitted.
         :param pulumi.Input[str] allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when signed.
-        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
+        :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -1032,7 +1027,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -1055,10 +1050,12 @@ class SecretBackendRole(pulumi.CustomResource):
 
         example = vault.Mount("example", type="ssh")
         foo = vault.ssh.SecretBackendRole("foo",
+            name="my-role",
             backend=example.path,
             key_type="ca",
             allow_user_certificates=True)
         bar = vault.ssh.SecretBackendRole("bar",
+            name="otp-role",
             backend=example.path,
             key_type="otp",
             default_user="default",
@@ -1071,7 +1068,7 @@ class SecretBackendRole(pulumi.CustomResource):
         SSH secret backend roles can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:ssh/secretBackendRole:SecretBackendRole foo ssh/roles/my-role
+        $ pulumi import vault:ssh/secretBackendRole:SecretBackendRole foo ssh/roles/my-role
         ```
 
         :param str resource_name: The name of the resource.
@@ -1091,6 +1088,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1099,14 +1097,13 @@ class SecretBackendRole(pulumi.CustomResource):
                  allowed_domains: Optional[pulumi.Input[str]] = None,
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
-                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -1127,6 +1124,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
             __props__.__dict__["algorithm_signer"] = algorithm_signer
             __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+            __props__.__dict__["allow_empty_principals"] = allow_empty_principals
             __props__.__dict__["allow_host_certificates"] = allow_host_certificates
             __props__.__dict__["allow_subdomains"] = allow_subdomains
             __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1136,7 +1134,6 @@ class SecretBackendRole(pulumi.CustomResource):
             __props__.__dict__["allowed_domains_template"] = allowed_domains_template
             __props__.__dict__["allowed_extensions"] = allowed_extensions
             __props__.__dict__["allowed_user_key_configs"] = allowed_user_key_configs
-            __props__.__dict__["allowed_user_key_lengths"] = allowed_user_key_lengths
             __props__.__dict__["allowed_users"] = allowed_users
             __props__.__dict__["allowed_users_template"] = allowed_users_template
             if backend is None and not opts.urn:
@@ -1168,6 +1165,7 @@ class SecretBackendRole(pulumi.CustomResource):
             opts: Optional[pulumi.ResourceOptions] = None,
             algorithm_signer: Optional[pulumi.Input[str]] = None,
             allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+            allow_empty_principals: Optional[pulumi.Input[bool]] = None,
             allow_host_certificates: Optional[pulumi.Input[bool]] = None,
             allow_subdomains: Optional[pulumi.Input[bool]] = None,
             allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1176,14 +1174,13 @@ class SecretBackendRole(pulumi.CustomResource):
             allowed_domains: Optional[pulumi.Input[str]] = None,
             allowed_domains_template: Optional[pulumi.Input[bool]] = None,
             allowed_extensions: Optional[pulumi.Input[str]] = None,
-            allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-            allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+            allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
             allowed_users: Optional[pulumi.Input[str]] = None,
             allowed_users_template: Optional[pulumi.Input[bool]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             cidr_list: Optional[pulumi.Input[str]] = None,
-            default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-            default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+            default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             default_user: Optional[pulumi.Input[str]] = None,
             default_user_template: Optional[pulumi.Input[bool]] = None,
             key_id_format: Optional[pulumi.Input[str]] = None,
@@ -1202,6 +1199,9 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -1211,18 +1211,15 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[bool] allowed_domains_template: Specifies if `allowed_domains` can be declared using
                identity template policies. Non-templated domains are also permitted.
         :param pulumi.Input[str] allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when signed.
-        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
+        :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -1231,7 +1228,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -1242,6 +1239,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
         __props__.__dict__["algorithm_signer"] = algorithm_signer
         __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+        __props__.__dict__["allow_empty_principals"] = allow_empty_principals
         __props__.__dict__["allow_host_certificates"] = allow_host_certificates
         __props__.__dict__["allow_subdomains"] = allow_subdomains
         __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1251,7 +1249,6 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["allowed_domains_template"] = allowed_domains_template
         __props__.__dict__["allowed_extensions"] = allowed_extensions
         __props__.__dict__["allowed_user_key_configs"] = allowed_user_key_configs
-        __props__.__dict__["allowed_user_key_lengths"] = allowed_user_key_lengths
         __props__.__dict__["allowed_users"] = allowed_users
         __props__.__dict__["allowed_users_template"] = allowed_users_template
         __props__.__dict__["backend"] = backend
@@ -1285,6 +1282,16 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "allow_bare_domains")
 
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> pulumi.Output[Optional[bool]]:
+        """
+        Allow signing certificates with no
+        valid principals (e.g. any valid principal). For backwards compatibility
+        only. The default of false is highly recommended.
+        """
+        return pulumi.get(self, "allow_empty_principals")
+
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> pulumi.Output[Optional[bool]]:
@@ -1360,19 +1367,6 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "allowed_user_key_configs")
 
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> pulumi.Output[Optional[Mapping[str, int]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which 
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-
-        return pulumi.get(self, "allowed_user_key_lengths")
-
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> pulumi.Output[Optional[str]]:
@@ -1407,7 +1401,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def default_critical_options(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
@@ -1415,7 +1409,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def default_extensions(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
@@ -1475,7 +1469,7 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")