pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

pulumi_vault/azure/_inputs.py

@@ -4,16 +4,32 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = [
     'BackendRoleAzureGroupArgs',
+    'BackendRoleAzureGroupArgsDict',
     'BackendRoleAzureRoleArgs',
+    'BackendRoleAzureRoleArgsDict',
 ]
 
+MYPY = False
+
+if not MYPY:
+    class BackendRoleAzureGroupArgsDict(TypedDict):
+        group_name: pulumi.Input[str]
+        object_id: NotRequired[pulumi.Input[str]]
+elif False:
+    BackendRoleAzureGroupArgsDict: TypeAlias = Mapping[str, Any]
+
 @pulumi.input_type
 class BackendRoleAzureGroupArgs:
     def __init__(__self__, *,
@@ -42,6 +58,14 @@ class BackendRoleAzureGroupArgs:
         pulumi.set(self, "object_id", value)
 
 
+if not MYPY:
+    class BackendRoleAzureRoleArgsDict(TypedDict):
+        scope: pulumi.Input[str]
+        role_id: NotRequired[pulumi.Input[str]]
+        role_name: NotRequired[pulumi.Input[str]]
+elif False:
+    BackendRoleAzureRoleArgsDict: TypeAlias = Mapping[str, Any]
+
 @pulumi.input_type
 class BackendRoleAzureRoleArgs:
     def __init__(__self__, *,

pulumi_vault/azure/auth_backend_config.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['AuthBackendConfigArgs', 'AuthBackendConfig']
@@ -20,6 +25,8 @@ class AuthBackendConfigArgs:
                  client_id: Optional[pulumi.Input[str]] = None,
                  client_secret: Optional[pulumi.Input[str]] = None,
                  environment: Optional[pulumi.Input[str]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a AuthBackendConfig resource.
@@ -36,9 +43,12 @@ class AuthBackendConfigArgs:
         :param pulumi.Input[str] environment: The Azure cloud environment. Valid values:
                AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud,
                AzureGermanCloud.  Defaults to `AzurePublicCloud`.
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity tokens. Requires Vault 1.17+.
+               *Available only for Vault Enterprise*
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         """
         pulumi.set(__self__, "resource", resource)
@@ -51,6 +61,10 @@ class AuthBackendConfigArgs:
             pulumi.set(__self__, "client_secret", client_secret)
         if environment is not None:
             pulumi.set(__self__, "environment", environment)
+        if identity_token_audience is not None:
+            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
+        if identity_token_ttl is not None:
+            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
 
@@ -133,13 +147,38 @@ class AuthBackendConfigArgs:
     def environment(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "environment", value)
 
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
+        """
+        The audience claim value for plugin identity tokens. Requires Vault 1.17+.
+        *Available only for Vault Enterprise*
+        """
+        return pulumi.get(self, "identity_token_audience")
+
+    @identity_token_audience.setter
+    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_audience", value)
+
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
+        """
+        The TTL of generated identity tokens in seconds.
+        """
+        return pulumi.get(self, "identity_token_ttl")
+
+    @identity_token_ttl.setter
+    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "identity_token_ttl", value)
+
     @property
     @pulumi.getter
     def namespace(self) -> Optional[pulumi.Input[str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -156,6 +195,8 @@ class _AuthBackendConfigState:
                  client_id: Optional[pulumi.Input[str]] = None,
                  client_secret: Optional[pulumi.Input[str]] = None,
                  environment: Optional[pulumi.Input[str]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  resource: Optional[pulumi.Input[str]] = None,
                  tenant_id: Optional[pulumi.Input[str]] = None):
@@ -170,9 +211,12 @@ class _AuthBackendConfigState:
         :param pulumi.Input[str] environment: The Azure cloud environment. Valid values:
                AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud,
                AzureGermanCloud.  Defaults to `AzurePublicCloud`.
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity tokens. Requires Vault 1.17+.
+               *Available only for Vault Enterprise*
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] resource: The configured URL for the application registered in
                Azure Active Directory.
@@ -187,6 +231,10 @@ class _AuthBackendConfigState:
             pulumi.set(__self__, "client_secret", client_secret)
         if environment is not None:
             pulumi.set(__self__, "environment", environment)
+        if identity_token_audience is not None:
+            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
+        if identity_token_ttl is not None:
+            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
         if resource is not None:
@@ -247,13 +295,38 @@ class _AuthBackendConfigState:
     def environment(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "environment", value)
 
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
+        """
+        The audience claim value for plugin identity tokens. Requires Vault 1.17+.
+        *Available only for Vault Enterprise*
+        """
+        return pulumi.get(self, "identity_token_audience")
+
+    @identity_token_audience.setter
+    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_audience", value)
+
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
+        """
+        The TTL of generated identity tokens in seconds.
+        """
+        return pulumi.get(self, "identity_token_ttl")
+
+    @identity_token_ttl.setter
+    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "identity_token_ttl", value)
+
     @property
     @pulumi.getter
     def namespace(self) -> Optional[pulumi.Input[str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -298,6 +371,8 @@ class AuthBackendConfig(pulumi.CustomResource):
                  client_id: Optional[pulumi.Input[str]] = None,
                  client_secret: Optional[pulumi.Input[str]] = None,
                  environment: Optional[pulumi.Input[str]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  resource: Optional[pulumi.Input[str]] = None,
                  tenant_id: Optional[pulumi.Input[str]] = None,
@@ -305,13 +380,29 @@ class AuthBackendConfig(pulumi.CustomResource):
         """
         ## Example Usage
 
+        You can setup the Azure auth engine with Workload Identity Federation (WIF) for a secret-less configuration:
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+
+        example = vault.AuthBackend("example",
+            type="azure",
+            identity_token_key="example-key")
+        example_auth_backend_config = vault.azure.AuthBackendConfig("example",
+            backend=example.path,
+            tenant_id="11111111-2222-3333-4444-555555555555",
+            client_id="11111111-2222-3333-4444-555555555555",
+            identity_token_audience="<TOKEN_AUDIENCE>",
+            identity_token_ttl="<TOKEN_TTL>")
+        ```
+
         ```python
         import pulumi
         import pulumi_vault as vault
 
-        example_auth_backend = vault.AuthBackend("exampleAuthBackend", type="azure")
-        example_auth_backend_config = vault.azure.AuthBackendConfig("exampleAuthBackendConfig",
-            backend=example_auth_backend.path,
+        example = vault.AuthBackend("example", type="azure")
+        example_auth_backend_config = vault.azure.AuthBackendConfig("example",
+            backend=example.path,
             tenant_id="11111111-2222-3333-4444-555555555555",
             client_id="11111111-2222-3333-4444-555555555555",
             client_secret="01234567890123456789",
@@ -323,7 +414,7 @@ class AuthBackendConfig(pulumi.CustomResource):
         Azure auth backends can be imported using `auth/`, the `backend` path, and `/config` e.g.
 
         ```sh
-         $ pulumi import vault:azure/authBackendConfig:AuthBackendConfig example auth/azure/config
+        $ pulumi import vault:azure/authBackendConfig:AuthBackendConfig example auth/azure/config
         ```
 
         :param str resource_name: The name of the resource.
@@ -337,9 +428,12 @@ class AuthBackendConfig(pulumi.CustomResource):
         :param pulumi.Input[str] environment: The Azure cloud environment. Valid values:
                AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud,
                AzureGermanCloud.  Defaults to `AzurePublicCloud`.
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity tokens. Requires Vault 1.17+.
+               *Available only for Vault Enterprise*
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] resource: The configured URL for the application registered in
                Azure Active Directory.
@@ -355,13 +449,29 @@ class AuthBackendConfig(pulumi.CustomResource):
         """
         ## Example Usage
 
+        You can setup the Azure auth engine with Workload Identity Federation (WIF) for a secret-less configuration:
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+
+        example = vault.AuthBackend("example",
+            type="azure",
+            identity_token_key="example-key")
+        example_auth_backend_config = vault.azure.AuthBackendConfig("example",
+            backend=example.path,
+            tenant_id="11111111-2222-3333-4444-555555555555",
+            client_id="11111111-2222-3333-4444-555555555555",
+            identity_token_audience="<TOKEN_AUDIENCE>",
+            identity_token_ttl="<TOKEN_TTL>")
+        ```
+
         ```python
         import pulumi
         import pulumi_vault as vault
 
-        example_auth_backend = vault.AuthBackend("exampleAuthBackend", type="azure")
-        example_auth_backend_config = vault.azure.AuthBackendConfig("exampleAuthBackendConfig",
-            backend=example_auth_backend.path,
+        example = vault.AuthBackend("example", type="azure")
+        example_auth_backend_config = vault.azure.AuthBackendConfig("example",
+            backend=example.path,
             tenant_id="11111111-2222-3333-4444-555555555555",
             client_id="11111111-2222-3333-4444-555555555555",
             client_secret="01234567890123456789",
@@ -373,7 +483,7 @@ class AuthBackendConfig(pulumi.CustomResource):
         Azure auth backends can be imported using `auth/`, the `backend` path, and `/config` e.g.
 
         ```sh
-         $ pulumi import vault:azure/authBackendConfig:AuthBackendConfig example auth/azure/config
+        $ pulumi import vault:azure/authBackendConfig:AuthBackendConfig example auth/azure/config
         ```
 
         :param str resource_name: The name of the resource.
@@ -395,6 +505,8 @@ class AuthBackendConfig(pulumi.CustomResource):
                  client_id: Optional[pulumi.Input[str]] = None,
                  client_secret: Optional[pulumi.Input[str]] = None,
                  environment: Optional[pulumi.Input[str]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  resource: Optional[pulumi.Input[str]] = None,
                  tenant_id: Optional[pulumi.Input[str]] = None,
@@ -411,6 +523,8 @@ class AuthBackendConfig(pulumi.CustomResource):
             __props__.__dict__["client_id"] = None if client_id is None else pulumi.Output.secret(client_id)
             __props__.__dict__["client_secret"] = None if client_secret is None else pulumi.Output.secret(client_secret)
             __props__.__dict__["environment"] = environment
+            __props__.__dict__["identity_token_audience"] = identity_token_audience
+            __props__.__dict__["identity_token_ttl"] = identity_token_ttl
             __props__.__dict__["namespace"] = namespace
             if resource is None and not opts.urn:
                 raise TypeError("Missing required property 'resource'")
@@ -434,6 +548,8 @@ class AuthBackendConfig(pulumi.CustomResource):
             client_id: Optional[pulumi.Input[str]] = None,
             client_secret: Optional[pulumi.Input[str]] = None,
             environment: Optional[pulumi.Input[str]] = None,
+            identity_token_audience: Optional[pulumi.Input[str]] = None,
+            identity_token_ttl: Optional[pulumi.Input[int]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
             resource: Optional[pulumi.Input[str]] = None,
             tenant_id: Optional[pulumi.Input[str]] = None) -> 'AuthBackendConfig':
@@ -453,9 +569,12 @@ class AuthBackendConfig(pulumi.CustomResource):
         :param pulumi.Input[str] environment: The Azure cloud environment. Valid values:
                AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud,
                AzureGermanCloud.  Defaults to `AzurePublicCloud`.
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity tokens. Requires Vault 1.17+.
+               *Available only for Vault Enterprise*
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] resource: The configured URL for the application registered in
                Azure Active Directory.
@@ -470,6 +589,8 @@ class AuthBackendConfig(pulumi.CustomResource):
         __props__.__dict__["client_id"] = client_id
         __props__.__dict__["client_secret"] = client_secret
         __props__.__dict__["environment"] = environment
+        __props__.__dict__["identity_token_audience"] = identity_token_audience
+        __props__.__dict__["identity_token_ttl"] = identity_token_ttl
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["resource"] = resource
         __props__.__dict__["tenant_id"] = tenant_id
@@ -512,13 +633,30 @@ class AuthBackendConfig(pulumi.CustomResource):
         """
         return pulumi.get(self, "environment")
 
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
+        """
+        The audience claim value for plugin identity tokens. Requires Vault 1.17+.
+        *Available only for Vault Enterprise*
+        """
+        return pulumi.get(self, "identity_token_audience")
+
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> pulumi.Output[int]:
+        """
+        The TTL of generated identity tokens in seconds.
+        """
+        return pulumi.get(self, "identity_token_ttl")
+
     @property
     @pulumi.getter
     def namespace(self) -> pulumi.Output[Optional[str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")