pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +26 -9
- pulumi_vault/ad/secret_backend.py +16 -142
- pulumi_vault/ad/secret_library.py +16 -9
- pulumi_vault/ad/secret_role.py +14 -9
- pulumi_vault/alicloud/auth_backend_role.py +76 -190
- pulumi_vault/approle/auth_backend_login.py +12 -7
- pulumi_vault/approle/auth_backend_role.py +77 -191
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
- pulumi_vault/audit.py +30 -21
- pulumi_vault/audit_request_header.py +11 -2
- pulumi_vault/auth_backend.py +66 -14
- pulumi_vault/aws/auth_backend_cert.py +18 -9
- pulumi_vault/aws/auth_backend_client.py +267 -22
- pulumi_vault/aws/auth_backend_config_identity.py +14 -9
- pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +77 -191
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
- pulumi_vault/aws/auth_backend_sts_role.py +14 -9
- pulumi_vault/aws/get_access_credentials.py +38 -9
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +77 -9
- pulumi_vault/aws/secret_backend_role.py +185 -9
- pulumi_vault/aws/secret_backend_static_role.py +20 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +153 -15
- pulumi_vault/azure/auth_backend_role.py +77 -191
- pulumi_vault/azure/backend.py +227 -21
- pulumi_vault/azure/backend_role.py +42 -37
- pulumi_vault/azure/get_access_credentials.py +41 -7
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -267
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +28 -19
- pulumi_vault/consul/secret_backend_role.py +18 -78
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +119 -112
- pulumi_vault/database/secret_backend_role.py +31 -22
- pulumi_vault/database/secret_backend_static_role.py +87 -13
- pulumi_vault/database/secrets_mount.py +427 -136
- pulumi_vault/egp_policy.py +16 -11
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +250 -33
- pulumi_vault/gcp/auth_backend_role.py +77 -269
- pulumi_vault/gcp/get_auth_backend_role.py +43 -5
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -12
- pulumi_vault/gcp/secret_impersonated_account.py +76 -15
- pulumi_vault/gcp/secret_roleset.py +31 -24
- pulumi_vault/gcp/secret_static_account.py +39 -32
- pulumi_vault/generic/endpoint.py +24 -17
- pulumi_vault/generic/get_secret.py +64 -8
- pulumi_vault/generic/secret.py +21 -16
- pulumi_vault/get_auth_backend.py +24 -7
- pulumi_vault/get_auth_backends.py +51 -9
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -11
- pulumi_vault/get_policy_document.py +34 -19
- pulumi_vault/get_raft_autopilot_state.py +29 -10
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +19 -14
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +16 -11
- pulumi_vault/github/user.py +16 -11
- pulumi_vault/identity/entity.py +20 -13
- pulumi_vault/identity/entity_alias.py +20 -13
- pulumi_vault/identity/entity_policies.py +28 -11
- pulumi_vault/identity/get_entity.py +42 -10
- pulumi_vault/identity/get_group.py +47 -9
- pulumi_vault/identity/get_oidc_client_creds.py +21 -7
- pulumi_vault/identity/get_oidc_openid_config.py +39 -9
- pulumi_vault/identity/get_oidc_public_keys.py +29 -10
- pulumi_vault/identity/group.py +58 -39
- pulumi_vault/identity/group_alias.py +16 -9
- pulumi_vault/identity/group_member_entity_ids.py +28 -66
- pulumi_vault/identity/group_member_group_ids.py +40 -19
- pulumi_vault/identity/group_policies.py +20 -7
- pulumi_vault/identity/mfa_duo.py +11 -6
- pulumi_vault/identity/mfa_login_enforcement.py +15 -6
- pulumi_vault/identity/mfa_okta.py +11 -6
- pulumi_vault/identity/mfa_pingid.py +7 -2
- pulumi_vault/identity/mfa_totp.py +7 -2
- pulumi_vault/identity/oidc.py +12 -7
- pulumi_vault/identity/oidc_assignment.py +24 -11
- pulumi_vault/identity/oidc_client.py +36 -23
- pulumi_vault/identity/oidc_key.py +30 -17
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
- pulumi_vault/identity/oidc_provider.py +36 -21
- pulumi_vault/identity/oidc_role.py +42 -21
- pulumi_vault/identity/oidc_scope.py +20 -13
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +45 -40
- pulumi_vault/jwt/auth_backend_role.py +133 -254
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +24 -19
- pulumi_vault/kmip/secret_role.py +14 -9
- pulumi_vault/kmip/secret_scope.py +14 -9
- pulumi_vault/kubernetes/auth_backend_config.py +57 -5
- pulumi_vault/kubernetes/auth_backend_role.py +70 -177
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -11
- pulumi_vault/kubernetes/secret_backend.py +316 -27
- pulumi_vault/kubernetes/secret_backend_role.py +137 -46
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +25 -8
- pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
- pulumi_vault/kv/get_secret_v2.py +85 -9
- pulumi_vault/kv/get_secrets_list.py +24 -11
- pulumi_vault/kv/get_secrets_list_v2.py +37 -15
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +23 -16
- pulumi_vault/kv/secret_backend_v2.py +20 -11
- pulumi_vault/kv/secret_v2.py +59 -50
- pulumi_vault/ldap/auth_backend.py +127 -166
- pulumi_vault/ldap/auth_backend_group.py +14 -9
- pulumi_vault/ldap/auth_backend_user.py +14 -9
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +354 -82
- pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
- pulumi_vault/ldap/secret_backend_library_set.py +16 -9
- pulumi_vault/ldap/secret_backend_static_role.py +73 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +29 -57
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +18 -11
- pulumi_vault/mfa_okta.py +18 -11
- pulumi_vault/mfa_pingid.py +18 -11
- pulumi_vault/mfa_totp.py +24 -17
- pulumi_vault/mongodbatlas/secret_backend.py +20 -15
- pulumi_vault/mongodbatlas/secret_role.py +47 -38
- pulumi_vault/mount.py +391 -51
- pulumi_vault/namespace.py +68 -83
- pulumi_vault/nomad_secret_backend.py +18 -13
- pulumi_vault/nomad_secret_role.py +14 -9
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +485 -39
- pulumi_vault/okta/auth_backend_group.py +14 -9
- pulumi_vault/okta/auth_backend_user.py +14 -9
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +20 -13
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
- pulumi_vault/pkisecret/get_backend_key.py +24 -9
- pulumi_vault/pkisecret/get_backend_keys.py +21 -8
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
- pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
- pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
- pulumi_vault/pkisecret/secret_backend_key.py +14 -9
- pulumi_vault/pkisecret/secret_backend_role.py +21 -14
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +14 -9
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +60 -6
- pulumi_vault/quota_rate_limit.py +56 -2
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +18 -13
- pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
- pulumi_vault/raft_autopilot.py +14 -9
- pulumi_vault/raft_snapshot_agent_config.py +129 -224
- pulumi_vault/rgp_policy.py +14 -9
- pulumi_vault/saml/auth_backend.py +22 -17
- pulumi_vault/saml/auth_backend_role.py +92 -197
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -71
- pulumi_vault/secrets/sync_aws_destination.py +242 -27
- pulumi_vault/secrets/sync_azure_destination.py +92 -31
- pulumi_vault/secrets/sync_config.py +9 -4
- pulumi_vault/secrets/sync_gcp_destination.py +158 -25
- pulumi_vault/secrets/sync_gh_destination.py +189 -13
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +74 -13
- pulumi_vault/ssh/_inputs.py +28 -28
- pulumi_vault/ssh/outputs.py +11 -28
- pulumi_vault/ssh/secret_backend_ca.py +108 -9
- pulumi_vault/ssh/secret_backend_role.py +85 -118
- pulumi_vault/terraformcloud/secret_backend.py +7 -54
- pulumi_vault/terraformcloud/secret_creds.py +14 -20
- pulumi_vault/terraformcloud/secret_role.py +16 -74
- pulumi_vault/token.py +28 -23
- pulumi_vault/tokenauth/auth_backend_role.py +78 -199
- pulumi_vault/transform/alphabet.py +16 -9
- pulumi_vault/transform/get_decode.py +45 -17
- pulumi_vault/transform/get_encode.py +45 -17
- pulumi_vault/transform/role.py +16 -9
- pulumi_vault/transform/template.py +30 -21
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -21
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +27 -93
- pulumi_vault/transit/secret_cache_config.py +12 -7
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from . import _utilities
|
11
16
|
|
12
17
|
__all__ = ['CertAuthBackendRoleArgs', 'CertAuthBackendRole']
|
@@ -19,7 +24,6 @@ class CertAuthBackendRoleArgs:
|
|
19
24
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
20
25
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
21
26
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
22
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
23
27
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
24
28
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
25
29
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -49,14 +53,13 @@ class CertAuthBackendRoleArgs:
|
|
49
53
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
50
54
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
51
55
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
52
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
53
56
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
54
57
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
55
58
|
:param pulumi.Input[str] display_name: The name to display on tokens issued under this role.
|
56
59
|
:param pulumi.Input[str] name: Name of the role
|
57
60
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
58
61
|
The value should not contain leading or trailing forward slashes.
|
59
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
62
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
60
63
|
*Available only for Vault Enterprise*.
|
61
64
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
62
65
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -77,34 +80,15 @@ class CertAuthBackendRoleArgs:
|
|
77
80
|
Requires Vault version 1.13+.
|
78
81
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
79
82
|
client certificates
|
80
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
81
|
-
|
82
|
-
|
83
|
-
:param pulumi.Input[
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
:param pulumi.Input[int]
|
88
|
-
|
89
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
90
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
91
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
92
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
93
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
94
|
-
token generated using this role should never expire. The token should be renewed within the
|
95
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
96
|
-
value of this field. Specified in seconds.
|
97
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
98
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
99
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
100
|
-
Its current value will be referenced at renewal time.
|
101
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
102
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
103
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
104
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
105
|
-
requests a different type at generation time.
|
106
|
-
|
107
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
83
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
84
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
85
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
86
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
87
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
88
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
89
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
90
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
91
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
108
92
|
"""
|
109
93
|
pulumi.set(__self__, "certificate", certificate)
|
110
94
|
if allowed_common_names is not None:
|
@@ -115,11 +99,6 @@ class CertAuthBackendRoleArgs:
|
|
115
99
|
pulumi.set(__self__, "allowed_email_sans", allowed_email_sans)
|
116
100
|
if allowed_names is not None:
|
117
101
|
pulumi.set(__self__, "allowed_names", allowed_names)
|
118
|
-
if allowed_organization_units is not None:
|
119
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
120
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
121
|
-
if allowed_organization_units is not None:
|
122
|
-
pulumi.set(__self__, "allowed_organization_units", allowed_organization_units)
|
123
102
|
if allowed_organizational_units is not None:
|
124
103
|
pulumi.set(__self__, "allowed_organizational_units", allowed_organizational_units)
|
125
104
|
if allowed_uri_sans is not None:
|
@@ -223,24 +202,11 @@ class CertAuthBackendRoleArgs:
|
|
223
202
|
def allowed_names(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
224
203
|
pulumi.set(self, "allowed_names", value)
|
225
204
|
|
226
|
-
@property
|
227
|
-
@pulumi.getter(name="allowedOrganizationUnits")
|
228
|
-
def allowed_organization_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
229
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
230
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
231
|
-
|
232
|
-
return pulumi.get(self, "allowed_organization_units")
|
233
|
-
|
234
|
-
@allowed_organization_units.setter
|
235
|
-
def allowed_organization_units(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
236
|
-
pulumi.set(self, "allowed_organization_units", value)
|
237
|
-
|
238
205
|
@property
|
239
206
|
@pulumi.getter(name="allowedOrganizationalUnits")
|
240
207
|
def allowed_organizational_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
241
208
|
"""
|
242
209
|
Allowed organization units for authenticated client certificates.
|
243
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
244
210
|
"""
|
245
211
|
return pulumi.get(self, "allowed_organizational_units")
|
246
212
|
|
@@ -302,7 +268,7 @@ class CertAuthBackendRoleArgs:
|
|
302
268
|
"""
|
303
269
|
The namespace to provision the resource in.
|
304
270
|
The value should not contain leading or trailing forward slashes.
|
305
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
271
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
306
272
|
*Available only for Vault Enterprise*.
|
307
273
|
"""
|
308
274
|
return pulumi.get(self, "namespace")
|
@@ -400,9 +366,7 @@ class CertAuthBackendRoleArgs:
|
|
400
366
|
@pulumi.getter(name="tokenBoundCidrs")
|
401
367
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
402
368
|
"""
|
403
|
-
|
404
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
405
|
-
as well.
|
369
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
406
370
|
"""
|
407
371
|
return pulumi.get(self, "token_bound_cidrs")
|
408
372
|
|
@@ -414,10 +378,7 @@ class CertAuthBackendRoleArgs:
|
|
414
378
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
415
379
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
416
380
|
"""
|
417
|
-
|
418
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
419
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
420
|
-
`token_max_ttl` would otherwise allow a renewal.
|
381
|
+
Generated Token's Explicit Maximum TTL in seconds
|
421
382
|
"""
|
422
383
|
return pulumi.get(self, "token_explicit_max_ttl")
|
423
384
|
|
@@ -429,8 +390,7 @@ class CertAuthBackendRoleArgs:
|
|
429
390
|
@pulumi.getter(name="tokenMaxTtl")
|
430
391
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
431
392
|
"""
|
432
|
-
The maximum lifetime
|
433
|
-
Its current value will be referenced at renewal time.
|
393
|
+
The maximum lifetime of the generated token
|
434
394
|
"""
|
435
395
|
return pulumi.get(self, "token_max_ttl")
|
436
396
|
|
@@ -442,8 +402,7 @@ class CertAuthBackendRoleArgs:
|
|
442
402
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
443
403
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
444
404
|
"""
|
445
|
-
If
|
446
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
405
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
447
406
|
"""
|
448
407
|
return pulumi.get(self, "token_no_default_policy")
|
449
408
|
|
@@ -455,8 +414,7 @@ class CertAuthBackendRoleArgs:
|
|
455
414
|
@pulumi.getter(name="tokenNumUses")
|
456
415
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
457
416
|
"""
|
458
|
-
The
|
459
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
417
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
460
418
|
"""
|
461
419
|
return pulumi.get(self, "token_num_uses")
|
462
420
|
|
@@ -468,10 +426,7 @@ class CertAuthBackendRoleArgs:
|
|
468
426
|
@pulumi.getter(name="tokenPeriod")
|
469
427
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
470
428
|
"""
|
471
|
-
|
472
|
-
token generated using this role should never expire. The token should be renewed within the
|
473
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
474
|
-
value of this field. Specified in seconds.
|
429
|
+
Generated Token's Period
|
475
430
|
"""
|
476
431
|
return pulumi.get(self, "token_period")
|
477
432
|
|
@@ -483,8 +438,7 @@ class CertAuthBackendRoleArgs:
|
|
483
438
|
@pulumi.getter(name="tokenPolicies")
|
484
439
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
485
440
|
"""
|
486
|
-
|
487
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
441
|
+
Generated Token's Policies
|
488
442
|
"""
|
489
443
|
return pulumi.get(self, "token_policies")
|
490
444
|
|
@@ -496,8 +450,7 @@ class CertAuthBackendRoleArgs:
|
|
496
450
|
@pulumi.getter(name="tokenTtl")
|
497
451
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
498
452
|
"""
|
499
|
-
The
|
500
|
-
Its current value will be referenced at renewal time.
|
453
|
+
The initial ttl of the token to generate in seconds
|
501
454
|
"""
|
502
455
|
return pulumi.get(self, "token_ttl")
|
503
456
|
|
@@ -509,13 +462,7 @@ class CertAuthBackendRoleArgs:
|
|
509
462
|
@pulumi.getter(name="tokenType")
|
510
463
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
511
464
|
"""
|
512
|
-
The type of token
|
513
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
514
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
515
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
516
|
-
requests a different type at generation time.
|
517
|
-
|
518
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
465
|
+
The type of token to generate, service or batch
|
519
466
|
"""
|
520
467
|
return pulumi.get(self, "token_type")
|
521
468
|
|
@@ -531,7 +478,6 @@ class _CertAuthBackendRoleState:
|
|
531
478
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
532
479
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
533
480
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
534
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
535
481
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
536
482
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
537
483
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -561,7 +507,6 @@ class _CertAuthBackendRoleState:
|
|
561
507
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
562
508
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
563
509
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
564
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
565
510
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
566
511
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
567
512
|
:param pulumi.Input[str] certificate: CA certificate used to validate client certificates
|
@@ -569,7 +514,7 @@ class _CertAuthBackendRoleState:
|
|
569
514
|
:param pulumi.Input[str] name: Name of the role
|
570
515
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
571
516
|
The value should not contain leading or trailing forward slashes.
|
572
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
517
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
573
518
|
*Available only for Vault Enterprise*.
|
574
519
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
575
520
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -590,34 +535,15 @@ class _CertAuthBackendRoleState:
|
|
590
535
|
Requires Vault version 1.13+.
|
591
536
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
592
537
|
client certificates
|
593
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
594
|
-
|
595
|
-
|
596
|
-
:param pulumi.Input[
|
597
|
-
|
598
|
-
|
599
|
-
|
600
|
-
:param pulumi.Input[int]
|
601
|
-
|
602
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
603
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
604
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
605
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
606
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
607
|
-
token generated using this role should never expire. The token should be renewed within the
|
608
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
609
|
-
value of this field. Specified in seconds.
|
610
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
611
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
612
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
613
|
-
Its current value will be referenced at renewal time.
|
614
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
615
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
616
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
617
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
618
|
-
requests a different type at generation time.
|
619
|
-
|
620
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
538
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
539
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
540
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
541
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
542
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
543
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
544
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
545
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
546
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
621
547
|
"""
|
622
548
|
if allowed_common_names is not None:
|
623
549
|
pulumi.set(__self__, "allowed_common_names", allowed_common_names)
|
@@ -627,11 +553,6 @@ class _CertAuthBackendRoleState:
|
|
627
553
|
pulumi.set(__self__, "allowed_email_sans", allowed_email_sans)
|
628
554
|
if allowed_names is not None:
|
629
555
|
pulumi.set(__self__, "allowed_names", allowed_names)
|
630
|
-
if allowed_organization_units is not None:
|
631
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
632
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
633
|
-
if allowed_organization_units is not None:
|
634
|
-
pulumi.set(__self__, "allowed_organization_units", allowed_organization_units)
|
635
556
|
if allowed_organizational_units is not None:
|
636
557
|
pulumi.set(__self__, "allowed_organizational_units", allowed_organizational_units)
|
637
558
|
if allowed_uri_sans is not None:
|
@@ -725,24 +646,11 @@ class _CertAuthBackendRoleState:
|
|
725
646
|
def allowed_names(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
726
647
|
pulumi.set(self, "allowed_names", value)
|
727
648
|
|
728
|
-
@property
|
729
|
-
@pulumi.getter(name="allowedOrganizationUnits")
|
730
|
-
def allowed_organization_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
731
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
732
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
733
|
-
|
734
|
-
return pulumi.get(self, "allowed_organization_units")
|
735
|
-
|
736
|
-
@allowed_organization_units.setter
|
737
|
-
def allowed_organization_units(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
738
|
-
pulumi.set(self, "allowed_organization_units", value)
|
739
|
-
|
740
649
|
@property
|
741
650
|
@pulumi.getter(name="allowedOrganizationalUnits")
|
742
651
|
def allowed_organizational_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
743
652
|
"""
|
744
653
|
Allowed organization units for authenticated client certificates.
|
745
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
746
654
|
"""
|
747
655
|
return pulumi.get(self, "allowed_organizational_units")
|
748
656
|
|
@@ -816,7 +724,7 @@ class _CertAuthBackendRoleState:
|
|
816
724
|
"""
|
817
725
|
The namespace to provision the resource in.
|
818
726
|
The value should not contain leading or trailing forward slashes.
|
819
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
727
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
820
728
|
*Available only for Vault Enterprise*.
|
821
729
|
"""
|
822
730
|
return pulumi.get(self, "namespace")
|
@@ -914,9 +822,7 @@ class _CertAuthBackendRoleState:
|
|
914
822
|
@pulumi.getter(name="tokenBoundCidrs")
|
915
823
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
916
824
|
"""
|
917
|
-
|
918
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
919
|
-
as well.
|
825
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
920
826
|
"""
|
921
827
|
return pulumi.get(self, "token_bound_cidrs")
|
922
828
|
|
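Review bot: The new `token_bound_cidrs` docstring says only which addresses may use the generated token, while the text it replaces also stated that the same blocks limit which addresses can authenticate. Someone sizing the login surface of a cert role from this docstring loses that. If the field still behaves that way, the docstring could read `Specifies the blocks of IP addresses which are allowed to authenticate and to use the generated token`. The `token_explicit_max_ttl` hunk right after has the same kind of loss (the removed text called it a hard cap even if `token_ttl` and `token_max_ttl` would allow a renewal), as do the matching `:param` lines and the `CertAuthBackendRole` getters further down. The getter's first decorator is presumably just above the hunk.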
@@ -928,10 +834,7 @@ class _CertAuthBackendRoleState:
|
|
928
834
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
929
835
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
930
836
|
"""
|
931
|
-
|
932
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
933
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
934
|
-
`token_max_ttl` would otherwise allow a renewal.
|
837
|
+
Generated Token's Explicit Maximum TTL in seconds
|
935
838
|
"""
|
936
839
|
return pulumi.get(self, "token_explicit_max_ttl")
|
937
840
|
|
@@ -943,8 +846,7 @@ class _CertAuthBackendRoleState:
|
|
943
846
|
@pulumi.getter(name="tokenMaxTtl")
|
944
847
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
945
848
|
"""
|
946
|
-
The maximum lifetime
|
947
|
-
Its current value will be referenced at renewal time.
|
849
|
+
The maximum lifetime of the generated token
|
948
850
|
"""
|
949
851
|
return pulumi.get(self, "token_max_ttl")
|
950
852
|
|
@@ -956,8 +858,7 @@ class _CertAuthBackendRoleState:
|
|
956
858
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
957
859
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
958
860
|
"""
|
959
|
-
If
|
960
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
861
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
961
862
|
"""
|
962
863
|
return pulumi.get(self, "token_no_default_policy")
|
963
864
|
|
@@ -969,8 +870,7 @@ class _CertAuthBackendRoleState:
|
|
969
870
|
@pulumi.getter(name="tokenNumUses")
|
970
871
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
971
872
|
"""
|
972
|
-
The
|
973
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
873
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
974
874
|
"""
|
975
875
|
return pulumi.get(self, "token_num_uses")
|
976
876
|
|
@@ -982,10 +882,7 @@ class _CertAuthBackendRoleState:
|
|
982
882
|
@pulumi.getter(name="tokenPeriod")
|
983
883
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
984
884
|
"""
|
985
|
-
|
986
|
-
token generated using this role should never expire. The token should be renewed within the
|
987
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
988
|
-
value of this field. Specified in seconds.
|
885
|
+
Generated Token's Period
|
989
886
|
"""
|
990
887
|
return pulumi.get(self, "token_period")
|
991
888
|
|
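Review bot: `Generated Token's Period` no longer gives the unit or the effect of setting the field. The removed lines said the value is in seconds and that a token issued with a period never expires as long as it is renewed within that duration, which is the property a reviewer needs in order to spot long-lived credentials in a role definition. Suggested docstring, assuming the behaviour is unchanged: `Generated Token's Period in seconds; a periodic token does not expire while it is renewed within this duration`. The same wording recurs in the `token_period` `:param` lines and in the `CertAuthBackendRole.token_period` getter.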
@@ -997,8 +894,7 @@ class _CertAuthBackendRoleState:
|
|
997
894
|
@pulumi.getter(name="tokenPolicies")
|
998
895
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
999
896
|
"""
|
1000
|
-
|
1001
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
897
|
+
Generated Token's Policies
|
1002
898
|
"""
|
1003
899
|
return pulumi.get(self, "token_policies")
|
1004
900
|
|
@@ -1010,8 +906,7 @@ class _CertAuthBackendRoleState:
|
|
1010
906
|
@pulumi.getter(name="tokenTtl")
|
1011
907
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
1012
908
|
"""
|
1013
|
-
The
|
1014
|
-
Its current value will be referenced at renewal time.
|
909
|
+
The initial ttl of the token to generate in seconds
|
1015
910
|
"""
|
1016
911
|
return pulumi.get(self, "token_ttl")
|
1017
912
|
|
@@ -1023,13 +918,7 @@ class _CertAuthBackendRoleState:
|
|
1023
918
|
@pulumi.getter(name="tokenType")
|
1024
919
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
1025
920
|
"""
|
1026
|
-
The type of token
|
1027
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1028
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1029
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1030
|
-
requests a different type at generation time.
|
1031
|
-
|
1032
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
921
|
+
The type of token to generate, service or batch
|
1033
922
|
"""
|
1034
923
|
return pulumi.get(self, "token_type")
|
1035
924
|
|
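Review bot: The new `token_type` docstring lists `service or batch` only, while the removed text also named `default` (the mount's tuned default) and, for token store roles, `default-service` and `default-batch`. If those values are still accepted, the shortened text reads as an exhaustive list and hides that a role left on `default` defers the choice to the mount. Suggested wording: `The type of token to generate: service, batch, or default to use the mount's tuned default`. The hunk also drops the pointer to the Vault Cert API documentation. The same applies to the `token_type` `:param` lines and the `CertAuthBackendRole.token_type` getter.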
@@ -1047,7 +936,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1047
936
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1048
937
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1049
938
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1050
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1051
939
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1052
940
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1053
941
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -1078,14 +966,16 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1078
966
|
|
1079
967
|
```python
|
1080
968
|
import pulumi
|
969
|
+
import pulumi_std as std
|
1081
970
|
import pulumi_vault as vault
|
1082
971
|
|
1083
|
-
|
972
|
+
cert = vault.AuthBackend("cert",
|
1084
973
|
path="cert",
|
1085
974
|
type="cert")
|
1086
|
-
cert_cert_auth_backend_role = vault.CertAuthBackendRole("
|
1087
|
-
|
1088
|
-
|
975
|
+
cert_cert_auth_backend_role = vault.CertAuthBackendRole("cert",
|
976
|
+
name="foo",
|
977
|
+
certificate=std.file(input="/path/to/certs/ca-cert.pem").result,
|
978
|
+
backend=cert.path,
|
1089
979
|
allowed_names=[
|
1090
980
|
"foo.example.org",
|
1091
981
|
"baz.example.org",
|
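Review bot: The updated example still constrains client certificates with `allowed_names`, which the `:param` documentation further down in this file marks as deprecated in favour of the individual `allowed_X_sans` parameters. Examples get copied into real role definitions, so it would be better to show one of the replacements, for instance `allowed_dns_sans=[` in place of `allowed_names=[`, choosing the parameter that matches where the client certificates carry these names. The example continues past the end of the hunk, and the second copy of it in the later `@@ -1173` hunk needs the same change.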
@@ -1102,7 +992,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1102
992
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
1103
993
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
1104
994
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
1105
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
1106
995
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
1107
996
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
1108
997
|
:param pulumi.Input[str] certificate: CA certificate used to validate client certificates
|
@@ -1110,7 +999,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1110
999
|
:param pulumi.Input[str] name: Name of the role
|
1111
1000
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1112
1001
|
The value should not contain leading or trailing forward slashes.
|
1113
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1002
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1114
1003
|
*Available only for Vault Enterprise*.
|
1115
1004
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
1116
1005
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -1131,34 +1020,15 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1131
1020
|
Requires Vault version 1.13+.
|
1132
1021
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
1133
1022
|
client certificates
|
1134
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1135
|
-
|
1136
|
-
|
1137
|
-
:param pulumi.Input[
|
1138
|
-
|
1139
|
-
|
1140
|
-
|
1141
|
-
:param pulumi.Input[int]
|
1142
|
-
|
1143
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1144
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1145
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
1146
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1147
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1148
|
-
token generated using this role should never expire. The token should be renewed within the
|
1149
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1150
|
-
value of this field. Specified in seconds.
|
1151
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1152
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1153
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1154
|
-
Its current value will be referenced at renewal time.
|
1155
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1156
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1157
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1158
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1159
|
-
requests a different type at generation time.
|
1160
|
-
|
1161
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
1023
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1024
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1025
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1026
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1027
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1028
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1029
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1030
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1031
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1162
1032
|
"""
|
1163
1033
|
...
|
1164
1034
|
@overload
|
@@ -1173,14 +1043,16 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1173
1043
|
|
1174
1044
|
```python
|
1175
1045
|
import pulumi
|
1046
|
+
import pulumi_std as std
|
1176
1047
|
import pulumi_vault as vault
|
1177
1048
|
|
1178
|
-
|
1049
|
+
cert = vault.AuthBackend("cert",
|
1179
1050
|
path="cert",
|
1180
1051
|
type="cert")
|
1181
|
-
cert_cert_auth_backend_role = vault.CertAuthBackendRole("
|
1182
|
-
|
1183
|
-
|
1052
|
+
cert_cert_auth_backend_role = vault.CertAuthBackendRole("cert",
|
1053
|
+
name="foo",
|
1054
|
+
certificate=std.file(input="/path/to/certs/ca-cert.pem").result,
|
1055
|
+
backend=cert.path,
|
1184
1056
|
allowed_names=[
|
1185
1057
|
"foo.example.org",
|
1186
1058
|
"baz.example.org",
|
@@ -1209,7 +1081,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1209
1081
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1210
1082
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1211
1083
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1212
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1213
1084
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1214
1085
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1215
1086
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -1245,7 +1116,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1245
1116
|
__props__.__dict__["allowed_dns_sans"] = allowed_dns_sans
|
1246
1117
|
__props__.__dict__["allowed_email_sans"] = allowed_email_sans
|
1247
1118
|
__props__.__dict__["allowed_names"] = allowed_names
|
1248
|
-
__props__.__dict__["allowed_organization_units"] = allowed_organization_units
|
1249
1119
|
__props__.__dict__["allowed_organizational_units"] = allowed_organizational_units
|
1250
1120
|
__props__.__dict__["allowed_uri_sans"] = allowed_uri_sans
|
1251
1121
|
__props__.__dict__["backend"] = backend
|
@@ -1284,7 +1154,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1284
1154
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1285
1155
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1286
1156
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1287
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1288
1157
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1289
1158
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1290
1159
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -1319,7 +1188,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1319
1188
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
1320
1189
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
1321
1190
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
1322
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
1323
1191
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
1324
1192
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
1325
1193
|
:param pulumi.Input[str] certificate: CA certificate used to validate client certificates
|
@@ -1327,7 +1195,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1327
1195
|
:param pulumi.Input[str] name: Name of the role
|
1328
1196
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1329
1197
|
The value should not contain leading or trailing forward slashes.
|
1330
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1198
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1331
1199
|
*Available only for Vault Enterprise*.
|
1332
1200
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
1333
1201
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -1348,34 +1216,15 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1348
1216
|
Requires Vault version 1.13+.
|
1349
1217
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
1350
1218
|
client certificates
|
1351
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1352
|
-
|
1353
|
-
|
1354
|
-
:param pulumi.Input[
|
1355
|
-
|
1356
|
-
|
1357
|
-
|
1358
|
-
:param pulumi.Input[int]
|
1359
|
-
|
1360
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1361
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1362
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
1363
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1364
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1365
|
-
token generated using this role should never expire. The token should be renewed within the
|
1366
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1367
|
-
value of this field. Specified in seconds.
|
1368
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1369
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1370
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1371
|
-
Its current value will be referenced at renewal time.
|
1372
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1373
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1374
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1375
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1376
|
-
requests a different type at generation time.
|
1377
|
-
|
1378
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
1219
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1220
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1221
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1222
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1223
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1224
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1225
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1226
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1227
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1379
1228
|
"""
|
1380
1229
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
1381
1230
|
|
@@ -1385,7 +1234,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1385
1234
|
__props__.__dict__["allowed_dns_sans"] = allowed_dns_sans
|
1386
1235
|
__props__.__dict__["allowed_email_sans"] = allowed_email_sans
|
1387
1236
|
__props__.__dict__["allowed_names"] = allowed_names
|
1388
|
-
__props__.__dict__["allowed_organization_units"] = allowed_organization_units
|
1389
1237
|
__props__.__dict__["allowed_organizational_units"] = allowed_organizational_units
|
1390
1238
|
__props__.__dict__["allowed_uri_sans"] = allowed_uri_sans
|
1391
1239
|
__props__.__dict__["backend"] = backend
|
@@ -1442,20 +1290,11 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1442
1290
|
"""
|
1443
1291
|
return pulumi.get(self, "allowed_names")
|
1444
1292
|
|
1445
|
-
@property
|
1446
|
-
@pulumi.getter(name="allowedOrganizationUnits")
|
1447
|
-
def allowed_organization_units(self) -> pulumi.Output[Sequence[str]]:
|
1448
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
1449
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
1450
|
-
|
1451
|
-
return pulumi.get(self, "allowed_organization_units")
|
1452
|
-
|
1453
1293
|
@property
|
1454
1294
|
@pulumi.getter(name="allowedOrganizationalUnits")
|
1455
1295
|
def allowed_organizational_units(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1456
1296
|
"""
|
1457
1297
|
Allowed organization units for authenticated client certificates.
|
1458
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
1459
1298
|
"""
|
1460
1299
|
return pulumi.get(self, "allowed_organizational_units")
|
1461
1300
|
|
@@ -1505,7 +1344,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1505
1344
|
"""
|
1506
1345
|
The namespace to provision the resource in.
|
1507
1346
|
The value should not contain leading or trailing forward slashes.
|
1508
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1347
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1509
1348
|
*Available only for Vault Enterprise*.
|
1510
1349
|
"""
|
1511
1350
|
return pulumi.get(self, "namespace")
|
@@ -1575,9 +1414,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1575
1414
|
@pulumi.getter(name="tokenBoundCidrs")
|
1576
1415
|
def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1577
1416
|
"""
|
1578
|
-
|
1579
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
1580
|
-
as well.
|
1417
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
1581
1418
|
"""
|
1582
1419
|
return pulumi.get(self, "token_bound_cidrs")
|
1583
1420
|
|
@@ -1585,10 +1422,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1585
1422
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
1586
1423
|
def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1587
1424
|
"""
|
1588
|
-
|
1589
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
1590
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
1591
|
-
`token_max_ttl` would otherwise allow a renewal.
|
1425
|
+
Generated Token's Explicit Maximum TTL in seconds
|
1592
1426
|
"""
|
1593
1427
|
return pulumi.get(self, "token_explicit_max_ttl")
|
1594
1428
|
|
@@ -1596,8 +1430,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1596
1430
|
@pulumi.getter(name="tokenMaxTtl")
|
1597
1431
|
def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1598
1432
|
"""
|
1599
|
-
The maximum lifetime
|
1600
|
-
Its current value will be referenced at renewal time.
|
1433
|
+
The maximum lifetime of the generated token
|
1601
1434
|
"""
|
1602
1435
|
return pulumi.get(self, "token_max_ttl")
|
1603
1436
|
|
@@ -1605,8 +1438,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1605
1438
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
1606
1439
|
def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
|
1607
1440
|
"""
|
1608
|
-
If
|
1609
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1441
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
1610
1442
|
"""
|
1611
1443
|
return pulumi.get(self, "token_no_default_policy")
|
1612
1444
|
|
@@ -1614,8 +1446,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1614
1446
|
@pulumi.getter(name="tokenNumUses")
|
1615
1447
|
def token_num_uses(self) -> pulumi.Output[Optional[int]]:
|
1616
1448
|
"""
|
1617
|
-
The
|
1618
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1449
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
1619
1450
|
"""
|
1620
1451
|
return pulumi.get(self, "token_num_uses")
|
1621
1452
|
|
@@ -1623,10 +1454,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1623
1454
|
@pulumi.getter(name="tokenPeriod")
|
1624
1455
|
def token_period(self) -> pulumi.Output[Optional[int]]:
|
1625
1456
|
"""
|
1626
|
-
|
1627
|
-
token generated using this role should never expire. The token should be renewed within the
|
1628
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1629
|
-
value of this field. Specified in seconds.
|
1457
|
+
Generated Token's Period
|
1630
1458
|
"""
|
1631
1459
|
return pulumi.get(self, "token_period")
|
1632
1460
|
|
@@ -1634,8 +1462,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1634
1462
|
@pulumi.getter(name="tokenPolicies")
|
1635
1463
|
def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1636
1464
|
"""
|
1637
|
-
|
1638
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1465
|
+
Generated Token's Policies
|
1639
1466
|
"""
|
1640
1467
|
return pulumi.get(self, "token_policies")
|
1641
1468
|
|
@@ -1643,8 +1470,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1643
1470
|
@pulumi.getter(name="tokenTtl")
|
1644
1471
|
def token_ttl(self) -> pulumi.Output[Optional[int]]:
|
1645
1472
|
"""
|
1646
|
-
The
|
1647
|
-
Its current value will be referenced at renewal time.
|
1473
|
+
The initial ttl of the token to generate in seconds
|
1648
1474
|
"""
|
1649
1475
|
return pulumi.get(self, "token_ttl")
|
1650
1476
|
|
@@ -1652,13 +1478,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1652
1478
|
@pulumi.getter(name="tokenType")
|
1653
1479
|
def token_type(self) -> pulumi.Output[Optional[str]]:
|
1654
1480
|
"""
|
1655
|
-
The type of token
|
1656
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1657
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1658
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1659
|
-
requests a different type at generation time.
|
1660
|
-
|
1661
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
1481
|
+
The type of token to generate, service or batch
|
1662
1482
|
"""
|
1663
1483
|
return pulumi.get(self, "token_type")
|
1664
1484
|
|