pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +26 -9
- pulumi_vault/ad/secret_backend.py +16 -142
- pulumi_vault/ad/secret_library.py +16 -9
- pulumi_vault/ad/secret_role.py +14 -9
- pulumi_vault/alicloud/auth_backend_role.py +76 -190
- pulumi_vault/approle/auth_backend_login.py +12 -7
- pulumi_vault/approle/auth_backend_role.py +77 -191
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
- pulumi_vault/audit.py +30 -21
- pulumi_vault/audit_request_header.py +11 -2
- pulumi_vault/auth_backend.py +66 -14
- pulumi_vault/aws/auth_backend_cert.py +18 -9
- pulumi_vault/aws/auth_backend_client.py +267 -22
- pulumi_vault/aws/auth_backend_config_identity.py +14 -9
- pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +77 -191
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
- pulumi_vault/aws/auth_backend_sts_role.py +14 -9
- pulumi_vault/aws/get_access_credentials.py +38 -9
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +77 -9
- pulumi_vault/aws/secret_backend_role.py +185 -9
- pulumi_vault/aws/secret_backend_static_role.py +20 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +153 -15
- pulumi_vault/azure/auth_backend_role.py +77 -191
- pulumi_vault/azure/backend.py +227 -21
- pulumi_vault/azure/backend_role.py +42 -37
- pulumi_vault/azure/get_access_credentials.py +41 -7
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -267
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +28 -19
- pulumi_vault/consul/secret_backend_role.py +18 -78
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +119 -112
- pulumi_vault/database/secret_backend_role.py +31 -22
- pulumi_vault/database/secret_backend_static_role.py +87 -13
- pulumi_vault/database/secrets_mount.py +427 -136
- pulumi_vault/egp_policy.py +16 -11
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +250 -33
- pulumi_vault/gcp/auth_backend_role.py +77 -269
- pulumi_vault/gcp/get_auth_backend_role.py +43 -5
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -12
- pulumi_vault/gcp/secret_impersonated_account.py +76 -15
- pulumi_vault/gcp/secret_roleset.py +31 -24
- pulumi_vault/gcp/secret_static_account.py +39 -32
- pulumi_vault/generic/endpoint.py +24 -17
- pulumi_vault/generic/get_secret.py +64 -8
- pulumi_vault/generic/secret.py +21 -16
- pulumi_vault/get_auth_backend.py +24 -7
- pulumi_vault/get_auth_backends.py +51 -9
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -11
- pulumi_vault/get_policy_document.py +34 -19
- pulumi_vault/get_raft_autopilot_state.py +29 -10
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +19 -14
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +16 -11
- pulumi_vault/github/user.py +16 -11
- pulumi_vault/identity/entity.py +20 -13
- pulumi_vault/identity/entity_alias.py +20 -13
- pulumi_vault/identity/entity_policies.py +28 -11
- pulumi_vault/identity/get_entity.py +42 -10
- pulumi_vault/identity/get_group.py +47 -9
- pulumi_vault/identity/get_oidc_client_creds.py +21 -7
- pulumi_vault/identity/get_oidc_openid_config.py +39 -9
- pulumi_vault/identity/get_oidc_public_keys.py +29 -10
- pulumi_vault/identity/group.py +58 -39
- pulumi_vault/identity/group_alias.py +16 -9
- pulumi_vault/identity/group_member_entity_ids.py +28 -66
- pulumi_vault/identity/group_member_group_ids.py +40 -19
- pulumi_vault/identity/group_policies.py +20 -7
- pulumi_vault/identity/mfa_duo.py +11 -6
- pulumi_vault/identity/mfa_login_enforcement.py +15 -6
- pulumi_vault/identity/mfa_okta.py +11 -6
- pulumi_vault/identity/mfa_pingid.py +7 -2
- pulumi_vault/identity/mfa_totp.py +7 -2
- pulumi_vault/identity/oidc.py +12 -7
- pulumi_vault/identity/oidc_assignment.py +24 -11
- pulumi_vault/identity/oidc_client.py +36 -23
- pulumi_vault/identity/oidc_key.py +30 -17
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
- pulumi_vault/identity/oidc_provider.py +36 -21
- pulumi_vault/identity/oidc_role.py +42 -21
- pulumi_vault/identity/oidc_scope.py +20 -13
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +45 -40
- pulumi_vault/jwt/auth_backend_role.py +133 -254
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +24 -19
- pulumi_vault/kmip/secret_role.py +14 -9
- pulumi_vault/kmip/secret_scope.py +14 -9
- pulumi_vault/kubernetes/auth_backend_config.py +57 -5
- pulumi_vault/kubernetes/auth_backend_role.py +70 -177
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -11
- pulumi_vault/kubernetes/secret_backend.py +316 -27
- pulumi_vault/kubernetes/secret_backend_role.py +137 -46
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +25 -8
- pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
- pulumi_vault/kv/get_secret_v2.py +85 -9
- pulumi_vault/kv/get_secrets_list.py +24 -11
- pulumi_vault/kv/get_secrets_list_v2.py +37 -15
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +23 -16
- pulumi_vault/kv/secret_backend_v2.py +20 -11
- pulumi_vault/kv/secret_v2.py +59 -50
- pulumi_vault/ldap/auth_backend.py +127 -166
- pulumi_vault/ldap/auth_backend_group.py +14 -9
- pulumi_vault/ldap/auth_backend_user.py +14 -9
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +354 -82
- pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
- pulumi_vault/ldap/secret_backend_library_set.py +16 -9
- pulumi_vault/ldap/secret_backend_static_role.py +73 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +29 -57
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +18 -11
- pulumi_vault/mfa_okta.py +18 -11
- pulumi_vault/mfa_pingid.py +18 -11
- pulumi_vault/mfa_totp.py +24 -17
- pulumi_vault/mongodbatlas/secret_backend.py +20 -15
- pulumi_vault/mongodbatlas/secret_role.py +47 -38
- pulumi_vault/mount.py +391 -51
- pulumi_vault/namespace.py +68 -83
- pulumi_vault/nomad_secret_backend.py +18 -13
- pulumi_vault/nomad_secret_role.py +14 -9
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +485 -39
- pulumi_vault/okta/auth_backend_group.py +14 -9
- pulumi_vault/okta/auth_backend_user.py +14 -9
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +20 -13
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
- pulumi_vault/pkisecret/get_backend_key.py +24 -9
- pulumi_vault/pkisecret/get_backend_keys.py +21 -8
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
- pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
- pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
- pulumi_vault/pkisecret/secret_backend_key.py +14 -9
- pulumi_vault/pkisecret/secret_backend_role.py +21 -14
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +14 -9
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +60 -6
- pulumi_vault/quota_rate_limit.py +56 -2
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +18 -13
- pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
- pulumi_vault/raft_autopilot.py +14 -9
- pulumi_vault/raft_snapshot_agent_config.py +129 -224
- pulumi_vault/rgp_policy.py +14 -9
- pulumi_vault/saml/auth_backend.py +22 -17
- pulumi_vault/saml/auth_backend_role.py +92 -197
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -71
- pulumi_vault/secrets/sync_aws_destination.py +242 -27
- pulumi_vault/secrets/sync_azure_destination.py +92 -31
- pulumi_vault/secrets/sync_config.py +9 -4
- pulumi_vault/secrets/sync_gcp_destination.py +158 -25
- pulumi_vault/secrets/sync_gh_destination.py +189 -13
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +74 -13
- pulumi_vault/ssh/_inputs.py +28 -28
- pulumi_vault/ssh/outputs.py +11 -28
- pulumi_vault/ssh/secret_backend_ca.py +108 -9
- pulumi_vault/ssh/secret_backend_role.py +85 -118
- pulumi_vault/terraformcloud/secret_backend.py +7 -54
- pulumi_vault/terraformcloud/secret_creds.py +14 -20
- pulumi_vault/terraformcloud/secret_role.py +16 -74
- pulumi_vault/token.py +28 -23
- pulumi_vault/tokenauth/auth_backend_role.py +78 -199
- pulumi_vault/transform/alphabet.py +16 -9
- pulumi_vault/transform/get_decode.py +45 -17
- pulumi_vault/transform/get_encode.py +45 -17
- pulumi_vault/transform/role.py +16 -9
- pulumi_vault/transform/template.py +30 -21
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -21
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +27 -93
- pulumi_vault/transit/secret_cache_config.py +12 -7
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
|
@@ -17,7 +22,7 @@ class SecretBackendRoleArgs:
|
|
17
22
|
backend: pulumi.Input[str],
|
18
23
|
creation_statements: pulumi.Input[Sequence[pulumi.Input[str]]],
|
19
24
|
db_name: pulumi.Input[str],
|
20
|
-
credential_config: Optional[pulumi.Input[Mapping[str,
|
25
|
+
credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
21
26
|
credential_type: Optional[pulumi.Input[str]] = None,
|
22
27
|
default_ttl: Optional[pulumi.Input[int]] = None,
|
23
28
|
max_ttl: Optional[pulumi.Input[int]] = None,
|
@@ -33,7 +38,7 @@ class SecretBackendRoleArgs:
|
|
33
38
|
creating a user.
|
34
39
|
:param pulumi.Input[str] db_name: The unique name of the database connection to use for
|
35
40
|
the role.
|
36
|
-
:param pulumi.Input[Mapping[str,
|
41
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
|
37
42
|
for the given `credential_type`.
|
38
43
|
|
39
44
|
The following options are available for each `credential_type` value:
|
@@ -118,7 +123,7 @@ class SecretBackendRoleArgs:
|
|
118
123
|
|
119
124
|
@property
|
120
125
|
@pulumi.getter(name="credentialConfig")
|
121
|
-
def credential_config(self) -> Optional[pulumi.Input[Mapping[str,
|
126
|
+
def credential_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
122
127
|
"""
|
123
128
|
Specifies the configuration
|
124
129
|
for the given `credential_type`.
|
@@ -128,7 +133,7 @@ class SecretBackendRoleArgs:
|
|
128
133
|
return pulumi.get(self, "credential_config")
|
129
134
|
|
130
135
|
@credential_config.setter
|
131
|
-
def credential_config(self, value: Optional[pulumi.Input[Mapping[str,
|
136
|
+
def credential_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
132
137
|
pulumi.set(self, "credential_config", value)
|
133
138
|
|
134
139
|
@property
|
@@ -243,7 +248,7 @@ class _SecretBackendRoleState:
|
|
243
248
|
def __init__(__self__, *,
|
244
249
|
backend: Optional[pulumi.Input[str]] = None,
|
245
250
|
creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
246
|
-
credential_config: Optional[pulumi.Input[Mapping[str,
|
251
|
+
credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
247
252
|
credential_type: Optional[pulumi.Input[str]] = None,
|
248
253
|
db_name: Optional[pulumi.Input[str]] = None,
|
249
254
|
default_ttl: Optional[pulumi.Input[int]] = None,
|
@@ -258,7 +263,7 @@ class _SecretBackendRoleState:
|
|
258
263
|
:param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
|
259
264
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] creation_statements: The database statements to execute when
|
260
265
|
creating a user.
|
261
|
-
:param pulumi.Input[Mapping[str,
|
266
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
|
262
267
|
for the given `credential_type`.
|
263
268
|
|
264
269
|
The following options are available for each `credential_type` value:
|
@@ -335,7 +340,7 @@ class _SecretBackendRoleState:
|
|
335
340
|
|
336
341
|
@property
|
337
342
|
@pulumi.getter(name="credentialConfig")
|
338
|
-
def credential_config(self) -> Optional[pulumi.Input[Mapping[str,
|
343
|
+
def credential_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
339
344
|
"""
|
340
345
|
Specifies the configuration
|
341
346
|
for the given `credential_type`.
|
@@ -345,7 +350,7 @@ class _SecretBackendRoleState:
|
|
345
350
|
return pulumi.get(self, "credential_config")
|
346
351
|
|
347
352
|
@credential_config.setter
|
348
|
-
def credential_config(self, value: Optional[pulumi.Input[Mapping[str,
|
353
|
+
def credential_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
349
354
|
pulumi.set(self, "credential_config", value)
|
350
355
|
|
351
356
|
@property
|
@@ -475,7 +480,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
475
480
|
opts: Optional[pulumi.ResourceOptions] = None,
|
476
481
|
backend: Optional[pulumi.Input[str]] = None,
|
477
482
|
creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
478
|
-
credential_config: Optional[pulumi.Input[Mapping[str,
|
483
|
+
credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
479
484
|
credential_type: Optional[pulumi.Input[str]] = None,
|
480
485
|
db_name: Optional[pulumi.Input[str]] = None,
|
481
486
|
default_ttl: Optional[pulumi.Input[int]] = None,
|
@@ -498,15 +503,17 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
498
503
|
type="database")
|
499
504
|
postgres = vault.database.SecretBackendConnection("postgres",
|
500
505
|
backend=db.path,
|
506
|
+
name="postgres",
|
501
507
|
allowed_roles=[
|
502
508
|
"dev",
|
503
509
|
"prod",
|
504
510
|
],
|
505
|
-
postgresql=
|
506
|
-
connection_url
|
507
|
-
)
|
511
|
+
postgresql={
|
512
|
+
"connection_url": "postgres://username:password@host:port/database",
|
513
|
+
})
|
508
514
|
role = vault.database.SecretBackendRole("role",
|
509
515
|
backend=db.path,
|
516
|
+
name="dev",
|
510
517
|
db_name=postgres.name,
|
511
518
|
creation_statements=["CREATE ROLE \\"{{name}}\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"])
|
512
519
|
```
|
@@ -516,7 +523,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
516
523
|
Database secret backend roles can be imported using the `backend`, `/roles/`, and the `name` e.g.
|
517
524
|
|
518
525
|
```sh
|
519
|
-
|
526
|
+
$ pulumi import vault:database/secretBackendRole:SecretBackendRole example postgres/roles/my-role
|
520
527
|
```
|
521
528
|
|
522
529
|
:param str resource_name: The name of the resource.
|
@@ -524,7 +531,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
524
531
|
:param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
|
525
532
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] creation_statements: The database statements to execute when
|
526
533
|
creating a user.
|
527
|
-
:param pulumi.Input[Mapping[str,
|
534
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
|
528
535
|
for the given `credential_type`.
|
529
536
|
|
530
537
|
The following options are available for each `credential_type` value:
|
@@ -567,15 +574,17 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
567
574
|
type="database")
|
568
575
|
postgres = vault.database.SecretBackendConnection("postgres",
|
569
576
|
backend=db.path,
|
577
|
+
name="postgres",
|
570
578
|
allowed_roles=[
|
571
579
|
"dev",
|
572
580
|
"prod",
|
573
581
|
],
|
574
|
-
postgresql=
|
575
|
-
connection_url
|
576
|
-
)
|
582
|
+
postgresql={
|
583
|
+
"connection_url": "postgres://username:password@host:port/database",
|
584
|
+
})
|
577
585
|
role = vault.database.SecretBackendRole("role",
|
578
586
|
backend=db.path,
|
587
|
+
name="dev",
|
579
588
|
db_name=postgres.name,
|
580
589
|
creation_statements=["CREATE ROLE \\"{{name}}\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"])
|
581
590
|
```
|
@@ -585,7 +594,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
585
594
|
Database secret backend roles can be imported using the `backend`, `/roles/`, and the `name` e.g.
|
586
595
|
|
587
596
|
```sh
|
588
|
-
|
597
|
+
$ pulumi import vault:database/secretBackendRole:SecretBackendRole example postgres/roles/my-role
|
589
598
|
```
|
590
599
|
|
591
600
|
:param str resource_name: The name of the resource.
|
@@ -605,7 +614,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
605
614
|
opts: Optional[pulumi.ResourceOptions] = None,
|
606
615
|
backend: Optional[pulumi.Input[str]] = None,
|
607
616
|
creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
608
|
-
credential_config: Optional[pulumi.Input[Mapping[str,
|
617
|
+
credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
609
618
|
credential_type: Optional[pulumi.Input[str]] = None,
|
610
619
|
db_name: Optional[pulumi.Input[str]] = None,
|
611
620
|
default_ttl: Optional[pulumi.Input[int]] = None,
|
@@ -654,7 +663,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
654
663
|
opts: Optional[pulumi.ResourceOptions] = None,
|
655
664
|
backend: Optional[pulumi.Input[str]] = None,
|
656
665
|
creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
657
|
-
credential_config: Optional[pulumi.Input[Mapping[str,
|
666
|
+
credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
658
667
|
credential_type: Optional[pulumi.Input[str]] = None,
|
659
668
|
db_name: Optional[pulumi.Input[str]] = None,
|
660
669
|
default_ttl: Optional[pulumi.Input[int]] = None,
|
@@ -674,7 +683,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
674
683
|
:param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
|
675
684
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] creation_statements: The database statements to execute when
|
676
685
|
creating a user.
|
677
|
-
:param pulumi.Input[Mapping[str,
|
686
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
|
678
687
|
for the given `credential_type`.
|
679
688
|
|
680
689
|
The following options are available for each `credential_type` value:
|
@@ -736,7 +745,7 @@ class SecretBackendRole(pulumi.CustomResource):
|
|
736
745
|
|
737
746
|
@property
|
738
747
|
@pulumi.getter(name="credentialConfig")
|
739
|
-
def credential_config(self) -> pulumi.Output[Optional[Mapping[str,
|
748
|
+
def credential_config(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
|
740
749
|
"""
|
741
750
|
Specifies the configuration
|
742
751
|
for the given `credential_type`.
|
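Review bot: The usage example in both `__init__` docstrings (new lines 512 and 583) now fills in the connection as `"connection_url": "postgres://username:password@host:port/database"`, which models embedding the database credential in the URL itself. Anyone copying the example ends up with the password in program source and, unless it is explicitly marked secret, in the stack's state and previews. The example would be safer in the templated form, `"connection_url": "postgresql://{{username}}:{{password}}@host:port/database",`, with `"username"` and `"password"` passed as separate fields and the password read through `pulumi.Config().require_secret(...)`. That is also the shape Vault's root-credential rotation works with. If this module is generated from upstream provider documentation, the change belongs in that source rather than in this file.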
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = ['SecretBackendStaticRoleArgs', 'SecretBackendStaticRole']
|
@@ -22,7 +27,8 @@ class SecretBackendStaticRoleArgs:
|
|
22
27
|
rotation_period: Optional[pulumi.Input[int]] = None,
|
23
28
|
rotation_schedule: Optional[pulumi.Input[str]] = None,
|
24
29
|
rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
25
|
-
rotation_window: Optional[pulumi.Input[int]] = None
|
30
|
+
rotation_window: Optional[pulumi.Input[int]] = None,
|
31
|
+
self_managed_password: Optional[pulumi.Input[str]] = None):
|
26
32
|
"""
|
27
33
|
The set of arguments for constructing a SecretBackendStaticRole resource.
|
28
34
|
:param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
|
@@ -43,6 +49,9 @@ class SecretBackendStaticRoleArgs:
|
|
43
49
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
|
44
50
|
:param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
|
45
51
|
from a given `rotation_schedule`.
|
52
|
+
:param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
|
53
|
+
Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
|
54
|
+
select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
|
46
55
|
"""
|
47
56
|
pulumi.set(__self__, "backend", backend)
|
48
57
|
pulumi.set(__self__, "db_name", db_name)
|
@@ -59,6 +68,8 @@ class SecretBackendStaticRoleArgs:
|
|
59
68
|
pulumi.set(__self__, "rotation_statements", rotation_statements)
|
60
69
|
if rotation_window is not None:
|
61
70
|
pulumi.set(__self__, "rotation_window", rotation_window)
|
71
|
+
if self_managed_password is not None:
|
72
|
+
pulumi.set(__self__, "self_managed_password", self_managed_password)
|
62
73
|
|
63
74
|
@property
|
64
75
|
@pulumi.getter
|
@@ -177,6 +188,20 @@ class SecretBackendStaticRoleArgs:
|
|
177
188
|
def rotation_window(self, value: Optional[pulumi.Input[int]]):
|
178
189
|
pulumi.set(self, "rotation_window", value)
|
179
190
|
|
191
|
+
@property
|
192
|
+
@pulumi.getter(name="selfManagedPassword")
|
193
|
+
def self_managed_password(self) -> Optional[pulumi.Input[str]]:
|
194
|
+
"""
|
195
|
+
The password corresponding to the username in the database.
|
196
|
+
Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
|
197
|
+
select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
|
198
|
+
"""
|
199
|
+
return pulumi.get(self, "self_managed_password")
|
200
|
+
|
201
|
+
@self_managed_password.setter
|
202
|
+
def self_managed_password(self, value: Optional[pulumi.Input[str]]):
|
203
|
+
pulumi.set(self, "self_managed_password", value)
|
204
|
+
|
180
205
|
|
181
206
|
@pulumi.input_type
|
182
207
|
class _SecretBackendStaticRoleState:
|
@@ -189,6 +214,7 @@ class _SecretBackendStaticRoleState:
|
|
189
214
|
rotation_schedule: Optional[pulumi.Input[str]] = None,
|
190
215
|
rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
191
216
|
rotation_window: Optional[pulumi.Input[int]] = None,
|
217
|
+
self_managed_password: Optional[pulumi.Input[str]] = None,
|
192
218
|
username: Optional[pulumi.Input[str]] = None):
|
193
219
|
"""
|
194
220
|
Input properties used for looking up and filtering SecretBackendStaticRole resources.
|
@@ -209,6 +235,9 @@ class _SecretBackendStaticRoleState:
|
|
209
235
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
|
210
236
|
:param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
|
211
237
|
from a given `rotation_schedule`.
|
238
|
+
:param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
|
239
|
+
Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
|
240
|
+
select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
|
212
241
|
:param pulumi.Input[str] username: The database username that this static role corresponds to.
|
213
242
|
"""
|
214
243
|
if backend is not None:
|
@@ -227,6 +256,8 @@ class _SecretBackendStaticRoleState:
|
|
227
256
|
pulumi.set(__self__, "rotation_statements", rotation_statements)
|
228
257
|
if rotation_window is not None:
|
229
258
|
pulumi.set(__self__, "rotation_window", rotation_window)
|
259
|
+
if self_managed_password is not None:
|
260
|
+
pulumi.set(__self__, "self_managed_password", self_managed_password)
|
230
261
|
if username is not None:
|
231
262
|
pulumi.set(__self__, "username", username)
|
232
263
|
|
@@ -335,6 +366,20 @@ class _SecretBackendStaticRoleState:
|
|
335
366
|
def rotation_window(self, value: Optional[pulumi.Input[int]]):
|
336
367
|
pulumi.set(self, "rotation_window", value)
|
337
368
|
|
369
|
+
@property
|
370
|
+
@pulumi.getter(name="selfManagedPassword")
|
371
|
+
def self_managed_password(self) -> Optional[pulumi.Input[str]]:
|
372
|
+
"""
|
373
|
+
The password corresponding to the username in the database.
|
374
|
+
Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
|
375
|
+
select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
|
376
|
+
"""
|
377
|
+
return pulumi.get(self, "self_managed_password")
|
378
|
+
|
379
|
+
@self_managed_password.setter
|
380
|
+
def self_managed_password(self, value: Optional[pulumi.Input[str]]):
|
381
|
+
pulumi.set(self, "self_managed_password", value)
|
382
|
+
|
338
383
|
@property
|
339
384
|
@pulumi.getter
|
340
385
|
def username(self) -> Optional[pulumi.Input[str]]:
|
@@ -361,6 +406,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
361
406
|
rotation_schedule: Optional[pulumi.Input[str]] = None,
|
362
407
|
rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
363
408
|
rotation_window: Optional[pulumi.Input[int]] = None,
|
409
|
+
self_managed_password: Optional[pulumi.Input[str]] = None,
|
364
410
|
username: Optional[pulumi.Input[str]] = None,
|
365
411
|
__props__=None):
|
366
412
|
"""
|
@@ -379,20 +425,23 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
379
425
|
type="database")
|
380
426
|
postgres = vault.database.SecretBackendConnection("postgres",
|
381
427
|
backend=db.path,
|
428
|
+
name="postgres",
|
382
429
|
allowed_roles=["*"],
|
383
|
-
postgresql=
|
384
|
-
connection_url
|
385
|
-
)
|
430
|
+
postgresql={
|
431
|
+
"connection_url": "postgres://username:password@host:port/database",
|
432
|
+
})
|
386
433
|
# configure a static role with period-based rotations
|
387
|
-
period_role = vault.database.SecretBackendStaticRole("
|
434
|
+
period_role = vault.database.SecretBackendStaticRole("period_role",
|
388
435
|
backend=db.path,
|
436
|
+
name="my-period-role",
|
389
437
|
db_name=postgres.name,
|
390
438
|
username="example",
|
391
439
|
rotation_period=3600,
|
392
440
|
rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
|
393
441
|
# configure a static role with schedule-based rotations
|
394
|
-
schedule_role = vault.database.SecretBackendStaticRole("
|
442
|
+
schedule_role = vault.database.SecretBackendStaticRole("schedule_role",
|
395
443
|
backend=db.path,
|
444
|
+
name="my-schedule-role",
|
396
445
|
db_name=postgres.name,
|
397
446
|
username="example",
|
398
447
|
rotation_schedule="0 0 * * SAT",
|
@@ -405,7 +454,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
405
454
|
Database secret backend static roles can be imported using the `backend`, `/static-roles/`, and the `name` e.g.
|
406
455
|
|
407
456
|
```sh
|
408
|
-
|
457
|
+
$ pulumi import vault:database/secretBackendStaticRole:SecretBackendStaticRole example postgres/static-roles/my-role
|
409
458
|
```
|
410
459
|
|
411
460
|
:param str resource_name: The name of the resource.
|
@@ -427,6 +476,9 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
427
476
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
|
428
477
|
:param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
|
429
478
|
from a given `rotation_schedule`.
|
479
|
+
:param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
|
480
|
+
Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
|
481
|
+
select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
|
430
482
|
:param pulumi.Input[str] username: The database username that this static role corresponds to.
|
431
483
|
"""
|
432
484
|
...
|
@@ -451,20 +503,23 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
451
503
|
type="database")
|
452
504
|
postgres = vault.database.SecretBackendConnection("postgres",
|
453
505
|
backend=db.path,
|
506
|
+
name="postgres",
|
454
507
|
allowed_roles=["*"],
|
455
|
-
postgresql=
|
456
|
-
connection_url
|
457
|
-
)
|
508
|
+
postgresql={
|
509
|
+
"connection_url": "postgres://username:password@host:port/database",
|
510
|
+
})
|
458
511
|
# configure a static role with period-based rotations
|
459
|
-
period_role = vault.database.SecretBackendStaticRole("
|
512
|
+
period_role = vault.database.SecretBackendStaticRole("period_role",
|
460
513
|
backend=db.path,
|
514
|
+
name="my-period-role",
|
461
515
|
db_name=postgres.name,
|
462
516
|
username="example",
|
463
517
|
rotation_period=3600,
|
464
518
|
rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
|
465
519
|
# configure a static role with schedule-based rotations
|
466
|
-
schedule_role = vault.database.SecretBackendStaticRole("
|
520
|
+
schedule_role = vault.database.SecretBackendStaticRole("schedule_role",
|
467
521
|
backend=db.path,
|
522
|
+
name="my-schedule-role",
|
468
523
|
db_name=postgres.name,
|
469
524
|
username="example",
|
470
525
|
rotation_schedule="0 0 * * SAT",
|
@@ -477,7 +532,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
477
532
|
Database secret backend static roles can be imported using the `backend`, `/static-roles/`, and the `name` e.g.
|
478
533
|
|
479
534
|
```sh
|
480
|
-
|
535
|
+
$ pulumi import vault:database/secretBackendStaticRole:SecretBackendStaticRole example postgres/static-roles/my-role
|
481
536
|
```
|
482
537
|
|
483
538
|
:param str resource_name: The name of the resource.
|
@@ -503,6 +558,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
503
558
|
rotation_schedule: Optional[pulumi.Input[str]] = None,
|
504
559
|
rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
505
560
|
rotation_window: Optional[pulumi.Input[int]] = None,
|
561
|
+
self_managed_password: Optional[pulumi.Input[str]] = None,
|
506
562
|
username: Optional[pulumi.Input[str]] = None,
|
507
563
|
__props__=None):
|
508
564
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
@@ -525,9 +581,12 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
525
581
|
__props__.__dict__["rotation_schedule"] = rotation_schedule
|
526
582
|
__props__.__dict__["rotation_statements"] = rotation_statements
|
527
583
|
__props__.__dict__["rotation_window"] = rotation_window
|
584
|
+
__props__.__dict__["self_managed_password"] = None if self_managed_password is None else pulumi.Output.secret(self_managed_password)
|
528
585
|
if username is None and not opts.urn:
|
529
586
|
raise TypeError("Missing required property 'username'")
|
530
587
|
__props__.__dict__["username"] = username
|
588
|
+
secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["selfManagedPassword"])
|
589
|
+
opts = pulumi.ResourceOptions.merge(opts, secret_opts)
|
531
590
|
super(SecretBackendStaticRole, __self__).__init__(
|
532
591
|
'vault:database/secretBackendStaticRole:SecretBackendStaticRole',
|
533
592
|
resource_name,
|
@@ -546,6 +605,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
546
605
|
rotation_schedule: Optional[pulumi.Input[str]] = None,
|
547
606
|
rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
548
607
|
rotation_window: Optional[pulumi.Input[int]] = None,
|
608
|
+
self_managed_password: Optional[pulumi.Input[str]] = None,
|
549
609
|
username: Optional[pulumi.Input[str]] = None) -> 'SecretBackendStaticRole':
|
550
610
|
"""
|
551
611
|
Get an existing SecretBackendStaticRole resource's state with the given name, id, and optional extra
|
@@ -571,6 +631,9 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
571
631
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
|
572
632
|
:param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
|
573
633
|
from a given `rotation_schedule`.
|
634
|
+
:param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
|
635
|
+
Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
|
636
|
+
select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
|
574
637
|
:param pulumi.Input[str] username: The database username that this static role corresponds to.
|
575
638
|
"""
|
576
639
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
@@ -585,6 +648,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
585
648
|
__props__.__dict__["rotation_schedule"] = rotation_schedule
|
586
649
|
__props__.__dict__["rotation_statements"] = rotation_statements
|
587
650
|
__props__.__dict__["rotation_window"] = rotation_window
|
651
|
+
__props__.__dict__["self_managed_password"] = self_managed_password
|
588
652
|
__props__.__dict__["username"] = username
|
589
653
|
return SecretBackendStaticRole(resource_name, opts=opts, __props__=__props__)
|
590
654
|
|
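Review bot: `get()` stores `self_managed_password` in `__props__` as given, whereas the constructor hunk (-525,9 +581,12) wraps it with `pulumi.Output.secret(...)`. On this path the value is therefore only protected if the `additional_secret_outputs=["selfManagedPassword"]` merge also runs when `get()` re-enters the constructor at `return SecretBackendStaticRole(...)`. Indentation is lost in this view, so that cannot be confirmed from the visible lines; if it does run, a short comment here would record it, e.g. `# marked secret via additional_secret_outputs in the constructor`. Otherwise mirror the constructor: `__props__.__dict__["self_managed_password"] = None if self_managed_password is None else pulumi.Output.secret(self_managed_password)`. `get()` begins before this hunk.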
@@ -661,6 +725,16 @@ class SecretBackendStaticRole(pulumi.CustomResource):
|
|
661
725
|
"""
|
662
726
|
return pulumi.get(self, "rotation_window")
|
663
727
|
|
728
|
+
@property
|
729
|
+
@pulumi.getter(name="selfManagedPassword")
|
730
|
+
def self_managed_password(self) -> pulumi.Output[Optional[str]]:
|
731
|
+
"""
|
732
|
+
The password corresponding to the username in the database.
|
733
|
+
Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
|
734
|
+
select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
|
735
|
+
"""
|
736
|
+
return pulumi.get(self, "self_managed_password")
|
737
|
+
|
664
738
|
@property
|
665
739
|
@pulumi.getter
|
666
740
|
def username(self) -> pulumi.Output[str]:
|