pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

Files changed (229) hide show
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +26 -9
  5. pulumi_vault/ad/secret_backend.py +16 -142
  6. pulumi_vault/ad/secret_library.py +16 -9
  7. pulumi_vault/ad/secret_role.py +14 -9
  8. pulumi_vault/alicloud/auth_backend_role.py +76 -190
  9. pulumi_vault/approle/auth_backend_login.py +12 -7
  10. pulumi_vault/approle/auth_backend_role.py +77 -191
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
  13. pulumi_vault/audit.py +30 -21
  14. pulumi_vault/audit_request_header.py +11 -2
  15. pulumi_vault/auth_backend.py +66 -14
  16. pulumi_vault/aws/auth_backend_cert.py +18 -9
  17. pulumi_vault/aws/auth_backend_client.py +267 -22
  18. pulumi_vault/aws/auth_backend_config_identity.py +14 -9
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +77 -191
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
  24. pulumi_vault/aws/auth_backend_sts_role.py +14 -9
  25. pulumi_vault/aws/get_access_credentials.py +38 -9
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +77 -9
  28. pulumi_vault/aws/secret_backend_role.py +185 -9
  29. pulumi_vault/aws/secret_backend_static_role.py +20 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +153 -15
  32. pulumi_vault/azure/auth_backend_role.py +77 -191
  33. pulumi_vault/azure/backend.py +227 -21
  34. pulumi_vault/azure/backend_role.py +42 -37
  35. pulumi_vault/azure/get_access_credentials.py +41 -7
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -267
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +28 -19
  44. pulumi_vault/consul/secret_backend_role.py +18 -78
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +119 -112
  48. pulumi_vault/database/secret_backend_role.py +31 -22
  49. pulumi_vault/database/secret_backend_static_role.py +87 -13
  50. pulumi_vault/database/secrets_mount.py +427 -136
  51. pulumi_vault/egp_policy.py +16 -11
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +250 -33
  54. pulumi_vault/gcp/auth_backend_role.py +77 -269
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -5
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -12
  58. pulumi_vault/gcp/secret_impersonated_account.py +76 -15
  59. pulumi_vault/gcp/secret_roleset.py +31 -24
  60. pulumi_vault/gcp/secret_static_account.py +39 -32
  61. pulumi_vault/generic/endpoint.py +24 -17
  62. pulumi_vault/generic/get_secret.py +64 -8
  63. pulumi_vault/generic/secret.py +21 -16
  64. pulumi_vault/get_auth_backend.py +24 -7
  65. pulumi_vault/get_auth_backends.py +51 -9
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -11
  69. pulumi_vault/get_policy_document.py +34 -19
  70. pulumi_vault/get_raft_autopilot_state.py +29 -10
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +19 -14
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +16 -11
  75. pulumi_vault/github/user.py +16 -11
  76. pulumi_vault/identity/entity.py +20 -13
  77. pulumi_vault/identity/entity_alias.py +20 -13
  78. pulumi_vault/identity/entity_policies.py +28 -11
  79. pulumi_vault/identity/get_entity.py +42 -10
  80. pulumi_vault/identity/get_group.py +47 -9
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -7
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -9
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -10
  84. pulumi_vault/identity/group.py +58 -39
  85. pulumi_vault/identity/group_alias.py +16 -9
  86. pulumi_vault/identity/group_member_entity_ids.py +28 -66
  87. pulumi_vault/identity/group_member_group_ids.py +40 -19
  88. pulumi_vault/identity/group_policies.py +20 -7
  89. pulumi_vault/identity/mfa_duo.py +11 -6
  90. pulumi_vault/identity/mfa_login_enforcement.py +15 -6
  91. pulumi_vault/identity/mfa_okta.py +11 -6
  92. pulumi_vault/identity/mfa_pingid.py +7 -2
  93. pulumi_vault/identity/mfa_totp.py +7 -2
  94. pulumi_vault/identity/oidc.py +12 -7
  95. pulumi_vault/identity/oidc_assignment.py +24 -11
  96. pulumi_vault/identity/oidc_client.py +36 -23
  97. pulumi_vault/identity/oidc_key.py +30 -17
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
  99. pulumi_vault/identity/oidc_provider.py +36 -21
  100. pulumi_vault/identity/oidc_role.py +42 -21
  101. pulumi_vault/identity/oidc_scope.py +20 -13
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +45 -40
  105. pulumi_vault/jwt/auth_backend_role.py +133 -254
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +24 -19
  108. pulumi_vault/kmip/secret_role.py +14 -9
  109. pulumi_vault/kmip/secret_scope.py +14 -9
  110. pulumi_vault/kubernetes/auth_backend_config.py +57 -5
  111. pulumi_vault/kubernetes/auth_backend_role.py +70 -177
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -11
  115. pulumi_vault/kubernetes/secret_backend.py +316 -27
  116. pulumi_vault/kubernetes/secret_backend_role.py +137 -46
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +25 -8
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
  120. pulumi_vault/kv/get_secret_v2.py +85 -9
  121. pulumi_vault/kv/get_secrets_list.py +24 -11
  122. pulumi_vault/kv/get_secrets_list_v2.py +37 -15
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +23 -16
  125. pulumi_vault/kv/secret_backend_v2.py +20 -11
  126. pulumi_vault/kv/secret_v2.py +59 -50
  127. pulumi_vault/ldap/auth_backend.py +127 -166
  128. pulumi_vault/ldap/auth_backend_group.py +14 -9
  129. pulumi_vault/ldap/auth_backend_user.py +14 -9
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +354 -82
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +16 -9
  135. pulumi_vault/ldap/secret_backend_static_role.py +73 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +29 -57
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +18 -11
  140. pulumi_vault/mfa_okta.py +18 -11
  141. pulumi_vault/mfa_pingid.py +18 -11
  142. pulumi_vault/mfa_totp.py +24 -17
  143. pulumi_vault/mongodbatlas/secret_backend.py +20 -15
  144. pulumi_vault/mongodbatlas/secret_role.py +47 -38
  145. pulumi_vault/mount.py +391 -51
  146. pulumi_vault/namespace.py +68 -83
  147. pulumi_vault/nomad_secret_backend.py +18 -13
  148. pulumi_vault/nomad_secret_role.py +14 -9
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +485 -39
  151. pulumi_vault/okta/auth_backend_group.py +14 -9
  152. pulumi_vault/okta/auth_backend_user.py +14 -9
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +20 -13
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -9
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -8
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
  174. pulumi_vault/pkisecret/secret_backend_key.py +14 -9
  175. pulumi_vault/pkisecret/secret_backend_role.py +21 -14
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +14 -9
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +60 -6
  185. pulumi_vault/quota_rate_limit.py +56 -2
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +18 -13
  189. pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
  190. pulumi_vault/raft_autopilot.py +14 -9
  191. pulumi_vault/raft_snapshot_agent_config.py +129 -224
  192. pulumi_vault/rgp_policy.py +14 -9
  193. pulumi_vault/saml/auth_backend.py +22 -17
  194. pulumi_vault/saml/auth_backend_role.py +92 -197
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -71
  199. pulumi_vault/secrets/sync_aws_destination.py +242 -27
  200. pulumi_vault/secrets/sync_azure_destination.py +92 -31
  201. pulumi_vault/secrets/sync_config.py +9 -4
  202. pulumi_vault/secrets/sync_gcp_destination.py +158 -25
  203. pulumi_vault/secrets/sync_gh_destination.py +189 -13
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +74 -13
  206. pulumi_vault/ssh/_inputs.py +28 -28
  207. pulumi_vault/ssh/outputs.py +11 -28
  208. pulumi_vault/ssh/secret_backend_ca.py +108 -9
  209. pulumi_vault/ssh/secret_backend_role.py +85 -118
  210. pulumi_vault/terraformcloud/secret_backend.py +7 -54
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -20
  212. pulumi_vault/terraformcloud/secret_role.py +16 -74
  213. pulumi_vault/token.py +28 -23
  214. pulumi_vault/tokenauth/auth_backend_role.py +78 -199
  215. pulumi_vault/transform/alphabet.py +16 -9
  216. pulumi_vault/transform/get_decode.py +45 -17
  217. pulumi_vault/transform/get_encode.py +45 -17
  218. pulumi_vault/transform/role.py +16 -9
  219. pulumi_vault/transform/template.py +30 -21
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -21
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +27 -93
  224. pulumi_vault/transit/secret_cache_config.py +12 -7
  225. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
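Review bot: The new `else` branch makes `typing_extensions` a runtime import on every interpreter older than 3.11, so the wheel has to declare it as a dependency. The METADATA change listed for this release is not shown on this page, so confirm it carries a `Requires-Dist` entry for `typing_extensions` with a lower bound new enough to provide `NotRequired`. Without that entry, importing this module in a clean environment below 3.11 would fail at `from typing_extensions import NotRequired, TypedDict, TypeAlias`. None of the three names is used in the hunks shown for this file, so a one-line comment above the branch, for example `# typing backports for the TypedDict-style argument types`, would tell readers why the import is here.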
@@ -40,45 +45,22 @@ class AuthBackendRoleArgs:
40
45
  The set of arguments for constructing a AuthBackendRole resource.
41
46
  :param pulumi.Input[str] role: Name of the GCP role
42
47
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
43
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
44
48
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
45
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
46
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
47
49
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
48
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
49
50
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
50
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
51
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
52
51
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
53
52
  The value should not contain leading or trailing forward slashes.
54
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
53
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
55
54
  *Available only for Vault Enterprise*.
56
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
57
- addresses which can authenticate successfully, and ties the resulting token to these blocks
58
- as well.
59
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
60
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
61
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
62
- `token_max_ttl` would otherwise allow a renewal.
63
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
64
- Its current value will be referenced at renewal time.
65
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
66
- generated tokens; otherwise it will be added to the policies set in token_policies.
67
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
68
- of times a generated token may be used (within its lifetime); 0 means unlimited.
69
- :param pulumi.Input[int] token_period: If set, indicates that the
70
- token generated using this role should never expire. The token should be renewed within the
71
- duration specified by this value. At each renewal, the token's TTL will be set to the
72
- value of this field. Specified in seconds.
73
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
74
- on the auth method, this list may be supplemented by user/group/other values.
75
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
76
- Its current value will be referenced at renewal time.
77
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
78
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
79
- `service` tokens). For token store roles, there are two additional possibilities:
80
- `default-service` and `default-batch` which specify the type to return unless the client
81
- requests a different type at generation time.
55
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
56
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
57
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
58
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
59
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
60
+ :param pulumi.Input[int] token_period: Generated Token's Period
61
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
62
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
63
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
82
64
  """
83
65
  pulumi.set(__self__, "role", role)
84
66
  pulumi.set(__self__, "type", type)
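Review bot: The rewritten `AuthBackendRoleArgs` docstring no longer documents `allow_gce_inference`, `bound_instance_groups`, `bound_labels`, `bound_regions`, `bound_zones` or `max_jwt_exp`, although later hunks show their getters are still present, so the bindings that decide which GCE instances may authenticate are now undocumented. The dropped `bound_labels` entry held the only warning that GCP labels are not ACL'd, and I would keep at least `:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: "key:value" labels required on authorized GCE instances; labels are not ACL'd, so combine with other bound_* restrictions.` The shortened token entries also lose detail a reviewer of a role definition needs: `token_period` no longer says the token never expires while it is renewed within that many seconds, `token_max_ttl` lost its unit, and `token_type` no longer mentions `default`. The same loss repeats in the per-property getter hunks below and in the `_AuthBackendRoleState` docstring; if this file is generated, the text presumably has to be restored in the upstream schema rather than here. The `__init__` this docstring belongs to starts above the hunk.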
@@ -159,9 +141,6 @@ class AuthBackendRoleArgs:
159
141
  @property
160
142
  @pulumi.getter(name="allowGceInference")
161
143
  def allow_gce_inference(self) -> Optional[pulumi.Input[bool]]:
162
- """
163
- A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
164
- """
165
144
  return pulumi.get(self, "allow_gce_inference")
166
145
 
167
146
  @allow_gce_inference.setter
@@ -183,9 +162,6 @@ class AuthBackendRoleArgs:
183
162
  @property
184
163
  @pulumi.getter(name="boundInstanceGroups")
185
164
  def bound_instance_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
186
- """
187
- The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
188
- """
189
165
  return pulumi.get(self, "bound_instance_groups")
190
166
 
191
167
  @bound_instance_groups.setter
@@ -195,9 +171,6 @@ class AuthBackendRoleArgs:
195
171
  @property
196
172
  @pulumi.getter(name="boundLabels")
197
173
  def bound_labels(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
198
- """
199
- A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
200
- """
201
174
  return pulumi.get(self, "bound_labels")
202
175
 
203
176
  @bound_labels.setter
@@ -219,9 +192,6 @@ class AuthBackendRoleArgs:
219
192
  @property
220
193
  @pulumi.getter(name="boundRegions")
221
194
  def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
222
- """
223
- The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
224
- """
225
195
  return pulumi.get(self, "bound_regions")
226
196
 
227
197
  @bound_regions.setter
@@ -243,9 +213,6 @@ class AuthBackendRoleArgs:
243
213
  @property
244
214
  @pulumi.getter(name="boundZones")
245
215
  def bound_zones(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
246
- """
247
- The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
248
- """
249
216
  return pulumi.get(self, "bound_zones")
250
217
 
251
218
  @bound_zones.setter
@@ -255,9 +222,6 @@ class AuthBackendRoleArgs:
255
222
  @property
256
223
  @pulumi.getter(name="maxJwtExp")
257
224
  def max_jwt_exp(self) -> Optional[pulumi.Input[str]]:
258
- """
259
- The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
260
- """
261
225
  return pulumi.get(self, "max_jwt_exp")
262
226
 
263
227
  @max_jwt_exp.setter
@@ -270,7 +234,7 @@ class AuthBackendRoleArgs:
270
234
  """
271
235
  The namespace to provision the resource in.
272
236
  The value should not contain leading or trailing forward slashes.
273
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
237
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
274
238
  *Available only for Vault Enterprise*.
275
239
  """
276
240
  return pulumi.get(self, "namespace")
@@ -283,9 +247,7 @@ class AuthBackendRoleArgs:
283
247
  @pulumi.getter(name="tokenBoundCidrs")
284
248
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
285
249
  """
286
- List of CIDR blocks; if set, specifies blocks of IP
287
- addresses which can authenticate successfully, and ties the resulting token to these blocks
288
- as well.
250
+ Specifies the blocks of IP addresses which are allowed to use the generated token
289
251
  """
290
252
  return pulumi.get(self, "token_bound_cidrs")
291
253
 
@@ -297,10 +259,7 @@ class AuthBackendRoleArgs:
297
259
  @pulumi.getter(name="tokenExplicitMaxTtl")
298
260
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
299
261
  """
300
- If set, will encode an
301
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
302
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
303
- `token_max_ttl` would otherwise allow a renewal.
262
+ Generated Token's Explicit Maximum TTL in seconds
304
263
  """
305
264
  return pulumi.get(self, "token_explicit_max_ttl")
306
265
 
@@ -312,8 +271,7 @@ class AuthBackendRoleArgs:
312
271
  @pulumi.getter(name="tokenMaxTtl")
313
272
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
314
273
  """
315
- The maximum lifetime for generated tokens in number of seconds.
316
- Its current value will be referenced at renewal time.
274
+ The maximum lifetime of the generated token
317
275
  """
318
276
  return pulumi.get(self, "token_max_ttl")
319
277
 
@@ -325,8 +283,7 @@ class AuthBackendRoleArgs:
325
283
  @pulumi.getter(name="tokenNoDefaultPolicy")
326
284
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
327
285
  """
328
- If set, the default policy will not be set on
329
- generated tokens; otherwise it will be added to the policies set in token_policies.
286
+ If true, the 'default' policy will not automatically be added to generated tokens
330
287
  """
331
288
  return pulumi.get(self, "token_no_default_policy")
332
289
 
@@ -338,8 +295,7 @@ class AuthBackendRoleArgs:
338
295
  @pulumi.getter(name="tokenNumUses")
339
296
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
340
297
  """
341
- The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
342
- of times a generated token may be used (within its lifetime); 0 means unlimited.
298
+ The maximum number of times a token may be used, a value of zero means unlimited
343
299
  """
344
300
  return pulumi.get(self, "token_num_uses")
345
301
 
@@ -351,10 +307,7 @@ class AuthBackendRoleArgs:
351
307
  @pulumi.getter(name="tokenPeriod")
352
308
  def token_period(self) -> Optional[pulumi.Input[int]]:
353
309
  """
354
- If set, indicates that the
355
- token generated using this role should never expire. The token should be renewed within the
356
- duration specified by this value. At each renewal, the token's TTL will be set to the
357
- value of this field. Specified in seconds.
310
+ Generated Token's Period
358
311
  """
359
312
  return pulumi.get(self, "token_period")
360
313
 
@@ -366,8 +319,7 @@ class AuthBackendRoleArgs:
366
319
  @pulumi.getter(name="tokenPolicies")
367
320
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
368
321
  """
369
- List of policies to encode onto generated tokens. Depending
370
- on the auth method, this list may be supplemented by user/group/other values.
322
+ Generated Token's Policies
371
323
  """
372
324
  return pulumi.get(self, "token_policies")
373
325
 
@@ -379,8 +331,7 @@ class AuthBackendRoleArgs:
379
331
  @pulumi.getter(name="tokenTtl")
380
332
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
381
333
  """
382
- The incremental lifetime for generated tokens in number of seconds.
383
- Its current value will be referenced at renewal time.
334
+ The initial ttl of the token to generate in seconds
384
335
  """
385
336
  return pulumi.get(self, "token_ttl")
386
337
 
@@ -392,11 +343,7 @@ class AuthBackendRoleArgs:
392
343
  @pulumi.getter(name="tokenType")
393
344
  def token_type(self) -> Optional[pulumi.Input[str]]:
394
345
  """
395
- The type of token that should be generated. Can be `service`,
396
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
397
- `service` tokens). For token store roles, there are two additional possibilities:
398
- `default-service` and `default-batch` which specify the type to return unless the client
399
- requests a different type at generation time.
346
+ The type of token to generate, service or batch
400
347
  """
401
348
  return pulumi.get(self, "token_type")
402
349
 
@@ -432,46 +379,23 @@ class _AuthBackendRoleState:
432
379
  type: Optional[pulumi.Input[str]] = None):
433
380
  """
434
381
  Input properties used for looking up and filtering AuthBackendRole resources.
435
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
436
382
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
437
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
438
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
439
383
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
440
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
441
384
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
442
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
443
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
444
385
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
445
386
  The value should not contain leading or trailing forward slashes.
446
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
387
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
447
388
  *Available only for Vault Enterprise*.
448
389
  :param pulumi.Input[str] role: Name of the GCP role
449
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
450
- addresses which can authenticate successfully, and ties the resulting token to these blocks
451
- as well.
452
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
453
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
454
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
455
- `token_max_ttl` would otherwise allow a renewal.
456
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
457
- Its current value will be referenced at renewal time.
458
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
459
- generated tokens; otherwise it will be added to the policies set in token_policies.
460
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
461
- of times a generated token may be used (within its lifetime); 0 means unlimited.
462
- :param pulumi.Input[int] token_period: If set, indicates that the
463
- token generated using this role should never expire. The token should be renewed within the
464
- duration specified by this value. At each renewal, the token's TTL will be set to the
465
- value of this field. Specified in seconds.
466
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
467
- on the auth method, this list may be supplemented by user/group/other values.
468
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
469
- Its current value will be referenced at renewal time.
470
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
471
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
472
- `service` tokens). For token store roles, there are two additional possibilities:
473
- `default-service` and `default-batch` which specify the type to return unless the client
474
- requests a different type at generation time.
390
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
391
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
392
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
393
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
394
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
395
+ :param pulumi.Input[int] token_period: Generated Token's Period
396
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
397
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
398
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
475
399
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
476
400
  """
477
401
  if add_group_aliases is not None:
@@ -531,9 +455,6 @@ class _AuthBackendRoleState:
531
455
  @property
532
456
  @pulumi.getter(name="allowGceInference")
533
457
  def allow_gce_inference(self) -> Optional[pulumi.Input[bool]]:
534
- """
535
- A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
536
- """
537
458
  return pulumi.get(self, "allow_gce_inference")
538
459
 
539
460
  @allow_gce_inference.setter
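Review bot: The `allow_gce_inference` getter loses its docstring here with nothing in its place, and the later hunks do the same for `bound_instance_groups`, `bound_labels`, `bound_regions`, `bound_zones` and `max_jwt_exp`, in both `_AuthBackendRoleState` and `AuthBackendRole` and in the matching `:param` lines. These fields decide which GCE instances may log in, and the removed `bound_labels` text carried the caution that GCP labels are not ACL'd and should be combined with other restrictions. I would keep at least a one-line docstring on each, for example `"""GCP labels ("key:value") required on authorized GCE instances; labels are not ACL'd, so combine with other bound_* restrictions."""` on `bound_labels`. If this module is generated, the text presumably has to be restored in the upstream schema descriptions rather than here. The setter that begins on the last line of the hunk continues outside it.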
@@ -555,9 +476,6 @@ class _AuthBackendRoleState:
555
476
  @property
556
477
  @pulumi.getter(name="boundInstanceGroups")
557
478
  def bound_instance_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
558
- """
559
- The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
560
- """
561
479
  return pulumi.get(self, "bound_instance_groups")
562
480
 
563
481
  @bound_instance_groups.setter
@@ -567,9 +485,6 @@ class _AuthBackendRoleState:
567
485
  @property
568
486
  @pulumi.getter(name="boundLabels")
569
487
  def bound_labels(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
570
- """
571
- A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
572
- """
573
488
  return pulumi.get(self, "bound_labels")
574
489
 
575
490
  @bound_labels.setter
@@ -591,9 +506,6 @@ class _AuthBackendRoleState:
591
506
  @property
592
507
  @pulumi.getter(name="boundRegions")
593
508
  def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
594
- """
595
- The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
596
- """
597
509
  return pulumi.get(self, "bound_regions")
598
510
 
599
511
  @bound_regions.setter
@@ -615,9 +527,6 @@ class _AuthBackendRoleState:
615
527
  @property
616
528
  @pulumi.getter(name="boundZones")
617
529
  def bound_zones(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
618
- """
619
- The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
620
- """
621
530
  return pulumi.get(self, "bound_zones")
622
531
 
623
532
  @bound_zones.setter
@@ -627,9 +536,6 @@ class _AuthBackendRoleState:
627
536
  @property
628
537
  @pulumi.getter(name="maxJwtExp")
629
538
  def max_jwt_exp(self) -> Optional[pulumi.Input[str]]:
630
- """
631
- The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
632
- """
633
539
  return pulumi.get(self, "max_jwt_exp")
634
540
 
635
541
  @max_jwt_exp.setter
@@ -642,7 +548,7 @@ class _AuthBackendRoleState:
642
548
  """
643
549
  The namespace to provision the resource in.
644
550
  The value should not contain leading or trailing forward slashes.
645
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
551
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
646
552
  *Available only for Vault Enterprise*.
647
553
  """
648
554
  return pulumi.get(self, "namespace")
@@ -667,9 +573,7 @@ class _AuthBackendRoleState:
667
573
  @pulumi.getter(name="tokenBoundCidrs")
668
574
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
669
575
  """
670
- List of CIDR blocks; if set, specifies blocks of IP
671
- addresses which can authenticate successfully, and ties the resulting token to these blocks
672
- as well.
576
+ Specifies the blocks of IP addresses which are allowed to use the generated token
673
577
  """
674
578
  return pulumi.get(self, "token_bound_cidrs")
675
579
 
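Review bot: The new one-line docstring for `token_bound_cidrs` says only which addresses may use the token, while the removed text also said the CIDR list limits which addresses can authenticate; the shortened `token_*` docstrings in the following hunks (and the `:param` lines and `AuthBackendRole` getters further down) drop similar details. `token_period` no longer says that a periodic token never expires as long as it is renewed, `token_explicit_max_ttl` no longer says it is a hard cap, `token_max_ttl` and `token_period` lose their unit, and `token_type` no longer lists `default`. I would keep the short form but restore the facts, e.g. `"""Generated token's period in seconds; the token does not expire as long as it is renewed within this period."""` and `"""The maximum lifetime of the generated token, in seconds."""`. The `@property` line of this getter sits just above the hunk.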
@@ -681,10 +585,7 @@ class _AuthBackendRoleState:
681
585
  @pulumi.getter(name="tokenExplicitMaxTtl")
682
586
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
683
587
  """
684
- If set, will encode an
685
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
686
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
687
- `token_max_ttl` would otherwise allow a renewal.
588
+ Generated Token's Explicit Maximum TTL in seconds
688
589
  """
689
590
  return pulumi.get(self, "token_explicit_max_ttl")
690
591
 
@@ -696,8 +597,7 @@ class _AuthBackendRoleState:
696
597
  @pulumi.getter(name="tokenMaxTtl")
697
598
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
698
599
  """
699
- The maximum lifetime for generated tokens in number of seconds.
700
- Its current value will be referenced at renewal time.
600
+ The maximum lifetime of the generated token
701
601
  """
702
602
  return pulumi.get(self, "token_max_ttl")
703
603
 
@@ -709,8 +609,7 @@ class _AuthBackendRoleState:
709
609
  @pulumi.getter(name="tokenNoDefaultPolicy")
710
610
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
711
611
  """
712
- If set, the default policy will not be set on
713
- generated tokens; otherwise it will be added to the policies set in token_policies.
612
+ If true, the 'default' policy will not automatically be added to generated tokens
714
613
  """
715
614
  return pulumi.get(self, "token_no_default_policy")
716
615
 
@@ -722,8 +621,7 @@ class _AuthBackendRoleState:
722
621
  @pulumi.getter(name="tokenNumUses")
723
622
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
724
623
  """
725
- The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
726
- of times a generated token may be used (within its lifetime); 0 means unlimited.
624
+ The maximum number of times a token may be used, a value of zero means unlimited
727
625
  """
728
626
  return pulumi.get(self, "token_num_uses")
729
627
 
@@ -735,10 +633,7 @@ class _AuthBackendRoleState:
735
633
  @pulumi.getter(name="tokenPeriod")
736
634
  def token_period(self) -> Optional[pulumi.Input[int]]:
737
635
  """
738
- If set, indicates that the
739
- token generated using this role should never expire. The token should be renewed within the
740
- duration specified by this value. At each renewal, the token's TTL will be set to the
741
- value of this field. Specified in seconds.
636
+ Generated Token's Period
742
637
  """
743
638
  return pulumi.get(self, "token_period")
744
639
 
@@ -750,8 +645,7 @@ class _AuthBackendRoleState:
750
645
  @pulumi.getter(name="tokenPolicies")
751
646
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
752
647
  """
753
- List of policies to encode onto generated tokens. Depending
754
- on the auth method, this list may be supplemented by user/group/other values.
648
+ Generated Token's Policies
755
649
  """
756
650
  return pulumi.get(self, "token_policies")
757
651
 
@@ -763,8 +657,7 @@ class _AuthBackendRoleState:
763
657
  @pulumi.getter(name="tokenTtl")
764
658
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
765
659
  """
766
- The incremental lifetime for generated tokens in number of seconds.
767
- Its current value will be referenced at renewal time.
660
+ The initial ttl of the token to generate in seconds
768
661
  """
769
662
  return pulumi.get(self, "token_ttl")
770
663
 
@@ -776,11 +669,7 @@ class _AuthBackendRoleState:
776
669
  @pulumi.getter(name="tokenType")
777
670
  def token_type(self) -> Optional[pulumi.Input[str]]:
778
671
  """
779
- The type of token that should be generated. Can be `service`,
780
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
781
- `service` tokens). For token store roles, there are two additional possibilities:
782
- `default-service` and `default-batch` which specify the type to return unless the client
783
- requests a different type at generation time.
672
+ The type of token to generate, service or batch
784
673
  """
785
674
  return pulumi.get(self, "token_type")
786
675
 
@@ -861,51 +750,28 @@ class AuthBackendRole(pulumi.CustomResource):
861
750
  GCP authentication roles can be imported using the `path`, e.g.
862
751
 
863
752
  ```sh
864
- $ pulumi import vault:gcp/authBackendRole:AuthBackendRole my_role auth/gcp/role/my_role
753
+ $ pulumi import vault:gcp/authBackendRole:AuthBackendRole my_role auth/gcp/role/my_role
865
754
  ```
866
755
 
867
756
  :param str resource_name: The name of the resource.
868
757
  :param pulumi.ResourceOptions opts: Options for the resource.
869
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
870
758
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
871
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
872
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
873
759
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
874
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
875
760
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
876
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
877
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
878
761
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
879
762
  The value should not contain leading or trailing forward slashes.
880
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
763
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
881
764
  *Available only for Vault Enterprise*.
882
765
  :param pulumi.Input[str] role: Name of the GCP role
883
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
884
- addresses which can authenticate successfully, and ties the resulting token to these blocks
885
- as well.
886
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
887
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
888
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
889
- `token_max_ttl` would otherwise allow a renewal.
890
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
891
- Its current value will be referenced at renewal time.
892
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
893
- generated tokens; otherwise it will be added to the policies set in token_policies.
894
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
895
- of times a generated token may be used (within its lifetime); 0 means unlimited.
896
- :param pulumi.Input[int] token_period: If set, indicates that the
897
- token generated using this role should never expire. The token should be renewed within the
898
- duration specified by this value. At each renewal, the token's TTL will be set to the
899
- value of this field. Specified in seconds.
900
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
901
- on the auth method, this list may be supplemented by user/group/other values.
902
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
903
- Its current value will be referenced at renewal time.
904
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
905
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
906
- `service` tokens). For token store roles, there are two additional possibilities:
907
- `default-service` and `default-batch` which specify the type to return unless the client
908
- requests a different type at generation time.
766
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
767
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
768
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
769
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
770
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
771
+ :param pulumi.Input[int] token_period: Generated Token's Period
772
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
773
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
774
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
909
775
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
910
776
  """
911
777
  ...
@@ -946,7 +812,7 @@ class AuthBackendRole(pulumi.CustomResource):
946
812
  GCP authentication roles can be imported using the `path`, e.g.
947
813
 
948
814
  ```sh
949
- $ pulumi import vault:gcp/authBackendRole:AuthBackendRole my_role auth/gcp/role/my_role
815
+ $ pulumi import vault:gcp/authBackendRole:AuthBackendRole my_role auth/gcp/role/my_role
950
816
  ```
951
817
 
952
818
  :param str resource_name: The name of the resource.
@@ -1060,46 +926,23 @@ class AuthBackendRole(pulumi.CustomResource):
1060
926
  :param str resource_name: The unique name of the resulting resource.
1061
927
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
1062
928
  :param pulumi.ResourceOptions opts: Options for the resource.
1063
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
1064
929
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
1065
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
1066
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
1067
930
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
1068
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
1069
931
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
1070
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
1071
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
1072
932
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1073
933
  The value should not contain leading or trailing forward slashes.
1074
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
934
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1075
935
  *Available only for Vault Enterprise*.
1076
936
  :param pulumi.Input[str] role: Name of the GCP role
1077
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
1078
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1079
- as well.
1080
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
1081
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1082
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1083
- `token_max_ttl` would otherwise allow a renewal.
1084
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
1085
- Its current value will be referenced at renewal time.
1086
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
1087
- generated tokens; otherwise it will be added to the policies set in token_policies.
1088
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
1089
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1090
- :param pulumi.Input[int] token_period: If set, indicates that the
1091
- token generated using this role should never expire. The token should be renewed within the
1092
- duration specified by this value. At each renewal, the token's TTL will be set to the
1093
- value of this field. Specified in seconds.
1094
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
1095
- on the auth method, this list may be supplemented by user/group/other values.
1096
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
1097
- Its current value will be referenced at renewal time.
1098
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
1099
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1100
- `service` tokens). For token store roles, there are two additional possibilities:
1101
- `default-service` and `default-batch` which specify the type to return unless the client
1102
- requests a different type at generation time.
937
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
938
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
939
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
940
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
941
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
942
+ :param pulumi.Input[int] token_period: Generated Token's Period
943
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
944
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
945
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
1103
946
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
1104
947
  """
1105
948
  opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -1138,9 +981,6 @@ class AuthBackendRole(pulumi.CustomResource):
1138
981
  @property
1139
982
  @pulumi.getter(name="allowGceInference")
1140
983
  def allow_gce_inference(self) -> pulumi.Output[bool]:
1141
- """
1142
- A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
1143
- """
1144
984
  return pulumi.get(self, "allow_gce_inference")
1145
985
 
1146
986
  @property
@@ -1154,17 +994,11 @@ class AuthBackendRole(pulumi.CustomResource):
1154
994
  @property
1155
995
  @pulumi.getter(name="boundInstanceGroups")
1156
996
  def bound_instance_groups(self) -> pulumi.Output[Sequence[str]]:
1157
- """
1158
- The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
1159
- """
1160
997
  return pulumi.get(self, "bound_instance_groups")
1161
998
 
1162
999
  @property
1163
1000
  @pulumi.getter(name="boundLabels")
1164
1001
  def bound_labels(self) -> pulumi.Output[Sequence[str]]:
1165
- """
1166
- A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
1167
- """
1168
1002
  return pulumi.get(self, "bound_labels")
1169
1003
 
1170
1004
  @property
@@ -1178,9 +1012,6 @@ class AuthBackendRole(pulumi.CustomResource):
1178
1012
  @property
1179
1013
  @pulumi.getter(name="boundRegions")
1180
1014
  def bound_regions(self) -> pulumi.Output[Sequence[str]]:
1181
- """
1182
- The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
1183
- """
1184
1015
  return pulumi.get(self, "bound_regions")
1185
1016
 
1186
1017
  @property
@@ -1194,17 +1025,11 @@ class AuthBackendRole(pulumi.CustomResource):
1194
1025
  @property
1195
1026
  @pulumi.getter(name="boundZones")
1196
1027
  def bound_zones(self) -> pulumi.Output[Sequence[str]]:
1197
- """
1198
- The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
1199
- """
1200
1028
  return pulumi.get(self, "bound_zones")
1201
1029
 
1202
1030
  @property
1203
1031
  @pulumi.getter(name="maxJwtExp")
1204
1032
  def max_jwt_exp(self) -> pulumi.Output[str]:
1205
- """
1206
- The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
1207
- """
1208
1033
  return pulumi.get(self, "max_jwt_exp")
1209
1034
 
1210
1035
  @property
@@ -1213,7 +1038,7 @@ class AuthBackendRole(pulumi.CustomResource):
1213
1038
  """
1214
1039
  The namespace to provision the resource in.
1215
1040
  The value should not contain leading or trailing forward slashes.
1216
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1041
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1217
1042
  *Available only for Vault Enterprise*.
1218
1043
  """
1219
1044
  return pulumi.get(self, "namespace")
@@ -1230,9 +1055,7 @@ class AuthBackendRole(pulumi.CustomResource):
1230
1055
  @pulumi.getter(name="tokenBoundCidrs")
1231
1056
  def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
1232
1057
  """
1233
- List of CIDR blocks; if set, specifies blocks of IP
1234
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1235
- as well.
1058
+ Specifies the blocks of IP addresses which are allowed to use the generated token
1236
1059
  """
1237
1060
  return pulumi.get(self, "token_bound_cidrs")
1238
1061
 
@@ -1240,10 +1063,7 @@ class AuthBackendRole(pulumi.CustomResource):
1240
1063
  @pulumi.getter(name="tokenExplicitMaxTtl")
1241
1064
  def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
1242
1065
  """
1243
- If set, will encode an
1244
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1245
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1246
- `token_max_ttl` would otherwise allow a renewal.
1066
+ Generated Token's Explicit Maximum TTL in seconds
1247
1067
  """
1248
1068
  return pulumi.get(self, "token_explicit_max_ttl")
1249
1069
 
@@ -1251,8 +1071,7 @@ class AuthBackendRole(pulumi.CustomResource):
1251
1071
  @pulumi.getter(name="tokenMaxTtl")
1252
1072
  def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
1253
1073
  """
1254
- The maximum lifetime for generated tokens in number of seconds.
1255
- Its current value will be referenced at renewal time.
1074
+ The maximum lifetime of the generated token
1256
1075
  """
1257
1076
  return pulumi.get(self, "token_max_ttl")
1258
1077
 
@@ -1260,8 +1079,7 @@ class AuthBackendRole(pulumi.CustomResource):
1260
1079
  @pulumi.getter(name="tokenNoDefaultPolicy")
1261
1080
  def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
1262
1081
  """
1263
- If set, the default policy will not be set on
1264
- generated tokens; otherwise it will be added to the policies set in token_policies.
1082
+ If true, the 'default' policy will not automatically be added to generated tokens
1265
1083
  """
1266
1084
  return pulumi.get(self, "token_no_default_policy")
1267
1085
 
@@ -1269,8 +1087,7 @@ class AuthBackendRole(pulumi.CustomResource):
1269
1087
  @pulumi.getter(name="tokenNumUses")
1270
1088
  def token_num_uses(self) -> pulumi.Output[Optional[int]]:
1271
1089
  """
1272
- The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
1273
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1090
+ The maximum number of times a token may be used, a value of zero means unlimited
1274
1091
  """
1275
1092
  return pulumi.get(self, "token_num_uses")
1276
1093
 
@@ -1278,10 +1095,7 @@ class AuthBackendRole(pulumi.CustomResource):
1278
1095
  @pulumi.getter(name="tokenPeriod")
1279
1096
  def token_period(self) -> pulumi.Output[Optional[int]]:
1280
1097
  """
1281
- If set, indicates that the
1282
- token generated using this role should never expire. The token should be renewed within the
1283
- duration specified by this value. At each renewal, the token's TTL will be set to the
1284
- value of this field. Specified in seconds.
1098
+ Generated Token's Period
1285
1099
  """
1286
1100
  return pulumi.get(self, "token_period")
1287
1101
 
@@ -1289,8 +1103,7 @@ class AuthBackendRole(pulumi.CustomResource):
1289
1103
  @pulumi.getter(name="tokenPolicies")
1290
1104
  def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
1291
1105
  """
1292
- List of policies to encode onto generated tokens. Depending
1293
- on the auth method, this list may be supplemented by user/group/other values.
1106
+ Generated Token's Policies
1294
1107
  """
1295
1108
  return pulumi.get(self, "token_policies")
1296
1109
 
@@ -1298,8 +1111,7 @@ class AuthBackendRole(pulumi.CustomResource):
1298
1111
  @pulumi.getter(name="tokenTtl")
1299
1112
  def token_ttl(self) -> pulumi.Output[Optional[int]]:
1300
1113
  """
1301
- The incremental lifetime for generated tokens in number of seconds.
1302
- Its current value will be referenced at renewal time.
1114
+ The initial ttl of the token to generate in seconds
1303
1115
  """
1304
1116
  return pulumi.get(self, "token_ttl")
1305
1117
 
@@ -1307,11 +1119,7 @@ class AuthBackendRole(pulumi.CustomResource):
1307
1119
  @pulumi.getter(name="tokenType")
1308
1120
  def token_type(self) -> pulumi.Output[Optional[str]]:
1309
1121
  """
1310
- The type of token that should be generated. Can be `service`,
1311
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1312
- `service` tokens). For token store roles, there are two additional possibilities:
1313
- `default-service` and `default-batch` which specify the type to return unless the client
1314
- requests a different type at generation time.
1122
+ The type of token to generate, service or batch
1315
1123
  """
1316
1124
  return pulumi.get(self, "token_type")
1317
1125