pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +26 -9
- pulumi_vault/ad/secret_backend.py +16 -142
- pulumi_vault/ad/secret_library.py +16 -9
- pulumi_vault/ad/secret_role.py +14 -9
- pulumi_vault/alicloud/auth_backend_role.py +76 -190
- pulumi_vault/approle/auth_backend_login.py +12 -7
- pulumi_vault/approle/auth_backend_role.py +77 -191
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
- pulumi_vault/audit.py +30 -21
- pulumi_vault/audit_request_header.py +11 -2
- pulumi_vault/auth_backend.py +66 -14
- pulumi_vault/aws/auth_backend_cert.py +18 -9
- pulumi_vault/aws/auth_backend_client.py +267 -22
- pulumi_vault/aws/auth_backend_config_identity.py +14 -9
- pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +77 -191
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
- pulumi_vault/aws/auth_backend_sts_role.py +14 -9
- pulumi_vault/aws/get_access_credentials.py +38 -9
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +77 -9
- pulumi_vault/aws/secret_backend_role.py +185 -9
- pulumi_vault/aws/secret_backend_static_role.py +20 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +153 -15
- pulumi_vault/azure/auth_backend_role.py +77 -191
- pulumi_vault/azure/backend.py +227 -21
- pulumi_vault/azure/backend_role.py +42 -37
- pulumi_vault/azure/get_access_credentials.py +41 -7
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -267
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +28 -19
- pulumi_vault/consul/secret_backend_role.py +18 -78
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +119 -112
- pulumi_vault/database/secret_backend_role.py +31 -22
- pulumi_vault/database/secret_backend_static_role.py +87 -13
- pulumi_vault/database/secrets_mount.py +427 -136
- pulumi_vault/egp_policy.py +16 -11
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +250 -33
- pulumi_vault/gcp/auth_backend_role.py +77 -269
- pulumi_vault/gcp/get_auth_backend_role.py +43 -5
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -12
- pulumi_vault/gcp/secret_impersonated_account.py +76 -15
- pulumi_vault/gcp/secret_roleset.py +31 -24
- pulumi_vault/gcp/secret_static_account.py +39 -32
- pulumi_vault/generic/endpoint.py +24 -17
- pulumi_vault/generic/get_secret.py +64 -8
- pulumi_vault/generic/secret.py +21 -16
- pulumi_vault/get_auth_backend.py +24 -7
- pulumi_vault/get_auth_backends.py +51 -9
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -11
- pulumi_vault/get_policy_document.py +34 -19
- pulumi_vault/get_raft_autopilot_state.py +29 -10
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +19 -14
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +16 -11
- pulumi_vault/github/user.py +16 -11
- pulumi_vault/identity/entity.py +20 -13
- pulumi_vault/identity/entity_alias.py +20 -13
- pulumi_vault/identity/entity_policies.py +28 -11
- pulumi_vault/identity/get_entity.py +42 -10
- pulumi_vault/identity/get_group.py +47 -9
- pulumi_vault/identity/get_oidc_client_creds.py +21 -7
- pulumi_vault/identity/get_oidc_openid_config.py +39 -9
- pulumi_vault/identity/get_oidc_public_keys.py +29 -10
- pulumi_vault/identity/group.py +58 -39
- pulumi_vault/identity/group_alias.py +16 -9
- pulumi_vault/identity/group_member_entity_ids.py +28 -66
- pulumi_vault/identity/group_member_group_ids.py +40 -19
- pulumi_vault/identity/group_policies.py +20 -7
- pulumi_vault/identity/mfa_duo.py +11 -6
- pulumi_vault/identity/mfa_login_enforcement.py +15 -6
- pulumi_vault/identity/mfa_okta.py +11 -6
- pulumi_vault/identity/mfa_pingid.py +7 -2
- pulumi_vault/identity/mfa_totp.py +7 -2
- pulumi_vault/identity/oidc.py +12 -7
- pulumi_vault/identity/oidc_assignment.py +24 -11
- pulumi_vault/identity/oidc_client.py +36 -23
- pulumi_vault/identity/oidc_key.py +30 -17
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
- pulumi_vault/identity/oidc_provider.py +36 -21
- pulumi_vault/identity/oidc_role.py +42 -21
- pulumi_vault/identity/oidc_scope.py +20 -13
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +45 -40
- pulumi_vault/jwt/auth_backend_role.py +133 -254
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +24 -19
- pulumi_vault/kmip/secret_role.py +14 -9
- pulumi_vault/kmip/secret_scope.py +14 -9
- pulumi_vault/kubernetes/auth_backend_config.py +57 -5
- pulumi_vault/kubernetes/auth_backend_role.py +70 -177
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -11
- pulumi_vault/kubernetes/secret_backend.py +316 -27
- pulumi_vault/kubernetes/secret_backend_role.py +137 -46
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +25 -8
- pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
- pulumi_vault/kv/get_secret_v2.py +85 -9
- pulumi_vault/kv/get_secrets_list.py +24 -11
- pulumi_vault/kv/get_secrets_list_v2.py +37 -15
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +23 -16
- pulumi_vault/kv/secret_backend_v2.py +20 -11
- pulumi_vault/kv/secret_v2.py +59 -50
- pulumi_vault/ldap/auth_backend.py +127 -166
- pulumi_vault/ldap/auth_backend_group.py +14 -9
- pulumi_vault/ldap/auth_backend_user.py +14 -9
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +354 -82
- pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
- pulumi_vault/ldap/secret_backend_library_set.py +16 -9
- pulumi_vault/ldap/secret_backend_static_role.py +73 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +29 -57
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +18 -11
- pulumi_vault/mfa_okta.py +18 -11
- pulumi_vault/mfa_pingid.py +18 -11
- pulumi_vault/mfa_totp.py +24 -17
- pulumi_vault/mongodbatlas/secret_backend.py +20 -15
- pulumi_vault/mongodbatlas/secret_role.py +47 -38
- pulumi_vault/mount.py +391 -51
- pulumi_vault/namespace.py +68 -83
- pulumi_vault/nomad_secret_backend.py +18 -13
- pulumi_vault/nomad_secret_role.py +14 -9
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +485 -39
- pulumi_vault/okta/auth_backend_group.py +14 -9
- pulumi_vault/okta/auth_backend_user.py +14 -9
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +20 -13
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
- pulumi_vault/pkisecret/get_backend_key.py +24 -9
- pulumi_vault/pkisecret/get_backend_keys.py +21 -8
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
- pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
- pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
- pulumi_vault/pkisecret/secret_backend_key.py +14 -9
- pulumi_vault/pkisecret/secret_backend_role.py +21 -14
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +14 -9
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +60 -6
- pulumi_vault/quota_rate_limit.py +56 -2
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +18 -13
- pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
- pulumi_vault/raft_autopilot.py +14 -9
- pulumi_vault/raft_snapshot_agent_config.py +129 -224
- pulumi_vault/rgp_policy.py +14 -9
- pulumi_vault/saml/auth_backend.py +22 -17
- pulumi_vault/saml/auth_backend_role.py +92 -197
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -71
- pulumi_vault/secrets/sync_aws_destination.py +242 -27
- pulumi_vault/secrets/sync_azure_destination.py +92 -31
- pulumi_vault/secrets/sync_config.py +9 -4
- pulumi_vault/secrets/sync_gcp_destination.py +158 -25
- pulumi_vault/secrets/sync_gh_destination.py +189 -13
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +74 -13
- pulumi_vault/ssh/_inputs.py +28 -28
- pulumi_vault/ssh/outputs.py +11 -28
- pulumi_vault/ssh/secret_backend_ca.py +108 -9
- pulumi_vault/ssh/secret_backend_role.py +85 -118
- pulumi_vault/terraformcloud/secret_backend.py +7 -54
- pulumi_vault/terraformcloud/secret_creds.py +14 -20
- pulumi_vault/terraformcloud/secret_role.py +16 -74
- pulumi_vault/token.py +28 -23
- pulumi_vault/tokenauth/auth_backend_role.py +78 -199
- pulumi_vault/transform/alphabet.py +16 -9
- pulumi_vault/transform/get_decode.py +45 -17
- pulumi_vault/transform/get_encode.py +45 -17
- pulumi_vault/transform/role.py +16 -9
- pulumi_vault/transform/template.py +30 -21
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -21
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +27 -93
- pulumi_vault/transit/secret_cache_config.py +12 -7
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
|
@@ -4,9 +4,14 @@
|
|
|
4
4
|
|
|
5
5
|
import copy
|
|
6
6
|
import warnings
|
|
7
|
+
import sys
|
|
7
8
|
import pulumi
|
|
8
9
|
import pulumi.runtime
|
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
|
11
|
+
if sys.version_info >= (3, 11):
|
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
|
13
|
+
else:
|
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
|
10
15
|
from .. import _utilities
|
|
11
16
|
|
|
12
17
|
__all__ = [
|
|
@@ -393,9 +398,6 @@ def get_auth_backend_role(backend: Optional[str] = None,
|
|
|
393
398
|
token_ttl=pulumi.get(__ret__, 'token_ttl'),
|
|
394
399
|
token_type=pulumi.get(__ret__, 'token_type'),
|
|
395
400
|
type=pulumi.get(__ret__, 'type'))
|
|
396
|
-
|
|
397
|
-
|
|
398
|
-
@_utilities.lift_output_func(get_auth_backend_role)
|
|
399
401
|
def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]] = None,
|
|
400
402
|
namespace: Optional[pulumi.Input[Optional[str]]] = None,
|
|
401
403
|
role_name: Optional[pulumi.Input[str]] = None,
|
|
@@ -408,7 +410,7 @@ def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]]
|
|
|
408
410
|
token_policies: Optional[pulumi.Input[Optional[Sequence[str]]]] = None,
|
|
409
411
|
token_ttl: Optional[pulumi.Input[Optional[int]]] = None,
|
|
410
412
|
token_type: Optional[pulumi.Input[Optional[str]]] = None,
|
|
411
|
-
opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
|
|
413
|
+
opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
|
|
412
414
|
"""
|
|
413
415
|
Reads a GCP auth role from a Vault server.
|
|
414
416
|
|
|
@@ -458,4 +460,40 @@ def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]]
|
|
|
458
460
|
`default-service` and `default-batch` which specify the type to return unless the client
|
|
459
461
|
requests a different type at generation time.
|
|
460
462
|
"""
|
|
461
|
-
|
|
463
|
+
__args__ = dict()
|
|
464
|
+
__args__['backend'] = backend
|
|
465
|
+
__args__['namespace'] = namespace
|
|
466
|
+
__args__['roleName'] = role_name
|
|
467
|
+
__args__['tokenBoundCidrs'] = token_bound_cidrs
|
|
468
|
+
__args__['tokenExplicitMaxTtl'] = token_explicit_max_ttl
|
|
469
|
+
__args__['tokenMaxTtl'] = token_max_ttl
|
|
470
|
+
__args__['tokenNoDefaultPolicy'] = token_no_default_policy
|
|
471
|
+
__args__['tokenNumUses'] = token_num_uses
|
|
472
|
+
__args__['tokenPeriod'] = token_period
|
|
473
|
+
__args__['tokenPolicies'] = token_policies
|
|
474
|
+
__args__['tokenTtl'] = token_ttl
|
|
475
|
+
__args__['tokenType'] = token_type
|
|
476
|
+
opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
|
477
|
+
__ret__ = pulumi.runtime.invoke_output('vault:gcp/getAuthBackendRole:getAuthBackendRole', __args__, opts=opts, typ=GetAuthBackendRoleResult)
|
|
478
|
+
return __ret__.apply(lambda __response__: GetAuthBackendRoleResult(
|
|
479
|
+
backend=pulumi.get(__response__, 'backend'),
|
|
480
|
+
bound_instance_groups=pulumi.get(__response__, 'bound_instance_groups'),
|
|
481
|
+
bound_labels=pulumi.get(__response__, 'bound_labels'),
|
|
482
|
+
bound_projects=pulumi.get(__response__, 'bound_projects'),
|
|
483
|
+
bound_regions=pulumi.get(__response__, 'bound_regions'),
|
|
484
|
+
bound_service_accounts=pulumi.get(__response__, 'bound_service_accounts'),
|
|
485
|
+
bound_zones=pulumi.get(__response__, 'bound_zones'),
|
|
486
|
+
id=pulumi.get(__response__, 'id'),
|
|
487
|
+
namespace=pulumi.get(__response__, 'namespace'),
|
|
488
|
+
role_id=pulumi.get(__response__, 'role_id'),
|
|
489
|
+
role_name=pulumi.get(__response__, 'role_name'),
|
|
490
|
+
token_bound_cidrs=pulumi.get(__response__, 'token_bound_cidrs'),
|
|
491
|
+
token_explicit_max_ttl=pulumi.get(__response__, 'token_explicit_max_ttl'),
|
|
492
|
+
token_max_ttl=pulumi.get(__response__, 'token_max_ttl'),
|
|
493
|
+
token_no_default_policy=pulumi.get(__response__, 'token_no_default_policy'),
|
|
494
|
+
token_num_uses=pulumi.get(__response__, 'token_num_uses'),
|
|
495
|
+
token_period=pulumi.get(__response__, 'token_period'),
|
|
496
|
+
token_policies=pulumi.get(__response__, 'token_policies'),
|
|
497
|
+
token_ttl=pulumi.get(__response__, 'token_ttl'),
|
|
498
|
+
token_type=pulumi.get(__response__, 'token_type'),
|
|
499
|
+
type=pulumi.get(__response__, 'type')))
|
pulumi_vault/gcp/outputs.py
CHANGED
|
@@ -4,9 +4,14 @@
|
|
|
4
4
|
|
|
5
5
|
import copy
|
|
6
6
|
import warnings
|
|
7
|
+
import sys
|
|
7
8
|
import pulumi
|
|
8
9
|
import pulumi.runtime
|
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
|
11
|
+
if sys.version_info >= (3, 11):
|
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
|
13
|
+
else:
|
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
|
10
15
|
from .. import _utilities
|
|
11
16
|
|
|
12
17
|
__all__ = [
|
|
@@ -4,9 +4,14 @@
|
|
|
4
4
|
|
|
5
5
|
import copy
|
|
6
6
|
import warnings
|
|
7
|
+
import sys
|
|
7
8
|
import pulumi
|
|
8
9
|
import pulumi.runtime
|
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
|
11
|
+
if sys.version_info >= (3, 11):
|
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
|
13
|
+
else:
|
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
|
10
15
|
from .. import _utilities
|
|
11
16
|
|
|
12
17
|
__all__ = ['SecretBackendArgs', 'SecretBackend']
|
|
@@ -18,10 +23,14 @@ class SecretBackendArgs:
|
|
|
18
23
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
19
24
|
description: Optional[pulumi.Input[str]] = None,
|
|
20
25
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
|
26
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
|
27
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
|
28
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
|
21
29
|
local: Optional[pulumi.Input[bool]] = None,
|
|
22
30
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
23
31
|
namespace: Optional[pulumi.Input[str]] = None,
|
|
24
|
-
path: Optional[pulumi.Input[str]] = None
|
|
32
|
+
path: Optional[pulumi.Input[str]] = None,
|
|
33
|
+
service_account_email: Optional[pulumi.Input[str]] = None):
|
|
25
34
|
"""
|
|
26
35
|
The set of arguments for constructing a SecretBackend resource.
|
|
27
36
|
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
|
@@ -30,15 +39,23 @@ class SecretBackendArgs:
|
|
|
30
39
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
|
31
40
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
|
32
41
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
|
42
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
|
43
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
|
44
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
45
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
|
46
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
47
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
|
33
48
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
|
34
49
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
|
35
50
|
for credentials issued by this backend. Defaults to '0'.
|
|
36
51
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
|
37
52
|
The value should not contain leading or trailing forward slashes.
|
|
38
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
|
53
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
39
54
|
*Available only for Vault Enterprise*.
|
|
40
55
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
|
41
56
|
not begin or end with a `/`. Defaults to `gcp`.
|
|
57
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
|
58
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
42
59
|
"""
|
|
43
60
|
if credentials is not None:
|
|
44
61
|
pulumi.set(__self__, "credentials", credentials)
|
|
@@ -48,6 +65,12 @@ class SecretBackendArgs:
|
|
|
48
65
|
pulumi.set(__self__, "description", description)
|
|
49
66
|
if disable_remount is not None:
|
|
50
67
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
|
68
|
+
if identity_token_audience is not None:
|
|
69
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
|
70
|
+
if identity_token_key is not None:
|
|
71
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
|
72
|
+
if identity_token_ttl is not None:
|
|
73
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
|
51
74
|
if local is not None:
|
|
52
75
|
pulumi.set(__self__, "local", local)
|
|
53
76
|
if max_lease_ttl_seconds is not None:
|
|
@@ -56,6 +79,8 @@ class SecretBackendArgs:
|
|
|
56
79
|
pulumi.set(__self__, "namespace", namespace)
|
|
57
80
|
if path is not None:
|
|
58
81
|
pulumi.set(__self__, "path", path)
|
|
82
|
+
if service_account_email is not None:
|
|
83
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
|
59
84
|
|
|
60
85
|
@property
|
|
61
86
|
@pulumi.getter
|
|
@@ -107,6 +132,45 @@ class SecretBackendArgs:
|
|
|
107
132
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
|
108
133
|
pulumi.set(self, "disable_remount", value)
|
|
109
134
|
|
|
135
|
+
@property
|
|
136
|
+
@pulumi.getter(name="identityTokenAudience")
|
|
137
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
|
138
|
+
"""
|
|
139
|
+
The audience claim value for plugin identity
|
|
140
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
|
141
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
142
|
+
"""
|
|
143
|
+
return pulumi.get(self, "identity_token_audience")
|
|
144
|
+
|
|
145
|
+
@identity_token_audience.setter
|
|
146
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
|
147
|
+
pulumi.set(self, "identity_token_audience", value)
|
|
148
|
+
|
|
149
|
+
@property
|
|
150
|
+
@pulumi.getter(name="identityTokenKey")
|
|
151
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
|
152
|
+
"""
|
|
153
|
+
The key to use for signing plugin identity
|
|
154
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
155
|
+
"""
|
|
156
|
+
return pulumi.get(self, "identity_token_key")
|
|
157
|
+
|
|
158
|
+
@identity_token_key.setter
|
|
159
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
|
160
|
+
pulumi.set(self, "identity_token_key", value)
|
|
161
|
+
|
|
162
|
+
@property
|
|
163
|
+
@pulumi.getter(name="identityTokenTtl")
|
|
164
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
|
165
|
+
"""
|
|
166
|
+
The TTL of generated tokens.
|
|
167
|
+
"""
|
|
168
|
+
return pulumi.get(self, "identity_token_ttl")
|
|
169
|
+
|
|
170
|
+
@identity_token_ttl.setter
|
|
171
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
|
172
|
+
pulumi.set(self, "identity_token_ttl", value)
|
|
173
|
+
|
|
110
174
|
@property
|
|
111
175
|
@pulumi.getter
|
|
112
176
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
|
@@ -138,7 +202,7 @@ class SecretBackendArgs:
|
|
|
138
202
|
"""
|
|
139
203
|
The namespace to provision the resource in.
|
|
140
204
|
The value should not contain leading or trailing forward slashes.
|
|
141
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
|
205
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
142
206
|
*Available only for Vault Enterprise*.
|
|
143
207
|
"""
|
|
144
208
|
return pulumi.get(self, "namespace")
|
|
@@ -160,36 +224,65 @@ class SecretBackendArgs:
|
|
|
160
224
|
def path(self, value: Optional[pulumi.Input[str]]):
|
|
161
225
|
pulumi.set(self, "path", value)
|
|
162
226
|
|
|
227
|
+
@property
|
|
228
|
+
@pulumi.getter(name="serviceAccountEmail")
|
|
229
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
|
230
|
+
"""
|
|
231
|
+
Service Account to impersonate for plugin workload identity federation.
|
|
232
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
233
|
+
"""
|
|
234
|
+
return pulumi.get(self, "service_account_email")
|
|
235
|
+
|
|
236
|
+
@service_account_email.setter
|
|
237
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
|
238
|
+
pulumi.set(self, "service_account_email", value)
|
|
239
|
+
|
|
163
240
|
|
|
164
241
|
@pulumi.input_type
|
|
165
242
|
class _SecretBackendState:
|
|
166
243
|
def __init__(__self__, *,
|
|
244
|
+
accessor: Optional[pulumi.Input[str]] = None,
|
|
167
245
|
credentials: Optional[pulumi.Input[str]] = None,
|
|
168
246
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
169
247
|
description: Optional[pulumi.Input[str]] = None,
|
|
170
248
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
|
249
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
|
250
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
|
251
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
|
171
252
|
local: Optional[pulumi.Input[bool]] = None,
|
|
172
253
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
173
254
|
namespace: Optional[pulumi.Input[str]] = None,
|
|
174
|
-
path: Optional[pulumi.Input[str]] = None
|
|
255
|
+
path: Optional[pulumi.Input[str]] = None,
|
|
256
|
+
service_account_email: Optional[pulumi.Input[str]] = None):
|
|
175
257
|
"""
|
|
176
258
|
Input properties used for looking up and filtering SecretBackend resources.
|
|
259
|
+
:param pulumi.Input[str] accessor: The accessor of the created GCP mount.
|
|
177
260
|
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
|
178
261
|
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
|
179
262
|
issued by this backend. Defaults to '0'.
|
|
180
263
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
|
181
264
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
|
182
265
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
|
266
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
|
267
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
|
268
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
269
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
|
270
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
271
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
|
183
272
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
|
184
273
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
|
185
274
|
for credentials issued by this backend. Defaults to '0'.
|
|
186
275
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
|
187
276
|
The value should not contain leading or trailing forward slashes.
|
|
188
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
|
277
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
189
278
|
*Available only for Vault Enterprise*.
|
|
190
279
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
|
191
280
|
not begin or end with a `/`. Defaults to `gcp`.
|
|
281
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
|
282
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
192
283
|
"""
|
|
284
|
+
if accessor is not None:
|
|
285
|
+
pulumi.set(__self__, "accessor", accessor)
|
|
193
286
|
if credentials is not None:
|
|
194
287
|
pulumi.set(__self__, "credentials", credentials)
|
|
195
288
|
if default_lease_ttl_seconds is not None:
|
|
@@ -198,6 +291,12 @@ class _SecretBackendState:
|
|
|
198
291
|
pulumi.set(__self__, "description", description)
|
|
199
292
|
if disable_remount is not None:
|
|
200
293
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
|
294
|
+
if identity_token_audience is not None:
|
|
295
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
|
296
|
+
if identity_token_key is not None:
|
|
297
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
|
298
|
+
if identity_token_ttl is not None:
|
|
299
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
|
201
300
|
if local is not None:
|
|
202
301
|
pulumi.set(__self__, "local", local)
|
|
203
302
|
if max_lease_ttl_seconds is not None:
|
|
@@ -206,6 +305,20 @@ class _SecretBackendState:
|
|
|
206
305
|
pulumi.set(__self__, "namespace", namespace)
|
|
207
306
|
if path is not None:
|
|
208
307
|
pulumi.set(__self__, "path", path)
|
|
308
|
+
if service_account_email is not None:
|
|
309
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
|
310
|
+
|
|
311
|
+
@property
|
|
312
|
+
@pulumi.getter
|
|
313
|
+
def accessor(self) -> Optional[pulumi.Input[str]]:
|
|
314
|
+
"""
|
|
315
|
+
The accessor of the created GCP mount.
|
|
316
|
+
"""
|
|
317
|
+
return pulumi.get(self, "accessor")
|
|
318
|
+
|
|
319
|
+
@accessor.setter
|
|
320
|
+
def accessor(self, value: Optional[pulumi.Input[str]]):
|
|
321
|
+
pulumi.set(self, "accessor", value)
|
|
209
322
|
|
|
210
323
|
@property
|
|
211
324
|
@pulumi.getter
|
|
@@ -257,6 +370,45 @@ class _SecretBackendState:
|
|
|
257
370
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
|
258
371
|
pulumi.set(self, "disable_remount", value)
|
|
259
372
|
|
|
373
|
+
@property
|
|
374
|
+
@pulumi.getter(name="identityTokenAudience")
|
|
375
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
|
376
|
+
"""
|
|
377
|
+
The audience claim value for plugin identity
|
|
378
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
|
379
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
380
|
+
"""
|
|
381
|
+
return pulumi.get(self, "identity_token_audience")
|
|
382
|
+
|
|
383
|
+
@identity_token_audience.setter
|
|
384
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
|
385
|
+
pulumi.set(self, "identity_token_audience", value)
|
|
386
|
+
|
|
387
|
+
@property
|
|
388
|
+
@pulumi.getter(name="identityTokenKey")
|
|
389
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
|
390
|
+
"""
|
|
391
|
+
The key to use for signing plugin identity
|
|
392
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
393
|
+
"""
|
|
394
|
+
return pulumi.get(self, "identity_token_key")
|
|
395
|
+
|
|
396
|
+
@identity_token_key.setter
|
|
397
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
|
398
|
+
pulumi.set(self, "identity_token_key", value)
|
|
399
|
+
|
|
400
|
+
@property
|
|
401
|
+
@pulumi.getter(name="identityTokenTtl")
|
|
402
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
|
403
|
+
"""
|
|
404
|
+
The TTL of generated tokens.
|
|
405
|
+
"""
|
|
406
|
+
return pulumi.get(self, "identity_token_ttl")
|
|
407
|
+
|
|
408
|
+
@identity_token_ttl.setter
|
|
409
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
|
410
|
+
pulumi.set(self, "identity_token_ttl", value)
|
|
411
|
+
|
|
260
412
|
@property
|
|
261
413
|
@pulumi.getter
|
|
262
414
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
|
@@ -288,7 +440,7 @@ class _SecretBackendState:
|
|
|
288
440
|
"""
|
|
289
441
|
The namespace to provision the resource in.
|
|
290
442
|
The value should not contain leading or trailing forward slashes.
|
|
291
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
|
443
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
292
444
|
*Available only for Vault Enterprise*.
|
|
293
445
|
"""
|
|
294
446
|
return pulumi.get(self, "namespace")
|
|
@@ -310,6 +462,19 @@ class _SecretBackendState:
|
|
|
310
462
|
def path(self, value: Optional[pulumi.Input[str]]):
|
|
311
463
|
pulumi.set(self, "path", value)
|
|
312
464
|
|
|
465
|
+
@property
|
|
466
|
+
@pulumi.getter(name="serviceAccountEmail")
|
|
467
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
|
468
|
+
"""
|
|
469
|
+
Service Account to impersonate for plugin workload identity federation.
|
|
470
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
471
|
+
"""
|
|
472
|
+
return pulumi.get(self, "service_account_email")
|
|
473
|
+
|
|
474
|
+
@service_account_email.setter
|
|
475
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
|
476
|
+
pulumi.set(self, "service_account_email", value)
|
|
477
|
+
|
|
313
478
|
|
|
314
479
|
class SecretBackend(pulumi.CustomResource):
|
|
315
480
|
@overload
|
|
@@ -320,19 +485,36 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
320
485
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
321
486
|
description: Optional[pulumi.Input[str]] = None,
|
|
322
487
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
|
488
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
|
489
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
|
490
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
|
323
491
|
local: Optional[pulumi.Input[bool]] = None,
|
|
324
492
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
325
493
|
namespace: Optional[pulumi.Input[str]] = None,
|
|
326
494
|
path: Optional[pulumi.Input[str]] = None,
|
|
495
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
|
327
496
|
__props__=None):
|
|
328
497
|
"""
|
|
329
498
|
## Example Usage
|
|
330
499
|
|
|
500
|
+
You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
|
501
|
+
```python
|
|
502
|
+
import pulumi
|
|
503
|
+
import pulumi_vault as vault
|
|
504
|
+
|
|
505
|
+
gcp = vault.gcp.SecretBackend("gcp",
|
|
506
|
+
identity_token_key="example-key",
|
|
507
|
+
identity_token_ttl=1800,
|
|
508
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
|
509
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
|
510
|
+
```
|
|
511
|
+
|
|
331
512
|
```python
|
|
332
513
|
import pulumi
|
|
514
|
+
import pulumi_std as std
|
|
333
515
|
import pulumi_vault as vault
|
|
334
516
|
|
|
335
|
-
gcp = vault.gcp.SecretBackend("gcp", credentials=
|
|
517
|
+
gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
|
|
336
518
|
```
|
|
337
519
|
|
|
338
520
|
:param str resource_name: The name of the resource.
|
|
@@ -343,15 +525,23 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
343
525
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
|
344
526
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
|
345
527
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
|
528
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
|
529
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
|
530
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
531
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
|
532
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
533
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
|
346
534
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
|
347
535
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
|
348
536
|
for credentials issued by this backend. Defaults to '0'.
|
|
349
537
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
|
350
538
|
The value should not contain leading or trailing forward slashes.
|
|
351
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
|
539
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
352
540
|
*Available only for Vault Enterprise*.
|
|
353
541
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
|
354
542
|
not begin or end with a `/`. Defaults to `gcp`.
|
|
543
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
|
544
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
355
545
|
"""
|
|
356
546
|
...
|
|
357
547
|
@overload
|
|
@@ -362,11 +552,24 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
362
552
|
"""
|
|
363
553
|
## Example Usage
|
|
364
554
|
|
|
555
|
+
You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
|
556
|
+
```python
|
|
557
|
+
import pulumi
|
|
558
|
+
import pulumi_vault as vault
|
|
559
|
+
|
|
560
|
+
gcp = vault.gcp.SecretBackend("gcp",
|
|
561
|
+
identity_token_key="example-key",
|
|
562
|
+
identity_token_ttl=1800,
|
|
563
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
|
564
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
|
565
|
+
```
|
|
566
|
+
|
|
365
567
|
```python
|
|
366
568
|
import pulumi
|
|
569
|
+
import pulumi_std as std
|
|
367
570
|
import pulumi_vault as vault
|
|
368
571
|
|
|
369
|
-
gcp = vault.gcp.SecretBackend("gcp", credentials=
|
|
572
|
+
gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
|
|
370
573
|
```
|
|
371
574
|
|
|
372
575
|
:param str resource_name: The name of the resource.
|
|
@@ -388,10 +591,14 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
388
591
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
389
592
|
description: Optional[pulumi.Input[str]] = None,
|
|
390
593
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
|
594
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
|
595
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
|
596
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
|
391
597
|
local: Optional[pulumi.Input[bool]] = None,
|
|
392
598
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
393
599
|
namespace: Optional[pulumi.Input[str]] = None,
|
|
394
600
|
path: Optional[pulumi.Input[str]] = None,
|
|
601
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
|
395
602
|
__props__=None):
|
|
396
603
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
|
397
604
|
if not isinstance(opts, pulumi.ResourceOptions):
|
|
@@ -405,10 +612,15 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
405
612
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
|
406
613
|
__props__.__dict__["description"] = description
|
|
407
614
|
__props__.__dict__["disable_remount"] = disable_remount
|
|
615
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
|
616
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
|
617
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
|
408
618
|
__props__.__dict__["local"] = local
|
|
409
619
|
__props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
|
|
410
620
|
__props__.__dict__["namespace"] = namespace
|
|
411
621
|
__props__.__dict__["path"] = path
|
|
622
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
|
623
|
+
__props__.__dict__["accessor"] = None
|
|
412
624
|
secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
|
|
413
625
|
opts = pulumi.ResourceOptions.merge(opts, secret_opts)
|
|
414
626
|
super(SecretBackend, __self__).__init__(
|
|
@@ -421,14 +633,19 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
421
633
|
def get(resource_name: str,
|
|
422
634
|
id: pulumi.Input[str],
|
|
423
635
|
opts: Optional[pulumi.ResourceOptions] = None,
|
|
636
|
+
accessor: Optional[pulumi.Input[str]] = None,
|
|
424
637
|
credentials: Optional[pulumi.Input[str]] = None,
|
|
425
638
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
426
639
|
description: Optional[pulumi.Input[str]] = None,
|
|
427
640
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
|
641
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
|
642
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
|
643
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
|
428
644
|
local: Optional[pulumi.Input[bool]] = None,
|
|
429
645
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
|
430
646
|
namespace: Optional[pulumi.Input[str]] = None,
|
|
431
|
-
path: Optional[pulumi.Input[str]] = None
|
|
647
|
+
path: Optional[pulumi.Input[str]] = None,
|
|
648
|
+
service_account_email: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
|
|
432
649
|
"""
|
|
433
650
|
Get an existing SecretBackend resource's state with the given name, id, and optional extra
|
|
434
651
|
properties used to qualify the lookup.
|
|
@@ -436,36 +653,58 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
436
653
|
:param str resource_name: The unique name of the resulting resource.
|
|
437
654
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
|
438
655
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
|
656
|
+
:param pulumi.Input[str] accessor: The accessor of the created GCP mount.
|
|
439
657
|
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
|
440
658
|
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
|
441
659
|
issued by this backend. Defaults to '0'.
|
|
442
660
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
|
443
661
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
|
444
662
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
|
663
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
|
664
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
|
665
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
666
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
|
667
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
668
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
|
445
669
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
|
446
670
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
|
447
671
|
for credentials issued by this backend. Defaults to '0'.
|
|
448
672
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
|
449
673
|
The value should not contain leading or trailing forward slashes.
|
|
450
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
|
674
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
451
675
|
*Available only for Vault Enterprise*.
|
|
452
676
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
|
453
677
|
not begin or end with a `/`. Defaults to `gcp`.
|
|
678
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
|
679
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
454
680
|
"""
|
|
455
681
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
|
456
682
|
|
|
457
683
|
__props__ = _SecretBackendState.__new__(_SecretBackendState)
|
|
458
684
|
|
|
685
|
+
__props__.__dict__["accessor"] = accessor
|
|
459
686
|
__props__.__dict__["credentials"] = credentials
|
|
460
687
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
|
461
688
|
__props__.__dict__["description"] = description
|
|
462
689
|
__props__.__dict__["disable_remount"] = disable_remount
|
|
690
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
|
691
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
|
692
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
|
463
693
|
__props__.__dict__["local"] = local
|
|
464
694
|
__props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
|
|
465
695
|
__props__.__dict__["namespace"] = namespace
|
|
466
696
|
__props__.__dict__["path"] = path
|
|
697
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
|
467
698
|
return SecretBackend(resource_name, opts=opts, __props__=__props__)
|
|
468
699
|
|
|
700
|
+
@property
|
|
701
|
+
@pulumi.getter
|
|
702
|
+
def accessor(self) -> pulumi.Output[str]:
|
|
703
|
+
"""
|
|
704
|
+
The accessor of the created GCP mount.
|
|
705
|
+
"""
|
|
706
|
+
return pulumi.get(self, "accessor")
|
|
707
|
+
|
|
469
708
|
@property
|
|
470
709
|
@pulumi.getter
|
|
471
710
|
def credentials(self) -> pulumi.Output[Optional[str]]:
|
|
@@ -500,6 +739,33 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
500
739
|
"""
|
|
501
740
|
return pulumi.get(self, "disable_remount")
|
|
502
741
|
|
|
742
|
+
@property
|
|
743
|
+
@pulumi.getter(name="identityTokenAudience")
|
|
744
|
+
def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
|
|
745
|
+
"""
|
|
746
|
+
The audience claim value for plugin identity
|
|
747
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
|
748
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
749
|
+
"""
|
|
750
|
+
return pulumi.get(self, "identity_token_audience")
|
|
751
|
+
|
|
752
|
+
@property
|
|
753
|
+
@pulumi.getter(name="identityTokenKey")
|
|
754
|
+
def identity_token_key(self) -> pulumi.Output[Optional[str]]:
|
|
755
|
+
"""
|
|
756
|
+
The key to use for signing plugin identity
|
|
757
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
758
|
+
"""
|
|
759
|
+
return pulumi.get(self, "identity_token_key")
|
|
760
|
+
|
|
761
|
+
@property
|
|
762
|
+
@pulumi.getter(name="identityTokenTtl")
|
|
763
|
+
def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
|
|
764
|
+
"""
|
|
765
|
+
The TTL of generated tokens.
|
|
766
|
+
"""
|
|
767
|
+
return pulumi.get(self, "identity_token_ttl")
|
|
768
|
+
|
|
503
769
|
@property
|
|
504
770
|
@pulumi.getter
|
|
505
771
|
def local(self) -> pulumi.Output[Optional[bool]]:
|
|
@@ -523,7 +789,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
523
789
|
"""
|
|
524
790
|
The namespace to provision the resource in.
|
|
525
791
|
The value should not contain leading or trailing forward slashes.
|
|
526
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
|
792
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
527
793
|
*Available only for Vault Enterprise*.
|
|
528
794
|
"""
|
|
529
795
|
return pulumi.get(self, "namespace")
|
|
@@ -537,3 +803,12 @@ class SecretBackend(pulumi.CustomResource):
|
|
|
537
803
|
"""
|
|
538
804
|
return pulumi.get(self, "path")
|
|
539
805
|
|
|
806
|
+
@property
|
|
807
|
+
@pulumi.getter(name="serviceAccountEmail")
|
|
808
|
+
def service_account_email(self) -> pulumi.Output[Optional[str]]:
|
|
809
|
+
"""
|
|
810
|
+
Service Account to impersonate for plugin workload identity federation.
|
|
811
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
|
812
|
+
"""
|
|
813
|
+
return pulumi.get(self, "service_account_email")
|
|
814
|
+
|