pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

pulumi_vault/kubernetes/secret_backend_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
@@ -14,8 +19,9 @@ __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
 @pulumi.input_type
 class SecretBackendRoleArgs:
     def __init__(__self__, *,
-                 allowed_kubernetes_namespaces: pulumi.Input[Sequence[pulumi.Input[str]]],
                  backend: pulumi.Input[str],
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
+                 allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  extra_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  generated_role_rules: Optional[pulumi.Input[str]] = None,
@@ -29,10 +35,15 @@ class SecretBackendRoleArgs:
                  token_max_ttl: Optional[pulumi.Input[int]] = None):
         """
         The set of arguments for constructing a SecretBackendRole resource.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
                Kubernetes objects.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_labels: Additional labels to apply to all generated Kubernetes 
@@ -54,7 +65,7 @@ class SecretBackendRoleArgs:
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -62,8 +73,11 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[int] token_default_ttl: The default TTL for generated Kubernetes tokens in seconds.
         :param pulumi.Input[int] token_max_ttl: The maximum TTL for generated Kubernetes tokens in seconds.
         """
-        pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         pulumi.set(__self__, "backend", backend)
+        if allowed_kubernetes_namespace_selector is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespace_selector", allowed_kubernetes_namespace_selector)
+        if allowed_kubernetes_namespaces is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         if extra_annotations is not None:
             pulumi.set(__self__, "extra_annotations", extra_annotations)
         if extra_labels is not None:
@@ -87,19 +101,6 @@ class SecretBackendRoleArgs:
         if token_max_ttl is not None:
             pulumi.set(__self__, "token_max_ttl", token_max_ttl)
 
-    @property
-    @pulumi.getter(name="allowedKubernetesNamespaces")
-    def allowed_kubernetes_namespaces(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
-        """
-        The list of Kubernetes namespaces this role 
-        can generate credentials for. If set to `*` all namespaces are allowed.
-        """
-        return pulumi.get(self, "allowed_kubernetes_namespaces")
-
-    @allowed_kubernetes_namespaces.setter
-    def allowed_kubernetes_namespaces(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
-        pulumi.set(self, "allowed_kubernetes_namespaces", value)
-
     @property
     @pulumi.getter
     def backend(self) -> pulumi.Input[str]:
@@ -113,6 +114,35 @@ class SecretBackendRoleArgs:
     def backend(self, value: pulumi.Input[str]):
         pulumi.set(self, "backend", value)
 
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> Optional[pulumi.Input[str]]:
+        """
+        A label selector for Kubernetes namespaces 
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+
+    @allowed_kubernetes_namespace_selector.setter
+    def allowed_kubernetes_namespace_selector(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "allowed_kubernetes_namespace_selector", value)
+
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaces")
+    def allowed_kubernetes_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        The list of Kubernetes namespaces this role 
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespaces")
+
+    @allowed_kubernetes_namespaces.setter
+    def allowed_kubernetes_namespaces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "allowed_kubernetes_namespaces", value)
+
     @property
     @pulumi.getter(name="extraAnnotations")
     def extra_annotations(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
@@ -215,7 +245,7 @@ class SecretBackendRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -266,6 +296,7 @@ class SecretBackendRoleArgs:
 @pulumi.input_type
 class _SecretBackendRoleState:
     def __init__(__self__, *,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -281,8 +312,13 @@ class _SecretBackendRoleState:
                  token_max_ttl: Optional[pulumi.Input[int]] = None):
         """
         Input properties used for looking up and filtering SecretBackendRole resources.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
@@ -306,7 +342,7 @@ class _SecretBackendRoleState:
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -314,6 +350,8 @@ class _SecretBackendRoleState:
         :param pulumi.Input[int] token_default_ttl: The default TTL for generated Kubernetes tokens in seconds.
         :param pulumi.Input[int] token_max_ttl: The maximum TTL for generated Kubernetes tokens in seconds.
         """
+        if allowed_kubernetes_namespace_selector is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespace_selector", allowed_kubernetes_namespace_selector)
         if allowed_kubernetes_namespaces is not None:
             pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         if backend is not None:
@@ -341,12 +379,28 @@ class _SecretBackendRoleState:
         if token_max_ttl is not None:
             pulumi.set(__self__, "token_max_ttl", token_max_ttl)
 
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> Optional[pulumi.Input[str]]:
+        """
+        A label selector for Kubernetes namespaces 
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+
+    @allowed_kubernetes_namespace_selector.setter
+    def allowed_kubernetes_namespace_selector(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "allowed_kubernetes_namespace_selector", value)
+
     @property
     @pulumi.getter(name="allowedKubernetesNamespaces")
     def allowed_kubernetes_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
         The list of Kubernetes namespaces this role 
-        can generate credentials for. If set to `*` all namespaces are allowed.
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         """
         return pulumi.get(self, "allowed_kubernetes_namespaces")
 
@@ -469,7 +523,7 @@ class _SecretBackendRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -522,6 +576,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -543,17 +598,19 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
 
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         sa_example = vault.kubernetes.SecretBackendRole("sa-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -572,17 +629,19 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
 
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         name_example = vault.kubernetes.SecretBackendRole("name-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -601,17 +660,19 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
 
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         rules_example = vault.kubernetes.SecretBackendRole("rules-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -635,7 +696,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
         The Kubernetes secret backend role can be imported using the full path to the role
 
-         of the form: `<backend_path>/roles/<role_name>` e.g.
+        of the form: `<backend_path>/roles/<role_name>` e.g.
 
         ```sh
         $ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
@@ -643,8 +704,13 @@ class SecretBackendRole(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
@@ -668,7 +734,7 @@ class SecretBackendRole(pulumi.CustomResource):
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -689,17 +755,19 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
 
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         sa_example = vault.kubernetes.SecretBackendRole("sa-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -718,17 +786,19 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
 
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         name_example = vault.kubernetes.SecretBackendRole("name-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -747,17 +817,19 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
 
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         rules_example = vault.kubernetes.SecretBackendRole("rules-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -781,7 +853,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
         The Kubernetes secret backend role can be imported using the full path to the role
 
-         of the form: `<backend_path>/roles/<role_name>` e.g.
+        of the form: `<backend_path>/roles/<role_name>` e.g.
 
         ```sh
         $ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
@@ -802,6 +874,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -824,8 +897,7 @@ class SecretBackendRole(pulumi.CustomResource):
                 raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
             __props__ = SecretBackendRoleArgs.__new__(SecretBackendRoleArgs)
 
-            if allowed_kubernetes_namespaces is None and not opts.urn:
-                raise TypeError("Missing required property 'allowed_kubernetes_namespaces'")
+            __props__.__dict__["allowed_kubernetes_namespace_selector"] = allowed_kubernetes_namespace_selector
             __props__.__dict__["allowed_kubernetes_namespaces"] = allowed_kubernetes_namespaces
             if backend is None and not opts.urn:
                 raise TypeError("Missing required property 'backend'")
@@ -851,6 +923,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
+            allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
             allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -871,8 +944,13 @@ class SecretBackendRole(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
@@ -896,7 +974,7 @@ class SecretBackendRole(pulumi.CustomResource):
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -908,6 +986,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
         __props__ = _SecretBackendRoleState.__new__(_SecretBackendRoleState)
 
+        __props__.__dict__["allowed_kubernetes_namespace_selector"] = allowed_kubernetes_namespace_selector
         __props__.__dict__["allowed_kubernetes_namespaces"] = allowed_kubernetes_namespaces
         __props__.__dict__["backend"] = backend
         __props__.__dict__["extra_annotations"] = extra_annotations
@@ -923,12 +1002,24 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["token_max_ttl"] = token_max_ttl
         return SecretBackendRole(resource_name, opts=opts, __props__=__props__)
 
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> pulumi.Output[Optional[str]]:
+        """
+        A label selector for Kubernetes namespaces 
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+
     @property
     @pulumi.getter(name="allowedKubernetesNamespaces")
-    def allowed_kubernetes_namespaces(self) -> pulumi.Output[Sequence[str]]:
+    def allowed_kubernetes_namespaces(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
         The list of Kubernetes namespaces this role 
-        can generate credentials for. If set to `*` all namespaces are allowed.
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         """
         return pulumi.get(self, "allowed_kubernetes_namespaces")
 
@@ -1015,7 +1106,7 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kv/_inputs.py

@@ -4,25 +4,57 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = [
     'SecretV2CustomMetadataArgs',
+    'SecretV2CustomMetadataArgsDict',
 ]
 
+MYPY = False
+
+if not MYPY:
+    class SecretV2CustomMetadataArgsDict(TypedDict):
+        cas_required: NotRequired[pulumi.Input[bool]]
+        """
+        If true, all keys will require the cas parameter to be set on all write requests.
+        """
+        data: NotRequired[pulumi.Input[Mapping[str, pulumi.Input[str]]]]
+        """
+        A mapping whose keys are the top-level data keys returned from
+        Vault and whose values are the corresponding values. This map can only
+        represent string data, so any non-string values returned from Vault are
+        serialized as JSON.
+        """
+        delete_version_after: NotRequired[pulumi.Input[int]]
+        """
+        If set, specifies the length of time before a version is deleted.
+        """
+        max_versions: NotRequired[pulumi.Input[int]]
+        """
+        The number of versions to keep per key.
+        """
+elif False:
+    SecretV2CustomMetadataArgsDict: TypeAlias = Mapping[str, Any]
+
 @pulumi.input_type
 class SecretV2CustomMetadataArgs:
     def __init__(__self__, *,
                  cas_required: Optional[pulumi.Input[bool]] = None,
-                 data: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 data: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  delete_version_after: Optional[pulumi.Input[int]] = None,
                  max_versions: Optional[pulumi.Input[int]] = None):
         """
         :param pulumi.Input[bool] cas_required: If true, all keys will require the cas parameter to be set on all write requests.
-        :param pulumi.Input[Mapping[str, Any]] data: A mapping whose keys are the top-level data keys returned from
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] data: A mapping whose keys are the top-level data keys returned from
                Vault and whose values are the corresponding values. This map can only
                represent string data, so any non-string values returned from Vault are
                serialized as JSON.
@@ -52,7 +84,7 @@ class SecretV2CustomMetadataArgs:
 
     @property
     @pulumi.getter
-    def data(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def data(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         A mapping whose keys are the top-level data keys returned from
         Vault and whose values are the corresponding values. This map can only
@@ -62,7 +94,7 @@ class SecretV2CustomMetadataArgs:
         return pulumi.get(self, "data")
 
     @data.setter
-    def data(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def data(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "data", value)
 
     @property

pulumi_vault/kv/get_secret.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = [
@@ -49,7 +54,7 @@ class GetSecretResult:
 
     @property
     @pulumi.getter
-    def data(self) -> Mapping[str, Any]:
+    def data(self) -> Mapping[str, str]:
         """
         A mapping whose keys are the top-level data keys returned from
         Vault and whose values are the corresponding values. This map can only
@@ -154,6 +159,7 @@ def get_secret(namespace: Optional[str] = None,
         }))
     secret_data = vault.kv.get_secret_output(path=secret.path)
     ```
+
     ## Required Vault Capabilities
 
     Use of this resource requires the `read` capability on the given path.
@@ -161,7 +167,7 @@ def get_secret(namespace: Optional[str] = None,
 
     :param str namespace: The namespace of the target resource.
            The value should not contain leading or trailing forward slashes.
-           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
            *Available only for Vault Enterprise*.
     :param str path: Full path of the KV-V1 secret.
     """
@@ -180,12 +186,9 @@ def get_secret(namespace: Optional[str] = None,
         lease_renewable=pulumi.get(__ret__, 'lease_renewable'),
         namespace=pulumi.get(__ret__, 'namespace'),
         path=pulumi.get(__ret__, 'path'))
-
-
-@_utilities.lift_output_func(get_secret)
 def get_secret_output(namespace: Optional[pulumi.Input[Optional[str]]] = None,
                       path: Optional[pulumi.Input[str]] = None,
-                      opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetSecretResult]:
+                      opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetSecretResult]:
     """
     ## Example Usage
 
@@ -209,6 +212,7 @@ def get_secret_output(namespace: Optional[pulumi.Input[Optional[str]]] = None,
         }))
     secret_data = vault.kv.get_secret_output(path=secret.path)
     ```
+
     ## Required Vault Capabilities
 
     Use of this resource requires the `read` capability on the given path.
@@ -216,8 +220,21 @@ def get_secret_output(namespace: Optional[pulumi.Input[Optional[str]]] = None,
 
     :param str namespace: The namespace of the target resource.
            The value should not contain leading or trailing forward slashes.
-           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
            *Available only for Vault Enterprise*.
     :param str path: Full path of the KV-V1 secret.
     """
-    ...
+    __args__ = dict()
+    __args__['namespace'] = namespace
+    __args__['path'] = path
+    opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke_output('vault:kv/getSecret:getSecret', __args__, opts=opts, typ=GetSecretResult)
+    return __ret__.apply(lambda __response__: GetSecretResult(
+        data=pulumi.get(__response__, 'data'),
+        data_json=pulumi.get(__response__, 'data_json'),
+        id=pulumi.get(__response__, 'id'),
+        lease_duration=pulumi.get(__response__, 'lease_duration'),
+        lease_id=pulumi.get(__response__, 'lease_id'),
+        lease_renewable=pulumi.get(__response__, 'lease_renewable'),
+        namespace=pulumi.get(__response__, 'namespace'),
+        path=pulumi.get(__response__, 'path')))