PyPI - pulumi-vault - Versions diffs - 5.21.0a1710160723__py3-none-any.whl → 6.5.0__py3-none-any.whl - Mend

pulumi-vault 5.21.0a1710160723py3-none-any.whl → 6.5.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (233) hide show

pulumi_vault/__init__.py +76 -0
pulumi_vault/_inputs.py +560 -0
pulumi_vault/_utilities.py +41 -5
pulumi_vault/ad/get_access_credentials.py +22 -7
pulumi_vault/ad/secret_backend.py +14 -144
pulumi_vault/ad/secret_library.py +14 -11
pulumi_vault/ad/secret_role.py +12 -11
pulumi_vault/alicloud/auth_backend_role.py +74 -192
pulumi_vault/approle/auth_backend_login.py +12 -11
pulumi_vault/approle/auth_backend_role.py +75 -193
pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
pulumi_vault/audit.py +24 -27
pulumi_vault/audit_request_header.py +11 -6
pulumi_vault/auth_backend.py +64 -12
pulumi_vault/aws/auth_backend_cert.py +12 -7
pulumi_vault/aws/auth_backend_client.py +265 -24
pulumi_vault/aws/auth_backend_config_identity.py +12 -11
pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
pulumi_vault/aws/auth_backend_login.py +19 -22
pulumi_vault/aws/auth_backend_role.py +75 -193
pulumi_vault/aws/auth_backend_role_tag.py +12 -7
pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
pulumi_vault/aws/auth_backend_sts_role.py +59 -11
pulumi_vault/aws/get_access_credentials.py +34 -7
pulumi_vault/aws/get_static_access_credentials.py +19 -5
pulumi_vault/aws/secret_backend.py +216 -7
pulumi_vault/aws/secret_backend_role.py +183 -11
pulumi_vault/aws/secret_backend_static_role.py +14 -11
pulumi_vault/azure/_inputs.py +24 -0
pulumi_vault/azure/auth_backend_config.py +151 -17
pulumi_vault/azure/auth_backend_role.py +75 -193
pulumi_vault/azure/backend.py +223 -29
pulumi_vault/azure/backend_role.py +42 -41
pulumi_vault/azure/get_access_credentials.py +39 -11
pulumi_vault/azure/outputs.py +5 -0
pulumi_vault/cert_auth_backend_role.py +87 -271
pulumi_vault/config/__init__.pyi +5 -0
pulumi_vault/config/_inputs.py +73 -0
pulumi_vault/config/outputs.py +35 -0
pulumi_vault/config/ui_custom_message.py +529 -0
pulumi_vault/config/vars.py +5 -0
pulumi_vault/consul/secret_backend.py +22 -25
pulumi_vault/consul/secret_backend_role.py +14 -80
pulumi_vault/database/_inputs.py +2808 -879
pulumi_vault/database/outputs.py +749 -838
pulumi_vault/database/secret_backend_connection.py +117 -114
pulumi_vault/database/secret_backend_role.py +29 -24
pulumi_vault/database/secret_backend_static_role.py +85 -15
pulumi_vault/database/secrets_mount.py +425 -138
pulumi_vault/egp_policy.py +16 -15
pulumi_vault/gcp/_inputs.py +111 -0
pulumi_vault/gcp/auth_backend.py +248 -35
pulumi_vault/gcp/auth_backend_role.py +75 -271
pulumi_vault/gcp/get_auth_backend_role.py +43 -9
pulumi_vault/gcp/outputs.py +5 -0
pulumi_vault/gcp/secret_backend.py +287 -16
pulumi_vault/gcp/secret_impersonated_account.py +74 -17
pulumi_vault/gcp/secret_roleset.py +29 -26
pulumi_vault/gcp/secret_static_account.py +37 -34
pulumi_vault/generic/endpoint.py +22 -21
pulumi_vault/generic/get_secret.py +68 -12
pulumi_vault/generic/secret.py +19 -14
pulumi_vault/get_auth_backend.py +24 -11
pulumi_vault/get_auth_backends.py +33 -11
pulumi_vault/get_namespace.py +226 -0
pulumi_vault/get_namespaces.py +153 -0
pulumi_vault/get_nomad_access_token.py +31 -15
pulumi_vault/get_policy_document.py +34 -23
pulumi_vault/get_raft_autopilot_state.py +29 -14
pulumi_vault/github/_inputs.py +55 -0
pulumi_vault/github/auth_backend.py +17 -16
pulumi_vault/github/outputs.py +5 -0
pulumi_vault/github/team.py +14 -13
pulumi_vault/github/user.py +14 -13
pulumi_vault/identity/entity.py +18 -15
pulumi_vault/identity/entity_alias.py +18 -15
pulumi_vault/identity/entity_policies.py +24 -19
pulumi_vault/identity/get_entity.py +40 -14
pulumi_vault/identity/get_group.py +45 -13
pulumi_vault/identity/get_oidc_client_creds.py +21 -11
pulumi_vault/identity/get_oidc_openid_config.py +39 -13
pulumi_vault/identity/get_oidc_public_keys.py +29 -14
pulumi_vault/identity/group.py +50 -49
pulumi_vault/identity/group_alias.py +14 -11
pulumi_vault/identity/group_member_entity_ids.py +24 -74
pulumi_vault/identity/group_member_group_ids.py +36 -27
pulumi_vault/identity/group_policies.py +16 -15
pulumi_vault/identity/mfa_duo.py +9 -8
pulumi_vault/identity/mfa_login_enforcement.py +13 -8
pulumi_vault/identity/mfa_okta.py +9 -8
pulumi_vault/identity/mfa_pingid.py +5 -4
pulumi_vault/identity/mfa_totp.py +5 -4
pulumi_vault/identity/oidc.py +12 -11
pulumi_vault/identity/oidc_assignment.py +22 -13
pulumi_vault/identity/oidc_client.py +34 -25
pulumi_vault/identity/oidc_key.py +28 -19
pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
pulumi_vault/identity/oidc_provider.py +34 -23
pulumi_vault/identity/oidc_role.py +40 -27
pulumi_vault/identity/oidc_scope.py +18 -15
pulumi_vault/identity/outputs.py +8 -3
pulumi_vault/jwt/_inputs.py +55 -0
pulumi_vault/jwt/auth_backend.py +39 -46
pulumi_vault/jwt/auth_backend_role.py +131 -260
pulumi_vault/jwt/outputs.py +5 -0
pulumi_vault/kmip/secret_backend.py +22 -21
pulumi_vault/kmip/secret_role.py +12 -11
pulumi_vault/kmip/secret_scope.py +12 -11
pulumi_vault/kubernetes/auth_backend_config.py +55 -7
pulumi_vault/kubernetes/auth_backend_role.py +68 -179
pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
pulumi_vault/kubernetes/get_service_account_token.py +39 -15
pulumi_vault/kubernetes/secret_backend.py +314 -29
pulumi_vault/kubernetes/secret_backend_role.py +135 -56
pulumi_vault/kv/_inputs.py +36 -4
pulumi_vault/kv/get_secret.py +23 -12
pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
pulumi_vault/kv/get_secret_v2.py +89 -9
pulumi_vault/kv/get_secrets_list.py +22 -15
pulumi_vault/kv/get_secrets_list_v2.py +35 -19
pulumi_vault/kv/outputs.py +8 -3
pulumi_vault/kv/secret.py +19 -18
pulumi_vault/kv/secret_backend_v2.py +12 -11
pulumi_vault/kv/secret_v2.py +55 -52
pulumi_vault/ldap/auth_backend.py +125 -168
pulumi_vault/ldap/auth_backend_group.py +12 -11
pulumi_vault/ldap/auth_backend_user.py +12 -11
pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
pulumi_vault/ldap/get_static_credentials.py +24 -5
pulumi_vault/ldap/secret_backend.py +352 -84
pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
pulumi_vault/ldap/secret_backend_library_set.py +14 -11
pulumi_vault/ldap/secret_backend_static_role.py +67 -12
pulumi_vault/managed/_inputs.py +289 -132
pulumi_vault/managed/keys.py +27 -43
pulumi_vault/managed/outputs.py +89 -132
pulumi_vault/mfa_duo.py +16 -13
pulumi_vault/mfa_okta.py +16 -13
pulumi_vault/mfa_pingid.py +16 -13
pulumi_vault/mfa_totp.py +22 -19
pulumi_vault/mongodbatlas/secret_backend.py +18 -17
pulumi_vault/mongodbatlas/secret_role.py +41 -38
pulumi_vault/mount.py +389 -65
pulumi_vault/namespace.py +26 -21
pulumi_vault/nomad_secret_backend.py +16 -15
pulumi_vault/nomad_secret_role.py +12 -11
pulumi_vault/okta/_inputs.py +47 -8
pulumi_vault/okta/auth_backend.py +483 -41
pulumi_vault/okta/auth_backend_group.py +12 -11
pulumi_vault/okta/auth_backend_user.py +12 -11
pulumi_vault/okta/outputs.py +13 -8
pulumi_vault/outputs.py +5 -0
pulumi_vault/password_policy.py +18 -15
pulumi_vault/pkisecret/__init__.py +7 -0
pulumi_vault/pkisecret/_inputs.py +115 -0
pulumi_vault/pkisecret/backend_acme_eab.py +549 -0
pulumi_vault/pkisecret/backend_config_acme.py +642 -0
pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
pulumi_vault/pkisecret/backend_config_cmpv2.py +525 -0
pulumi_vault/pkisecret/backend_config_est.py +619 -0
pulumi_vault/pkisecret/get_backend_config_cmpv2.py +209 -0
pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
pulumi_vault/pkisecret/get_backend_key.py +24 -13
pulumi_vault/pkisecret/get_backend_keys.py +21 -12
pulumi_vault/pkisecret/outputs.py +109 -0
pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
pulumi_vault/pkisecret/secret_backend_key.py +12 -7
pulumi_vault/pkisecret/secret_backend_role.py +66 -16
pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
pulumi_vault/plugin.py +595 -0
pulumi_vault/plugin_pinned_version.py +298 -0
pulumi_vault/policy.py +12 -7
pulumi_vault/provider.py +48 -53
pulumi_vault/pulumi-plugin.json +2 -1
pulumi_vault/quota_lease_count.py +58 -8
pulumi_vault/quota_rate_limit.py +54 -4
pulumi_vault/rabbitmq/_inputs.py +61 -0
pulumi_vault/rabbitmq/outputs.py +5 -0
pulumi_vault/rabbitmq/secret_backend.py +16 -15
pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
pulumi_vault/raft_autopilot.py +12 -11
pulumi_vault/raft_snapshot_agent_config.py +121 -311
pulumi_vault/rgp_policy.py +14 -13
pulumi_vault/saml/auth_backend.py +20 -19
pulumi_vault/saml/auth_backend_role.py +90 -199
pulumi_vault/secrets/__init__.py +3 -0
pulumi_vault/secrets/_inputs.py +110 -0
pulumi_vault/secrets/outputs.py +94 -0
pulumi_vault/secrets/sync_association.py +56 -75
pulumi_vault/secrets/sync_aws_destination.py +240 -29
pulumi_vault/secrets/sync_azure_destination.py +90 -33
pulumi_vault/secrets/sync_config.py +7 -6
pulumi_vault/secrets/sync_gcp_destination.py +156 -27
pulumi_vault/secrets/sync_gh_destination.py +187 -15
pulumi_vault/secrets/sync_github_apps.py +375 -0
pulumi_vault/secrets/sync_vercel_destination.py +72 -15
pulumi_vault/ssh/_inputs.py +28 -32
pulumi_vault/ssh/outputs.py +11 -32
pulumi_vault/ssh/secret_backend_ca.py +106 -11
pulumi_vault/ssh/secret_backend_role.py +110 -120
pulumi_vault/terraformcloud/secret_backend.py +5 -56
pulumi_vault/terraformcloud/secret_creds.py +14 -24
pulumi_vault/terraformcloud/secret_role.py +14 -76
pulumi_vault/token.py +26 -25
pulumi_vault/tokenauth/auth_backend_role.py +76 -201
pulumi_vault/transform/alphabet.py +16 -13
pulumi_vault/transform/get_decode.py +45 -21
pulumi_vault/transform/get_encode.py +45 -21
pulumi_vault/transform/role.py +16 -13
pulumi_vault/transform/template.py +30 -25
pulumi_vault/transform/transformation.py +12 -7
pulumi_vault/transit/get_decrypt.py +26 -25
pulumi_vault/transit/get_encrypt.py +24 -19
pulumi_vault/transit/secret_backend_key.py +25 -97
pulumi_vault/transit/secret_cache_config.py +12 -11
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0.dist-info}/METADATA +8 -7
pulumi_vault-6.5.0.dist-info/RECORD +260 -0
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0.dist-info}/WHEEL +1 -1
pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0.dist-info}/top_level.txt +0 -0

pulumi_vault/ssh/secret_backend_role.py CHANGED Viewed

@@ -4,9 +4,14 @@
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 from . import outputs
 from ._inputs import *
@@ -20,6 +25,7 @@ class SecretBackendRoleArgs:
                  key_type: pulumi.Input[str],
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -29,12 +35,11 @@ class SecretBackendRoleArgs:
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
                  allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -49,6 +54,9 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[str] key_type: Specifies the type of credentials generated by this role. This can be either `otp`, `dynamic` or `ca`.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -61,14 +69,11 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]] allowed_user_key_configs: Set of configuration blocks to define allowed
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -76,7 +81,7 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -87,6 +92,8 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "algorithm_signer", algorithm_signer)
         if allow_bare_domains is not None:
             pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+        if allow_empty_principals is not None:
+            pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
         if allow_host_certificates is not None:
             pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
         if allow_subdomains is not None:
@@ -105,11 +112,6 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "allowed_extensions", allowed_extensions)
         if allowed_user_key_configs is not None:
             pulumi.set(__self__, "allowed_user_key_configs", allowed_user_key_configs)
-        if allowed_user_key_lengths is not None:
-            warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-            pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        if allowed_user_key_lengths is not None:
-            pulumi.set(__self__, "allowed_user_key_lengths", allowed_user_key_lengths)
         if allowed_users is not None:
             pulumi.set(__self__, "allowed_users", allowed_users)
         if allowed_users_template is not None:
@@ -185,6 +187,20 @@ class SecretBackendRoleArgs:
     def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "allow_bare_domains", value)
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Allow signing certificates with no
+        valid principals (e.g. any valid principal). For backwards compatibility
+        only. The default of false is highly recommended.
+        """
+        return pulumi.get(self, "allow_empty_principals")
+    @allow_empty_principals.setter
+    def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "allow_empty_principals", value)
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -296,23 +312,6 @@ class SecretBackendRoleArgs:
     def allowed_user_key_configs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]]):
         pulumi.set(self, "allowed_user_key_configs", value)
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        return pulumi.get(self, "allowed_user_key_lengths")
-    @allowed_user_key_lengths.setter
-    def allowed_user_key_lengths(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]):
-        pulumi.set(self, "allowed_user_key_lengths", value)
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> Optional[pulumi.Input[str]]:
@@ -351,26 +350,26 @@ class SecretBackendRoleArgs:
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
         return pulumi.get(self, "default_critical_options")
     @default_critical_options.setter
-    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_critical_options", value)
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
         return pulumi.get(self, "default_extensions")
     @default_extensions.setter
-    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_extensions", value)
     @property
@@ -439,7 +438,7 @@ class SecretBackendRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -478,6 +477,7 @@ class _SecretBackendRoleState:
     def __init__(__self__, *,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -487,13 +487,12 @@ class _SecretBackendRoleState:
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
                  allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -507,6 +506,9 @@ class _SecretBackendRoleState:
         Input properties used for looking up and filtering SecretBackendRole resources.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -519,15 +521,12 @@ class _SecretBackendRoleState:
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]] allowed_user_key_configs: Set of configuration blocks to define allowed
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -536,7 +535,7 @@ class _SecretBackendRoleState:
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -545,6 +544,8 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "algorithm_signer", algorithm_signer)
         if allow_bare_domains is not None:
             pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+        if allow_empty_principals is not None:
+            pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
         if allow_host_certificates is not None:
             pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
         if allow_subdomains is not None:
@@ -563,11 +564,6 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "allowed_extensions", allowed_extensions)
         if allowed_user_key_configs is not None:
             pulumi.set(__self__, "allowed_user_key_configs", allowed_user_key_configs)
-        if allowed_user_key_lengths is not None:
-            warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-            pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        if allowed_user_key_lengths is not None:
-            pulumi.set(__self__, "allowed_user_key_lengths", allowed_user_key_lengths)
         if allowed_users is not None:
             pulumi.set(__self__, "allowed_users", allowed_users)
         if allowed_users_template is not None:
@@ -623,6 +619,20 @@ class _SecretBackendRoleState:
     def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "allow_bare_domains", value)
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Allow signing certificates with no
+        valid principals (e.g. any valid principal). For backwards compatibility
+        only. The default of false is highly recommended.
+        """
+        return pulumi.get(self, "allow_empty_principals")
+    @allow_empty_principals.setter
+    def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "allow_empty_principals", value)
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -734,23 +744,6 @@ class _SecretBackendRoleState:
     def allowed_user_key_configs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]]):
         pulumi.set(self, "allowed_user_key_configs", value)
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        return pulumi.get(self, "allowed_user_key_lengths")
-    @allowed_user_key_lengths.setter
-    def allowed_user_key_lengths(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]):
-        pulumi.set(self, "allowed_user_key_lengths", value)
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> Optional[pulumi.Input[str]]:
@@ -801,26 +794,26 @@ class _SecretBackendRoleState:
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
         return pulumi.get(self, "default_critical_options")
     @default_critical_options.setter
-    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_critical_options", value)
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
         return pulumi.get(self, "default_extensions")
     @default_extensions.setter
-    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_extensions", value)
     @property
@@ -901,7 +894,7 @@ class _SecretBackendRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -942,6 +935,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -950,14 +944,13 @@ class SecretBackendRole(pulumi.CustomResource):
                  allowed_domains: Optional[pulumi.Input[str]] = None,
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
-                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -974,24 +967,24 @@ class SecretBackendRole(pulumi.CustomResource):
         ## Example Usage
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
         example = vault.Mount("example", type="ssh")
         foo = vault.ssh.SecretBackendRole("foo",
+            name="my-role",
             backend=example.path,
             key_type="ca",
             allow_user_certificates=True)
         bar = vault.ssh.SecretBackendRole("bar",
+            name="otp-role",
             backend=example.path,
             key_type="otp",
             default_user="default",
             allowed_users="default,baz",
             cidr_list="0.0.0.0/0")
         ```
-        <!--End PulumiCodeChooser -->
         ## Import
@@ -1005,6 +998,9 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -1014,18 +1010,15 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[bool] allowed_domains_template: Specifies if `allowed_domains` can be declared using
                identity template policies. Non-templated domains are also permitted.
         :param pulumi.Input[str] allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when signed.
-        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]] allowed_user_key_configs: Set of configuration blocks to define allowed
+        :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]] allowed_user_key_configs: Set of configuration blocks to define allowed
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -1034,7 +1027,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -1051,24 +1044,24 @@ class SecretBackendRole(pulumi.CustomResource):
         ## Example Usage
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
         example = vault.Mount("example", type="ssh")
         foo = vault.ssh.SecretBackendRole("foo",
+            name="my-role",
             backend=example.path,
             key_type="ca",
             allow_user_certificates=True)
         bar = vault.ssh.SecretBackendRole("bar",
+            name="otp-role",
             backend=example.path,
             key_type="otp",
             default_user="default",
             allowed_users="default,baz",
             cidr_list="0.0.0.0/0")
         ```
-        <!--End PulumiCodeChooser -->
         ## Import
@@ -1095,6 +1088,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1103,14 +1097,13 @@ class SecretBackendRole(pulumi.CustomResource):
                  allowed_domains: Optional[pulumi.Input[str]] = None,
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
-                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -1131,6 +1124,7 @@ class SecretBackendRole(pulumi.CustomResource):
             __props__.__dict__["algorithm_signer"] = algorithm_signer
             __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+            __props__.__dict__["allow_empty_principals"] = allow_empty_principals
             __props__.__dict__["allow_host_certificates"] = allow_host_certificates
             __props__.__dict__["allow_subdomains"] = allow_subdomains
             __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1140,7 +1134,6 @@ class SecretBackendRole(pulumi.CustomResource):
             __props__.__dict__["allowed_domains_template"] = allowed_domains_template
             __props__.__dict__["allowed_extensions"] = allowed_extensions
             __props__.__dict__["allowed_user_key_configs"] = allowed_user_key_configs
-            __props__.__dict__["allowed_user_key_lengths"] = allowed_user_key_lengths
             __props__.__dict__["allowed_users"] = allowed_users
             __props__.__dict__["allowed_users_template"] = allowed_users_template
             if backend is None and not opts.urn:
@@ -1172,6 +1165,7 @@ class SecretBackendRole(pulumi.CustomResource):
             opts: Optional[pulumi.ResourceOptions] = None,
             algorithm_signer: Optional[pulumi.Input[str]] = None,
             allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+            allow_empty_principals: Optional[pulumi.Input[bool]] = None,
             allow_host_certificates: Optional[pulumi.Input[bool]] = None,
             allow_subdomains: Optional[pulumi.Input[bool]] = None,
             allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1180,14 +1174,13 @@ class SecretBackendRole(pulumi.CustomResource):
             allowed_domains: Optional[pulumi.Input[str]] = None,
             allowed_domains_template: Optional[pulumi.Input[bool]] = None,
             allowed_extensions: Optional[pulumi.Input[str]] = None,
-            allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-            allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+            allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
             allowed_users: Optional[pulumi.Input[str]] = None,
             allowed_users_template: Optional[pulumi.Input[bool]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             cidr_list: Optional[pulumi.Input[str]] = None,
-            default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-            default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+            default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             default_user: Optional[pulumi.Input[str]] = None,
             default_user_template: Optional[pulumi.Input[bool]] = None,
             key_id_format: Optional[pulumi.Input[str]] = None,
@@ -1206,6 +1199,9 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
         :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.
+        :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no
+               valid principals (e.g. any valid principal). For backwards compatibility
+               only. The default of false is highly recommended.
         :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
         :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`.
         :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
@@ -1215,18 +1211,15 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[bool] allowed_domains_template: Specifies if `allowed_domains` can be declared using
                identity template policies. Non-templated domains are also permitted.
         :param pulumi.Input[str] allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when signed.
-        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]] allowed_user_key_configs: Set of configuration blocks to define allowed
+        :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]] allowed_user_key_configs: Set of configuration blocks to define allowed
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -1235,7 +1228,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -1246,6 +1239,7 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["algorithm_signer"] = algorithm_signer
         __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+        __props__.__dict__["allow_empty_principals"] = allow_empty_principals
         __props__.__dict__["allow_host_certificates"] = allow_host_certificates
         __props__.__dict__["allow_subdomains"] = allow_subdomains
         __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1255,7 +1249,6 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["allowed_domains_template"] = allowed_domains_template
         __props__.__dict__["allowed_extensions"] = allowed_extensions
         __props__.__dict__["allowed_user_key_configs"] = allowed_user_key_configs
-        __props__.__dict__["allowed_user_key_lengths"] = allowed_user_key_lengths
         __props__.__dict__["allowed_users"] = allowed_users
         __props__.__dict__["allowed_users_template"] = allowed_users_template
         __props__.__dict__["backend"] = backend
@@ -1289,6 +1282,16 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "allow_bare_domains")
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> pulumi.Output[Optional[bool]]:
+        """
+        Allow signing certificates with no
+        valid principals (e.g. any valid principal). For backwards compatibility
+        only. The default of false is highly recommended.
+        """
+        return pulumi.get(self, "allow_empty_principals")
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> pulumi.Output[Optional[bool]]:
@@ -1364,19 +1367,6 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "allowed_user_key_configs")
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> pulumi.Output[Optional[Mapping[str, int]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        return pulumi.get(self, "allowed_user_key_lengths")
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> pulumi.Output[Optional[str]]:
@@ -1411,7 +1401,7 @@ class SecretBackendRole(pulumi.CustomResource):
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def default_critical_options(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
@@ -1419,7 +1409,7 @@ class SecretBackendRole(pulumi.CustomResource):
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def default_extensions(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
@@ -1479,7 +1469,7 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0__py3-none-any.whl

pulumi-vault 5.21.0a1710160723py3-none-any.whl → 6.5.0py3-none-any.whl