pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +22 -7
- pulumi_vault/ad/secret_backend.py +14 -144
- pulumi_vault/ad/secret_library.py +14 -11
- pulumi_vault/ad/secret_role.py +12 -11
- pulumi_vault/alicloud/auth_backend_role.py +74 -192
- pulumi_vault/approle/auth_backend_login.py +12 -11
- pulumi_vault/approle/auth_backend_role.py +75 -193
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
- pulumi_vault/audit.py +24 -27
- pulumi_vault/audit_request_header.py +11 -6
- pulumi_vault/auth_backend.py +64 -12
- pulumi_vault/aws/auth_backend_cert.py +12 -7
- pulumi_vault/aws/auth_backend_client.py +265 -24
- pulumi_vault/aws/auth_backend_config_identity.py +12 -11
- pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +75 -193
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
- pulumi_vault/aws/auth_backend_sts_role.py +12 -11
- pulumi_vault/aws/get_access_credentials.py +34 -7
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +75 -7
- pulumi_vault/aws/secret_backend_role.py +183 -11
- pulumi_vault/aws/secret_backend_static_role.py +14 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +151 -17
- pulumi_vault/azure/auth_backend_role.py +75 -193
- pulumi_vault/azure/backend.py +223 -29
- pulumi_vault/azure/backend_role.py +42 -41
- pulumi_vault/azure/get_access_credentials.py +39 -11
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -271
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +22 -25
- pulumi_vault/consul/secret_backend_role.py +14 -80
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +117 -114
- pulumi_vault/database/secret_backend_role.py +29 -24
- pulumi_vault/database/secret_backend_static_role.py +85 -15
- pulumi_vault/database/secrets_mount.py +425 -138
- pulumi_vault/egp_policy.py +16 -15
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +248 -35
- pulumi_vault/gcp/auth_backend_role.py +75 -271
- pulumi_vault/gcp/get_auth_backend_role.py +43 -9
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -16
- pulumi_vault/gcp/secret_impersonated_account.py +74 -17
- pulumi_vault/gcp/secret_roleset.py +29 -26
- pulumi_vault/gcp/secret_static_account.py +37 -34
- pulumi_vault/generic/endpoint.py +22 -21
- pulumi_vault/generic/get_secret.py +68 -12
- pulumi_vault/generic/secret.py +19 -14
- pulumi_vault/get_auth_backend.py +24 -11
- pulumi_vault/get_auth_backends.py +33 -11
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -15
- pulumi_vault/get_policy_document.py +34 -23
- pulumi_vault/get_raft_autopilot_state.py +29 -14
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +17 -16
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +14 -13
- pulumi_vault/github/user.py +14 -13
- pulumi_vault/identity/entity.py +18 -15
- pulumi_vault/identity/entity_alias.py +18 -15
- pulumi_vault/identity/entity_policies.py +24 -19
- pulumi_vault/identity/get_entity.py +40 -14
- pulumi_vault/identity/get_group.py +45 -13
- pulumi_vault/identity/get_oidc_client_creds.py +21 -11
- pulumi_vault/identity/get_oidc_openid_config.py +39 -13
- pulumi_vault/identity/get_oidc_public_keys.py +29 -14
- pulumi_vault/identity/group.py +50 -49
- pulumi_vault/identity/group_alias.py +14 -11
- pulumi_vault/identity/group_member_entity_ids.py +24 -74
- pulumi_vault/identity/group_member_group_ids.py +36 -27
- pulumi_vault/identity/group_policies.py +16 -15
- pulumi_vault/identity/mfa_duo.py +9 -8
- pulumi_vault/identity/mfa_login_enforcement.py +13 -8
- pulumi_vault/identity/mfa_okta.py +9 -8
- pulumi_vault/identity/mfa_pingid.py +5 -4
- pulumi_vault/identity/mfa_totp.py +5 -4
- pulumi_vault/identity/oidc.py +12 -11
- pulumi_vault/identity/oidc_assignment.py +22 -13
- pulumi_vault/identity/oidc_client.py +34 -25
- pulumi_vault/identity/oidc_key.py +28 -19
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
- pulumi_vault/identity/oidc_provider.py +34 -23
- pulumi_vault/identity/oidc_role.py +40 -27
- pulumi_vault/identity/oidc_scope.py +18 -15
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +39 -46
- pulumi_vault/jwt/auth_backend_role.py +131 -260
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +22 -21
- pulumi_vault/kmip/secret_role.py +12 -11
- pulumi_vault/kmip/secret_scope.py +12 -11
- pulumi_vault/kubernetes/auth_backend_config.py +55 -7
- pulumi_vault/kubernetes/auth_backend_role.py +68 -179
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -15
- pulumi_vault/kubernetes/secret_backend.py +314 -29
- pulumi_vault/kubernetes/secret_backend_role.py +135 -56
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +23 -12
- pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
- pulumi_vault/kv/get_secret_v2.py +89 -9
- pulumi_vault/kv/get_secrets_list.py +22 -15
- pulumi_vault/kv/get_secrets_list_v2.py +35 -19
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +19 -18
- pulumi_vault/kv/secret_backend_v2.py +12 -11
- pulumi_vault/kv/secret_v2.py +55 -52
- pulumi_vault/ldap/auth_backend.py +125 -168
- pulumi_vault/ldap/auth_backend_group.py +12 -11
- pulumi_vault/ldap/auth_backend_user.py +12 -11
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +352 -84
- pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
- pulumi_vault/ldap/secret_backend_library_set.py +14 -11
- pulumi_vault/ldap/secret_backend_static_role.py +67 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +27 -43
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +16 -13
- pulumi_vault/mfa_okta.py +16 -13
- pulumi_vault/mfa_pingid.py +16 -13
- pulumi_vault/mfa_totp.py +22 -19
- pulumi_vault/mongodbatlas/secret_backend.py +18 -17
- pulumi_vault/mongodbatlas/secret_role.py +41 -38
- pulumi_vault/mount.py +389 -65
- pulumi_vault/namespace.py +26 -21
- pulumi_vault/nomad_secret_backend.py +16 -15
- pulumi_vault/nomad_secret_role.py +12 -11
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +483 -41
- pulumi_vault/okta/auth_backend_group.py +12 -11
- pulumi_vault/okta/auth_backend_user.py +12 -11
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +18 -15
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
- pulumi_vault/pkisecret/get_backend_key.py +24 -13
- pulumi_vault/pkisecret/get_backend_keys.py +21 -12
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
- pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
- pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
- pulumi_vault/pkisecret/secret_backend_key.py +12 -7
- pulumi_vault/pkisecret/secret_backend_role.py +19 -16
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +12 -7
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +58 -8
- pulumi_vault/quota_rate_limit.py +54 -4
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +16 -15
- pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
- pulumi_vault/raft_autopilot.py +12 -11
- pulumi_vault/raft_snapshot_agent_config.py +121 -311
- pulumi_vault/rgp_policy.py +14 -13
- pulumi_vault/saml/auth_backend.py +20 -19
- pulumi_vault/saml/auth_backend_role.py +90 -199
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -75
- pulumi_vault/secrets/sync_aws_destination.py +240 -29
- pulumi_vault/secrets/sync_azure_destination.py +90 -33
- pulumi_vault/secrets/sync_config.py +7 -6
- pulumi_vault/secrets/sync_gcp_destination.py +156 -27
- pulumi_vault/secrets/sync_gh_destination.py +187 -15
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +72 -15
- pulumi_vault/ssh/_inputs.py +28 -32
- pulumi_vault/ssh/outputs.py +11 -32
- pulumi_vault/ssh/secret_backend_ca.py +106 -11
- pulumi_vault/ssh/secret_backend_role.py +83 -120
- pulumi_vault/terraformcloud/secret_backend.py +5 -56
- pulumi_vault/terraformcloud/secret_creds.py +14 -24
- pulumi_vault/terraformcloud/secret_role.py +14 -76
- pulumi_vault/token.py +26 -25
- pulumi_vault/tokenauth/auth_backend_role.py +76 -201
- pulumi_vault/transform/alphabet.py +16 -13
- pulumi_vault/transform/get_decode.py +45 -21
- pulumi_vault/transform/get_encode.py +45 -21
- pulumi_vault/transform/role.py +16 -13
- pulumi_vault/transform/template.py +30 -25
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -25
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +25 -97
- pulumi_vault/transit/secret_cache_config.py +12 -11
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = ['SecretBackendArgs', 'SecretBackend']
|
@@ -18,10 +23,14 @@ class SecretBackendArgs:
|
|
18
23
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
19
24
|
description: Optional[pulumi.Input[str]] = None,
|
20
25
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
26
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
27
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
28
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
21
29
|
local: Optional[pulumi.Input[bool]] = None,
|
22
30
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
23
31
|
namespace: Optional[pulumi.Input[str]] = None,
|
24
|
-
path: Optional[pulumi.Input[str]] = None
|
32
|
+
path: Optional[pulumi.Input[str]] = None,
|
33
|
+
service_account_email: Optional[pulumi.Input[str]] = None):
|
25
34
|
"""
|
26
35
|
The set of arguments for constructing a SecretBackend resource.
|
27
36
|
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
@@ -30,15 +39,23 @@ class SecretBackendArgs:
|
|
30
39
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
31
40
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
32
41
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
42
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
43
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
44
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
45
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
46
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
47
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
33
48
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
34
49
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
35
50
|
for credentials issued by this backend. Defaults to '0'.
|
36
51
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
37
52
|
The value should not contain leading or trailing forward slashes.
|
38
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
53
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
39
54
|
*Available only for Vault Enterprise*.
|
40
55
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
41
56
|
not begin or end with a `/`. Defaults to `gcp`.
|
57
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
58
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
42
59
|
"""
|
43
60
|
if credentials is not None:
|
44
61
|
pulumi.set(__self__, "credentials", credentials)
|
@@ -48,6 +65,12 @@ class SecretBackendArgs:
|
|
48
65
|
pulumi.set(__self__, "description", description)
|
49
66
|
if disable_remount is not None:
|
50
67
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
68
|
+
if identity_token_audience is not None:
|
69
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
70
|
+
if identity_token_key is not None:
|
71
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
72
|
+
if identity_token_ttl is not None:
|
73
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
51
74
|
if local is not None:
|
52
75
|
pulumi.set(__self__, "local", local)
|
53
76
|
if max_lease_ttl_seconds is not None:
|
@@ -56,6 +79,8 @@ class SecretBackendArgs:
|
|
56
79
|
pulumi.set(__self__, "namespace", namespace)
|
57
80
|
if path is not None:
|
58
81
|
pulumi.set(__self__, "path", path)
|
82
|
+
if service_account_email is not None:
|
83
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
59
84
|
|
60
85
|
@property
|
61
86
|
@pulumi.getter
|
@@ -107,6 +132,45 @@ class SecretBackendArgs:
|
|
107
132
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
108
133
|
pulumi.set(self, "disable_remount", value)
|
109
134
|
|
135
|
+
@property
|
136
|
+
@pulumi.getter(name="identityTokenAudience")
|
137
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
138
|
+
"""
|
139
|
+
The audience claim value for plugin identity
|
140
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
141
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
142
|
+
"""
|
143
|
+
return pulumi.get(self, "identity_token_audience")
|
144
|
+
|
145
|
+
@identity_token_audience.setter
|
146
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
147
|
+
pulumi.set(self, "identity_token_audience", value)
|
148
|
+
|
149
|
+
@property
|
150
|
+
@pulumi.getter(name="identityTokenKey")
|
151
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
152
|
+
"""
|
153
|
+
The key to use for signing plugin identity
|
154
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
155
|
+
"""
|
156
|
+
return pulumi.get(self, "identity_token_key")
|
157
|
+
|
158
|
+
@identity_token_key.setter
|
159
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
160
|
+
pulumi.set(self, "identity_token_key", value)
|
161
|
+
|
162
|
+
@property
|
163
|
+
@pulumi.getter(name="identityTokenTtl")
|
164
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
165
|
+
"""
|
166
|
+
The TTL of generated tokens.
|
167
|
+
"""
|
168
|
+
return pulumi.get(self, "identity_token_ttl")
|
169
|
+
|
170
|
+
@identity_token_ttl.setter
|
171
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
172
|
+
pulumi.set(self, "identity_token_ttl", value)
|
173
|
+
|
110
174
|
@property
|
111
175
|
@pulumi.getter
|
112
176
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
@@ -138,7 +202,7 @@ class SecretBackendArgs:
|
|
138
202
|
"""
|
139
203
|
The namespace to provision the resource in.
|
140
204
|
The value should not contain leading or trailing forward slashes.
|
141
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
205
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
142
206
|
*Available only for Vault Enterprise*.
|
143
207
|
"""
|
144
208
|
return pulumi.get(self, "namespace")
|
@@ -160,36 +224,65 @@ class SecretBackendArgs:
|
|
160
224
|
def path(self, value: Optional[pulumi.Input[str]]):
|
161
225
|
pulumi.set(self, "path", value)
|
162
226
|
|
227
|
+
@property
|
228
|
+
@pulumi.getter(name="serviceAccountEmail")
|
229
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
230
|
+
"""
|
231
|
+
Service Account to impersonate for plugin workload identity federation.
|
232
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
233
|
+
"""
|
234
|
+
return pulumi.get(self, "service_account_email")
|
235
|
+
|
236
|
+
@service_account_email.setter
|
237
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
238
|
+
pulumi.set(self, "service_account_email", value)
|
239
|
+
|
163
240
|
|
164
241
|
@pulumi.input_type
|
165
242
|
class _SecretBackendState:
|
166
243
|
def __init__(__self__, *,
|
244
|
+
accessor: Optional[pulumi.Input[str]] = None,
|
167
245
|
credentials: Optional[pulumi.Input[str]] = None,
|
168
246
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
169
247
|
description: Optional[pulumi.Input[str]] = None,
|
170
248
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
249
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
250
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
251
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
171
252
|
local: Optional[pulumi.Input[bool]] = None,
|
172
253
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
173
254
|
namespace: Optional[pulumi.Input[str]] = None,
|
174
|
-
path: Optional[pulumi.Input[str]] = None
|
255
|
+
path: Optional[pulumi.Input[str]] = None,
|
256
|
+
service_account_email: Optional[pulumi.Input[str]] = None):
|
175
257
|
"""
|
176
258
|
Input properties used for looking up and filtering SecretBackend resources.
|
259
|
+
:param pulumi.Input[str] accessor: The accessor of the created GCP mount.
|
177
260
|
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
178
261
|
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
179
262
|
issued by this backend. Defaults to '0'.
|
180
263
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
181
264
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
182
265
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
266
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
267
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
268
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
269
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
270
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
271
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
183
272
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
184
273
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
185
274
|
for credentials issued by this backend. Defaults to '0'.
|
186
275
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
187
276
|
The value should not contain leading or trailing forward slashes.
|
188
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
277
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
189
278
|
*Available only for Vault Enterprise*.
|
190
279
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
191
280
|
not begin or end with a `/`. Defaults to `gcp`.
|
281
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
282
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
192
283
|
"""
|
284
|
+
if accessor is not None:
|
285
|
+
pulumi.set(__self__, "accessor", accessor)
|
193
286
|
if credentials is not None:
|
194
287
|
pulumi.set(__self__, "credentials", credentials)
|
195
288
|
if default_lease_ttl_seconds is not None:
|
@@ -198,6 +291,12 @@ class _SecretBackendState:
|
|
198
291
|
pulumi.set(__self__, "description", description)
|
199
292
|
if disable_remount is not None:
|
200
293
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
294
|
+
if identity_token_audience is not None:
|
295
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
296
|
+
if identity_token_key is not None:
|
297
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
298
|
+
if identity_token_ttl is not None:
|
299
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
201
300
|
if local is not None:
|
202
301
|
pulumi.set(__self__, "local", local)
|
203
302
|
if max_lease_ttl_seconds is not None:
|
@@ -206,6 +305,20 @@ class _SecretBackendState:
|
|
206
305
|
pulumi.set(__self__, "namespace", namespace)
|
207
306
|
if path is not None:
|
208
307
|
pulumi.set(__self__, "path", path)
|
308
|
+
if service_account_email is not None:
|
309
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
310
|
+
|
311
|
+
@property
|
312
|
+
@pulumi.getter
|
313
|
+
def accessor(self) -> Optional[pulumi.Input[str]]:
|
314
|
+
"""
|
315
|
+
The accessor of the created GCP mount.
|
316
|
+
"""
|
317
|
+
return pulumi.get(self, "accessor")
|
318
|
+
|
319
|
+
@accessor.setter
|
320
|
+
def accessor(self, value: Optional[pulumi.Input[str]]):
|
321
|
+
pulumi.set(self, "accessor", value)
|
209
322
|
|
210
323
|
@property
|
211
324
|
@pulumi.getter
|
@@ -257,6 +370,45 @@ class _SecretBackendState:
|
|
257
370
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
258
371
|
pulumi.set(self, "disable_remount", value)
|
259
372
|
|
373
|
+
@property
|
374
|
+
@pulumi.getter(name="identityTokenAudience")
|
375
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
376
|
+
"""
|
377
|
+
The audience claim value for plugin identity
|
378
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
379
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
380
|
+
"""
|
381
|
+
return pulumi.get(self, "identity_token_audience")
|
382
|
+
|
383
|
+
@identity_token_audience.setter
|
384
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
385
|
+
pulumi.set(self, "identity_token_audience", value)
|
386
|
+
|
387
|
+
@property
|
388
|
+
@pulumi.getter(name="identityTokenKey")
|
389
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
390
|
+
"""
|
391
|
+
The key to use for signing plugin identity
|
392
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
393
|
+
"""
|
394
|
+
return pulumi.get(self, "identity_token_key")
|
395
|
+
|
396
|
+
@identity_token_key.setter
|
397
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
398
|
+
pulumi.set(self, "identity_token_key", value)
|
399
|
+
|
400
|
+
@property
|
401
|
+
@pulumi.getter(name="identityTokenTtl")
|
402
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
403
|
+
"""
|
404
|
+
The TTL of generated tokens.
|
405
|
+
"""
|
406
|
+
return pulumi.get(self, "identity_token_ttl")
|
407
|
+
|
408
|
+
@identity_token_ttl.setter
|
409
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
410
|
+
pulumi.set(self, "identity_token_ttl", value)
|
411
|
+
|
260
412
|
@property
|
261
413
|
@pulumi.getter
|
262
414
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
@@ -288,7 +440,7 @@ class _SecretBackendState:
|
|
288
440
|
"""
|
289
441
|
The namespace to provision the resource in.
|
290
442
|
The value should not contain leading or trailing forward slashes.
|
291
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
443
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
292
444
|
*Available only for Vault Enterprise*.
|
293
445
|
"""
|
294
446
|
return pulumi.get(self, "namespace")
|
@@ -310,6 +462,19 @@ class _SecretBackendState:
|
|
310
462
|
def path(self, value: Optional[pulumi.Input[str]]):
|
311
463
|
pulumi.set(self, "path", value)
|
312
464
|
|
465
|
+
@property
|
466
|
+
@pulumi.getter(name="serviceAccountEmail")
|
467
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
468
|
+
"""
|
469
|
+
Service Account to impersonate for plugin workload identity federation.
|
470
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
471
|
+
"""
|
472
|
+
return pulumi.get(self, "service_account_email")
|
473
|
+
|
474
|
+
@service_account_email.setter
|
475
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
476
|
+
pulumi.set(self, "service_account_email", value)
|
477
|
+
|
313
478
|
|
314
479
|
class SecretBackend(pulumi.CustomResource):
|
315
480
|
@overload
|
@@ -320,22 +485,37 @@ class SecretBackend(pulumi.CustomResource):
|
|
320
485
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
321
486
|
description: Optional[pulumi.Input[str]] = None,
|
322
487
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
488
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
489
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
490
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
323
491
|
local: Optional[pulumi.Input[bool]] = None,
|
324
492
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
325
493
|
namespace: Optional[pulumi.Input[str]] = None,
|
326
494
|
path: Optional[pulumi.Input[str]] = None,
|
495
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
327
496
|
__props__=None):
|
328
497
|
"""
|
329
498
|
## Example Usage
|
330
499
|
|
331
|
-
|
500
|
+
You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
501
|
+
```python
|
502
|
+
import pulumi
|
503
|
+
import pulumi_vault as vault
|
504
|
+
|
505
|
+
gcp = vault.gcp.SecretBackend("gcp",
|
506
|
+
identity_token_key="example-key",
|
507
|
+
identity_token_ttl=1800,
|
508
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
509
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
510
|
+
```
|
511
|
+
|
332
512
|
```python
|
333
513
|
import pulumi
|
514
|
+
import pulumi_std as std
|
334
515
|
import pulumi_vault as vault
|
335
516
|
|
336
|
-
gcp = vault.gcp.SecretBackend("gcp", credentials=
|
517
|
+
gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
|
337
518
|
```
|
338
|
-
<!--End PulumiCodeChooser -->
|
339
519
|
|
340
520
|
:param str resource_name: The name of the resource.
|
341
521
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
@@ -345,15 +525,23 @@ class SecretBackend(pulumi.CustomResource):
|
|
345
525
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
346
526
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
347
527
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
528
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
529
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
530
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
531
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
532
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
533
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
348
534
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
349
535
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
350
536
|
for credentials issued by this backend. Defaults to '0'.
|
351
537
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
352
538
|
The value should not contain leading or trailing forward slashes.
|
353
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
539
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
354
540
|
*Available only for Vault Enterprise*.
|
355
541
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
356
542
|
not begin or end with a `/`. Defaults to `gcp`.
|
543
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
544
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
357
545
|
"""
|
358
546
|
...
|
359
547
|
@overload
|
@@ -364,14 +552,25 @@ class SecretBackend(pulumi.CustomResource):
|
|
364
552
|
"""
|
365
553
|
## Example Usage
|
366
554
|
|
367
|
-
|
555
|
+
You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
556
|
+
```python
|
557
|
+
import pulumi
|
558
|
+
import pulumi_vault as vault
|
559
|
+
|
560
|
+
gcp = vault.gcp.SecretBackend("gcp",
|
561
|
+
identity_token_key="example-key",
|
562
|
+
identity_token_ttl=1800,
|
563
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
564
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
565
|
+
```
|
566
|
+
|
368
567
|
```python
|
369
568
|
import pulumi
|
569
|
+
import pulumi_std as std
|
370
570
|
import pulumi_vault as vault
|
371
571
|
|
372
|
-
gcp = vault.gcp.SecretBackend("gcp", credentials=
|
572
|
+
gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
|
373
573
|
```
|
374
|
-
<!--End PulumiCodeChooser -->
|
375
574
|
|
376
575
|
:param str resource_name: The name of the resource.
|
377
576
|
:param SecretBackendArgs args: The arguments to use to populate this resource's properties.
|
@@ -392,10 +591,14 @@ class SecretBackend(pulumi.CustomResource):
|
|
392
591
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
393
592
|
description: Optional[pulumi.Input[str]] = None,
|
394
593
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
594
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
595
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
596
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
395
597
|
local: Optional[pulumi.Input[bool]] = None,
|
396
598
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
397
599
|
namespace: Optional[pulumi.Input[str]] = None,
|
398
600
|
path: Optional[pulumi.Input[str]] = None,
|
601
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
399
602
|
__props__=None):
|
400
603
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
401
604
|
if not isinstance(opts, pulumi.ResourceOptions):
|
@@ -409,10 +612,15 @@ class SecretBackend(pulumi.CustomResource):
|
|
409
612
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
410
613
|
__props__.__dict__["description"] = description
|
411
614
|
__props__.__dict__["disable_remount"] = disable_remount
|
615
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
616
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
617
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
412
618
|
__props__.__dict__["local"] = local
|
413
619
|
__props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
|
414
620
|
__props__.__dict__["namespace"] = namespace
|
415
621
|
__props__.__dict__["path"] = path
|
622
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
623
|
+
__props__.__dict__["accessor"] = None
|
416
624
|
secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
|
417
625
|
opts = pulumi.ResourceOptions.merge(opts, secret_opts)
|
418
626
|
super(SecretBackend, __self__).__init__(
|
@@ -425,14 +633,19 @@ class SecretBackend(pulumi.CustomResource):
|
|
425
633
|
def get(resource_name: str,
|
426
634
|
id: pulumi.Input[str],
|
427
635
|
opts: Optional[pulumi.ResourceOptions] = None,
|
636
|
+
accessor: Optional[pulumi.Input[str]] = None,
|
428
637
|
credentials: Optional[pulumi.Input[str]] = None,
|
429
638
|
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
430
639
|
description: Optional[pulumi.Input[str]] = None,
|
431
640
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
641
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
642
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
643
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
432
644
|
local: Optional[pulumi.Input[bool]] = None,
|
433
645
|
max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
434
646
|
namespace: Optional[pulumi.Input[str]] = None,
|
435
|
-
path: Optional[pulumi.Input[str]] = None
|
647
|
+
path: Optional[pulumi.Input[str]] = None,
|
648
|
+
service_account_email: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
|
436
649
|
"""
|
437
650
|
Get an existing SecretBackend resource's state with the given name, id, and optional extra
|
438
651
|
properties used to qualify the lookup.
|
@@ -440,36 +653,58 @@ class SecretBackend(pulumi.CustomResource):
|
|
440
653
|
:param str resource_name: The unique name of the resulting resource.
|
441
654
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
442
655
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
656
|
+
:param pulumi.Input[str] accessor: The accessor of the created GCP mount.
|
443
657
|
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
444
658
|
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
445
659
|
issued by this backend. Defaults to '0'.
|
446
660
|
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
447
661
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
448
662
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
663
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
664
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
665
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
666
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
667
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
668
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
449
669
|
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
450
670
|
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
451
671
|
for credentials issued by this backend. Defaults to '0'.
|
452
672
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
453
673
|
The value should not contain leading or trailing forward slashes.
|
454
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
674
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
455
675
|
*Available only for Vault Enterprise*.
|
456
676
|
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
457
677
|
not begin or end with a `/`. Defaults to `gcp`.
|
678
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
679
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
458
680
|
"""
|
459
681
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
460
682
|
|
461
683
|
__props__ = _SecretBackendState.__new__(_SecretBackendState)
|
462
684
|
|
685
|
+
__props__.__dict__["accessor"] = accessor
|
463
686
|
__props__.__dict__["credentials"] = credentials
|
464
687
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
465
688
|
__props__.__dict__["description"] = description
|
466
689
|
__props__.__dict__["disable_remount"] = disable_remount
|
690
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
691
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
692
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
467
693
|
__props__.__dict__["local"] = local
|
468
694
|
__props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
|
469
695
|
__props__.__dict__["namespace"] = namespace
|
470
696
|
__props__.__dict__["path"] = path
|
697
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
471
698
|
return SecretBackend(resource_name, opts=opts, __props__=__props__)
|
472
699
|
|
700
|
+
@property
|
701
|
+
@pulumi.getter
|
702
|
+
def accessor(self) -> pulumi.Output[str]:
|
703
|
+
"""
|
704
|
+
The accessor of the created GCP mount.
|
705
|
+
"""
|
706
|
+
return pulumi.get(self, "accessor")
|
707
|
+
|
473
708
|
@property
|
474
709
|
@pulumi.getter
|
475
710
|
def credentials(self) -> pulumi.Output[Optional[str]]:
|
@@ -504,6 +739,33 @@ class SecretBackend(pulumi.CustomResource):
|
|
504
739
|
"""
|
505
740
|
return pulumi.get(self, "disable_remount")
|
506
741
|
|
742
|
+
@property
|
743
|
+
@pulumi.getter(name="identityTokenAudience")
|
744
|
+
def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
|
745
|
+
"""
|
746
|
+
The audience claim value for plugin identity
|
747
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
748
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
749
|
+
"""
|
750
|
+
return pulumi.get(self, "identity_token_audience")
|
751
|
+
|
752
|
+
@property
|
753
|
+
@pulumi.getter(name="identityTokenKey")
|
754
|
+
def identity_token_key(self) -> pulumi.Output[Optional[str]]:
|
755
|
+
"""
|
756
|
+
The key to use for signing plugin identity
|
757
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
758
|
+
"""
|
759
|
+
return pulumi.get(self, "identity_token_key")
|
760
|
+
|
761
|
+
@property
|
762
|
+
@pulumi.getter(name="identityTokenTtl")
|
763
|
+
def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
|
764
|
+
"""
|
765
|
+
The TTL of generated tokens.
|
766
|
+
"""
|
767
|
+
return pulumi.get(self, "identity_token_ttl")
|
768
|
+
|
507
769
|
@property
|
508
770
|
@pulumi.getter
|
509
771
|
def local(self) -> pulumi.Output[Optional[bool]]:
|
@@ -527,7 +789,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
527
789
|
"""
|
528
790
|
The namespace to provision the resource in.
|
529
791
|
The value should not contain leading or trailing forward slashes.
|
530
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
792
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
531
793
|
*Available only for Vault Enterprise*.
|
532
794
|
"""
|
533
795
|
return pulumi.get(self, "namespace")
|
@@ -541,3 +803,12 @@ class SecretBackend(pulumi.CustomResource):
|
|
541
803
|
"""
|
542
804
|
return pulumi.get(self, "path")
|
543
805
|
|
806
|
+
@property
|
807
|
+
@pulumi.getter(name="serviceAccountEmail")
|
808
|
+
def service_account_email(self) -> pulumi.Output[Optional[str]]:
|
809
|
+
"""
|
810
|
+
Service Account to impersonate for plugin workload identity federation.
|
811
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
812
|
+
"""
|
813
|
+
return pulumi.get(self, "service_account_email")
|
814
|
+
|