pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

Files changed (229)
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +22 -7
  5. pulumi_vault/ad/secret_backend.py +14 -144
  6. pulumi_vault/ad/secret_library.py +14 -11
  7. pulumi_vault/ad/secret_role.py +12 -11
  8. pulumi_vault/alicloud/auth_backend_role.py +74 -192
  9. pulumi_vault/approle/auth_backend_login.py +12 -11
  10. pulumi_vault/approle/auth_backend_role.py +75 -193
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
  13. pulumi_vault/audit.py +24 -27
  14. pulumi_vault/audit_request_header.py +11 -6
  15. pulumi_vault/auth_backend.py +64 -12
  16. pulumi_vault/aws/auth_backend_cert.py +12 -7
  17. pulumi_vault/aws/auth_backend_client.py +265 -24
  18. pulumi_vault/aws/auth_backend_config_identity.py +12 -11
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +75 -193
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
  24. pulumi_vault/aws/auth_backend_sts_role.py +12 -11
  25. pulumi_vault/aws/get_access_credentials.py +34 -7
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +75 -7
  28. pulumi_vault/aws/secret_backend_role.py +183 -11
  29. pulumi_vault/aws/secret_backend_static_role.py +14 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +151 -17
  32. pulumi_vault/azure/auth_backend_role.py +75 -193
  33. pulumi_vault/azure/backend.py +223 -29
  34. pulumi_vault/azure/backend_role.py +42 -41
  35. pulumi_vault/azure/get_access_credentials.py +39 -11
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -271
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +22 -25
  44. pulumi_vault/consul/secret_backend_role.py +14 -80
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +117 -114
  48. pulumi_vault/database/secret_backend_role.py +29 -24
  49. pulumi_vault/database/secret_backend_static_role.py +85 -15
  50. pulumi_vault/database/secrets_mount.py +425 -138
  51. pulumi_vault/egp_policy.py +16 -15
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +248 -35
  54. pulumi_vault/gcp/auth_backend_role.py +75 -271
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -9
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -16
  58. pulumi_vault/gcp/secret_impersonated_account.py +74 -17
  59. pulumi_vault/gcp/secret_roleset.py +29 -26
  60. pulumi_vault/gcp/secret_static_account.py +37 -34
  61. pulumi_vault/generic/endpoint.py +22 -21
  62. pulumi_vault/generic/get_secret.py +68 -12
  63. pulumi_vault/generic/secret.py +19 -14
  64. pulumi_vault/get_auth_backend.py +24 -11
  65. pulumi_vault/get_auth_backends.py +33 -11
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -15
  69. pulumi_vault/get_policy_document.py +34 -23
  70. pulumi_vault/get_raft_autopilot_state.py +29 -14
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +17 -16
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +14 -13
  75. pulumi_vault/github/user.py +14 -13
  76. pulumi_vault/identity/entity.py +18 -15
  77. pulumi_vault/identity/entity_alias.py +18 -15
  78. pulumi_vault/identity/entity_policies.py +24 -19
  79. pulumi_vault/identity/get_entity.py +40 -14
  80. pulumi_vault/identity/get_group.py +45 -13
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -11
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -13
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -14
  84. pulumi_vault/identity/group.py +50 -49
  85. pulumi_vault/identity/group_alias.py +14 -11
  86. pulumi_vault/identity/group_member_entity_ids.py +24 -74
  87. pulumi_vault/identity/group_member_group_ids.py +36 -27
  88. pulumi_vault/identity/group_policies.py +16 -15
  89. pulumi_vault/identity/mfa_duo.py +9 -8
  90. pulumi_vault/identity/mfa_login_enforcement.py +13 -8
  91. pulumi_vault/identity/mfa_okta.py +9 -8
  92. pulumi_vault/identity/mfa_pingid.py +5 -4
  93. pulumi_vault/identity/mfa_totp.py +5 -4
  94. pulumi_vault/identity/oidc.py +12 -11
  95. pulumi_vault/identity/oidc_assignment.py +22 -13
  96. pulumi_vault/identity/oidc_client.py +34 -25
  97. pulumi_vault/identity/oidc_key.py +28 -19
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
  99. pulumi_vault/identity/oidc_provider.py +34 -23
  100. pulumi_vault/identity/oidc_role.py +40 -27
  101. pulumi_vault/identity/oidc_scope.py +18 -15
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +39 -46
  105. pulumi_vault/jwt/auth_backend_role.py +131 -260
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +22 -21
  108. pulumi_vault/kmip/secret_role.py +12 -11
  109. pulumi_vault/kmip/secret_scope.py +12 -11
  110. pulumi_vault/kubernetes/auth_backend_config.py +55 -7
  111. pulumi_vault/kubernetes/auth_backend_role.py +68 -179
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -15
  115. pulumi_vault/kubernetes/secret_backend.py +314 -29
  116. pulumi_vault/kubernetes/secret_backend_role.py +135 -56
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +23 -12
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
  120. pulumi_vault/kv/get_secret_v2.py +89 -9
  121. pulumi_vault/kv/get_secrets_list.py +22 -15
  122. pulumi_vault/kv/get_secrets_list_v2.py +35 -19
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +19 -18
  125. pulumi_vault/kv/secret_backend_v2.py +12 -11
  126. pulumi_vault/kv/secret_v2.py +55 -52
  127. pulumi_vault/ldap/auth_backend.py +125 -168
  128. pulumi_vault/ldap/auth_backend_group.py +12 -11
  129. pulumi_vault/ldap/auth_backend_user.py +12 -11
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +352 -84
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +14 -11
  135. pulumi_vault/ldap/secret_backend_static_role.py +67 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +27 -43
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +16 -13
  140. pulumi_vault/mfa_okta.py +16 -13
  141. pulumi_vault/mfa_pingid.py +16 -13
  142. pulumi_vault/mfa_totp.py +22 -19
  143. pulumi_vault/mongodbatlas/secret_backend.py +18 -17
  144. pulumi_vault/mongodbatlas/secret_role.py +41 -38
  145. pulumi_vault/mount.py +389 -65
  146. pulumi_vault/namespace.py +26 -21
  147. pulumi_vault/nomad_secret_backend.py +16 -15
  148. pulumi_vault/nomad_secret_role.py +12 -11
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +483 -41
  151. pulumi_vault/okta/auth_backend_group.py +12 -11
  152. pulumi_vault/okta/auth_backend_user.py +12 -11
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +18 -15
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -13
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -12
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
  174. pulumi_vault/pkisecret/secret_backend_key.py +12 -7
  175. pulumi_vault/pkisecret/secret_backend_role.py +19 -16
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +12 -7
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +58 -8
  185. pulumi_vault/quota_rate_limit.py +54 -4
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +16 -15
  189. pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
  190. pulumi_vault/raft_autopilot.py +12 -11
  191. pulumi_vault/raft_snapshot_agent_config.py +121 -311
  192. pulumi_vault/rgp_policy.py +14 -13
  193. pulumi_vault/saml/auth_backend.py +20 -19
  194. pulumi_vault/saml/auth_backend_role.py +90 -199
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -75
  199. pulumi_vault/secrets/sync_aws_destination.py +240 -29
  200. pulumi_vault/secrets/sync_azure_destination.py +90 -33
  201. pulumi_vault/secrets/sync_config.py +7 -6
  202. pulumi_vault/secrets/sync_gcp_destination.py +156 -27
  203. pulumi_vault/secrets/sync_gh_destination.py +187 -15
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +72 -15
  206. pulumi_vault/ssh/_inputs.py +28 -32
  207. pulumi_vault/ssh/outputs.py +11 -32
  208. pulumi_vault/ssh/secret_backend_ca.py +106 -11
  209. pulumi_vault/ssh/secret_backend_role.py +83 -120
  210. pulumi_vault/terraformcloud/secret_backend.py +5 -56
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -24
  212. pulumi_vault/terraformcloud/secret_role.py +14 -76
  213. pulumi_vault/token.py +26 -25
  214. pulumi_vault/tokenauth/auth_backend_role.py +76 -201
  215. pulumi_vault/transform/alphabet.py +16 -13
  216. pulumi_vault/transform/get_decode.py +45 -21
  217. pulumi_vault/transform/get_encode.py +45 -21
  218. pulumi_vault/transform/role.py +16 -13
  219. pulumi_vault/transform/template.py +30 -25
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -25
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +25 -97
  224. pulumi_vault/transit/secret_cache_config.py +12 -11
  225. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['SecretBackendArgs', 'SecretBackend']
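Review bot: The `else` branch added after the `typing` import makes `typing_extensions` a hard import on interpreters older than 3.11, so the wheel has to declare it as a dependency or importing this module fails there. The METADATA change is listed for this release but its content is not shown alongside this hunk, so that declaration is worth confirming. None of `NotRequired`, `TypedDict` or `TypeAlias` is used in the hunks visible here; if they are only needed for typed-dict argument shapes elsewhere in the file, a short comment such as `# typed-dict input shapes need NotRequired (3.11+)` above the version check would explain the branch.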
@@ -16,31 +21,40 @@ class SecretBackendArgs:
16
21
  def __init__(__self__, *,
17
22
  path: pulumi.Input[str],
18
23
  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
24
+ allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
19
25
  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
20
26
  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
21
27
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
28
+ delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
22
29
  description: Optional[pulumi.Input[str]] = None,
23
30
  disable_local_ca_jwt: Optional[pulumi.Input[bool]] = None,
24
31
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
32
+ identity_token_key: Optional[pulumi.Input[str]] = None,
25
33
  kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
26
34
  kubernetes_host: Optional[pulumi.Input[str]] = None,
35
+ listing_visibility: Optional[pulumi.Input[str]] = None,
27
36
  local: Optional[pulumi.Input[bool]] = None,
28
37
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
29
38
  namespace: Optional[pulumi.Input[str]] = None,
30
- options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
39
+ options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
40
+ passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
41
+ plugin_version: Optional[pulumi.Input[str]] = None,
31
42
  seal_wrap: Optional[pulumi.Input[bool]] = None,
32
43
  service_account_jwt: Optional[pulumi.Input[str]] = None):
33
44
  """
34
45
  The set of arguments for constructing a SecretBackend resource.
35
46
  :param pulumi.Input[str] path: Where the secret backend will be mounted
36
47
  :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
48
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
37
49
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
38
50
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
39
51
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for tokens and secrets in seconds
52
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
40
53
  :param pulumi.Input[str] description: Human-friendly description of the mount
41
54
  :param pulumi.Input[bool] disable_local_ca_jwt: Disable defaulting to the local CA certificate and
42
55
  service account JWT when Vault is running in a Kubernetes pod.
43
56
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
57
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
44
58
  :param pulumi.Input[str] kubernetes_ca_cert: A PEM-encoded CA certificate used by the
45
59
  secrets engine to verify the Kubernetes API server certificate. Defaults to the local
46
60
  pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
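Review bot: The new docstring entries for `allowed_response_headers` and `delegated_auth_accessors` in `SecretBackendArgs.__init__` carry the same text as `passthrough_request_headers` ("List of headers to allow and pass from the request to the plugin"), which does not describe either option. Going by Vault's mount options, they would read `List of headers to allow, allowing a plugin to include them in the response` and `List of allowed authentication mount accessors the backend can request delegated authentication for`; the second governs delegated authentication rather than headers, so a wrong description invites misconfiguration. The same text is repeated in the property getters added at `@@ -116,6 +145,18 @@` and `@@ -152,6 +193,18 @@` and in the `_SecretBackendState` docstring at `@@ -301,32 +402,41 @@`. If this module is generated, the correction belongs in the upstream schema descriptions; the docstring itself continues past the end of this hunk.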
@@ -48,13 +62,16 @@ class SecretBackendArgs:
48
62
  :param pulumi.Input[str] kubernetes_host: The Kubernetes API URL to connect to. Required if the
49
63
  standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
50
64
  are not set on the host that Vault is running on.
65
+ :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
51
66
  :param pulumi.Input[bool] local: Local mount flag that can be explicitly set to true to enforce local mount in HA environment
52
67
  :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for tokens and secrets in seconds
53
68
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
54
69
  The value should not contain leading or trailing forward slashes.
55
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
70
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
56
71
  *Available only for Vault Enterprise*.
57
- :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
72
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
73
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
74
+ :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
58
75
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
59
76
  :param pulumi.Input[str] service_account_jwt: The JSON web token of the service account used by the
60
77
  secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
@@ -63,22 +80,30 @@ class SecretBackendArgs:
63
80
  pulumi.set(__self__, "path", path)
64
81
  if allowed_managed_keys is not None:
65
82
  pulumi.set(__self__, "allowed_managed_keys", allowed_managed_keys)
83
+ if allowed_response_headers is not None:
84
+ pulumi.set(__self__, "allowed_response_headers", allowed_response_headers)
66
85
  if audit_non_hmac_request_keys is not None:
67
86
  pulumi.set(__self__, "audit_non_hmac_request_keys", audit_non_hmac_request_keys)
68
87
  if audit_non_hmac_response_keys is not None:
69
88
  pulumi.set(__self__, "audit_non_hmac_response_keys", audit_non_hmac_response_keys)
70
89
  if default_lease_ttl_seconds is not None:
71
90
  pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
91
+ if delegated_auth_accessors is not None:
92
+ pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
72
93
  if description is not None:
73
94
  pulumi.set(__self__, "description", description)
74
95
  if disable_local_ca_jwt is not None:
75
96
  pulumi.set(__self__, "disable_local_ca_jwt", disable_local_ca_jwt)
76
97
  if external_entropy_access is not None:
77
98
  pulumi.set(__self__, "external_entropy_access", external_entropy_access)
99
+ if identity_token_key is not None:
100
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
78
101
  if kubernetes_ca_cert is not None:
79
102
  pulumi.set(__self__, "kubernetes_ca_cert", kubernetes_ca_cert)
80
103
  if kubernetes_host is not None:
81
104
  pulumi.set(__self__, "kubernetes_host", kubernetes_host)
105
+ if listing_visibility is not None:
106
+ pulumi.set(__self__, "listing_visibility", listing_visibility)
82
107
  if local is not None:
83
108
  pulumi.set(__self__, "local", local)
84
109
  if max_lease_ttl_seconds is not None:
@@ -87,6 +112,10 @@ class SecretBackendArgs:
87
112
  pulumi.set(__self__, "namespace", namespace)
88
113
  if options is not None:
89
114
  pulumi.set(__self__, "options", options)
115
+ if passthrough_request_headers is not None:
116
+ pulumi.set(__self__, "passthrough_request_headers", passthrough_request_headers)
117
+ if plugin_version is not None:
118
+ pulumi.set(__self__, "plugin_version", plugin_version)
90
119
  if seal_wrap is not None:
91
120
  pulumi.set(__self__, "seal_wrap", seal_wrap)
92
121
  if service_account_jwt is not None:
@@ -116,6 +145,18 @@ class SecretBackendArgs:
116
145
  def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
117
146
  pulumi.set(self, "allowed_managed_keys", value)
118
147
 
148
+ @property
149
+ @pulumi.getter(name="allowedResponseHeaders")
150
+ def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
151
+ """
152
+ List of headers to allow and pass from the request to the plugin
153
+ """
154
+ return pulumi.get(self, "allowed_response_headers")
155
+
156
+ @allowed_response_headers.setter
157
+ def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
158
+ pulumi.set(self, "allowed_response_headers", value)
159
+
119
160
  @property
120
161
  @pulumi.getter(name="auditNonHmacRequestKeys")
121
162
  def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -152,6 +193,18 @@ class SecretBackendArgs:
152
193
  def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
153
194
  pulumi.set(self, "default_lease_ttl_seconds", value)
154
195
 
196
+ @property
197
+ @pulumi.getter(name="delegatedAuthAccessors")
198
+ def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
199
+ """
200
+ List of headers to allow and pass from the request to the plugin
201
+ """
202
+ return pulumi.get(self, "delegated_auth_accessors")
203
+
204
+ @delegated_auth_accessors.setter
205
+ def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
206
+ pulumi.set(self, "delegated_auth_accessors", value)
207
+
155
208
  @property
156
209
  @pulumi.getter
157
210
  def description(self) -> Optional[pulumi.Input[str]]:
@@ -189,6 +242,18 @@ class SecretBackendArgs:
189
242
  def external_entropy_access(self, value: Optional[pulumi.Input[bool]]):
190
243
  pulumi.set(self, "external_entropy_access", value)
191
244
 
245
+ @property
246
+ @pulumi.getter(name="identityTokenKey")
247
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
248
+ """
249
+ The key to use for signing plugin workload identity tokens
250
+ """
251
+ return pulumi.get(self, "identity_token_key")
252
+
253
+ @identity_token_key.setter
254
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
255
+ pulumi.set(self, "identity_token_key", value)
256
+
192
257
  @property
193
258
  @pulumi.getter(name="kubernetesCaCert")
194
259
  def kubernetes_ca_cert(self) -> Optional[pulumi.Input[str]]:
@@ -218,6 +283,18 @@ class SecretBackendArgs:
218
283
  def kubernetes_host(self, value: Optional[pulumi.Input[str]]):
219
284
  pulumi.set(self, "kubernetes_host", value)
220
285
 
286
+ @property
287
+ @pulumi.getter(name="listingVisibility")
288
+ def listing_visibility(self) -> Optional[pulumi.Input[str]]:
289
+ """
290
+ Specifies whether to show this mount in the UI-specific listing endpoint
291
+ """
292
+ return pulumi.get(self, "listing_visibility")
293
+
294
+ @listing_visibility.setter
295
+ def listing_visibility(self, value: Optional[pulumi.Input[str]]):
296
+ pulumi.set(self, "listing_visibility", value)
297
+
221
298
  @property
222
299
  @pulumi.getter
223
300
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -248,7 +325,7 @@ class SecretBackendArgs:
248
325
  """
249
326
  The namespace to provision the resource in.
250
327
  The value should not contain leading or trailing forward slashes.
251
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
328
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
252
329
  *Available only for Vault Enterprise*.
253
330
  """
254
331
  return pulumi.get(self, "namespace")
@@ -259,16 +336,40 @@ class SecretBackendArgs:
259
336
 
260
337
  @property
261
338
  @pulumi.getter
262
- def options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
339
+ def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
263
340
  """
264
341
  Specifies mount type specific options that are passed to the backend
265
342
  """
266
343
  return pulumi.get(self, "options")
267
344
 
268
345
  @options.setter
269
- def options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
346
+ def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
270
347
  pulumi.set(self, "options", value)
271
348
 
349
+ @property
350
+ @pulumi.getter(name="passthroughRequestHeaders")
351
+ def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
352
+ """
353
+ List of headers to allow and pass from the request to the plugin
354
+ """
355
+ return pulumi.get(self, "passthrough_request_headers")
356
+
357
+ @passthrough_request_headers.setter
358
+ def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
359
+ pulumi.set(self, "passthrough_request_headers", value)
360
+
361
+ @property
362
+ @pulumi.getter(name="pluginVersion")
363
+ def plugin_version(self) -> Optional[pulumi.Input[str]]:
364
+ """
365
+ Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
366
+ """
367
+ return pulumi.get(self, "plugin_version")
368
+
369
+ @plugin_version.setter
370
+ def plugin_version(self, value: Optional[pulumi.Input[str]]):
371
+ pulumi.set(self, "plugin_version", value)
372
+
272
373
  @property
273
374
  @pulumi.getter(name="sealWrap")
274
375
  def seal_wrap(self) -> Optional[pulumi.Input[bool]]:
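Review bot: The `options` getter and setter now declare `Mapping[str, pulumi.Input[str]]` instead of `Mapping[str, Any]`, but the docstring still says only "Specifies mount type specific options that are passed to the backend", so callers that passed booleans or integers get no hint that values are now expected to be strings. The setter body is unchanged (`pulumi.set(self, "options", value)`), so nothing visible here enforces or converts the value type. I would extend the docstring to something like `Specifies mount type specific options that are passed to the backend. Values must be strings.` and call the narrowing out in the notes for this major version.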
@@ -301,32 +402,41 @@ class _SecretBackendState:
301
402
  def __init__(__self__, *,
302
403
  accessor: Optional[pulumi.Input[str]] = None,
303
404
  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
405
+ allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
304
406
  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
305
407
  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
306
408
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
409
+ delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
307
410
  description: Optional[pulumi.Input[str]] = None,
308
411
  disable_local_ca_jwt: Optional[pulumi.Input[bool]] = None,
309
412
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
413
+ identity_token_key: Optional[pulumi.Input[str]] = None,
310
414
  kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
311
415
  kubernetes_host: Optional[pulumi.Input[str]] = None,
416
+ listing_visibility: Optional[pulumi.Input[str]] = None,
312
417
  local: Optional[pulumi.Input[bool]] = None,
313
418
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
314
419
  namespace: Optional[pulumi.Input[str]] = None,
315
- options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
420
+ options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
421
+ passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
316
422
  path: Optional[pulumi.Input[str]] = None,
423
+ plugin_version: Optional[pulumi.Input[str]] = None,
317
424
  seal_wrap: Optional[pulumi.Input[bool]] = None,
318
425
  service_account_jwt: Optional[pulumi.Input[str]] = None):
319
426
  """
320
427
  Input properties used for looking up and filtering SecretBackend resources.
321
428
  :param pulumi.Input[str] accessor: Accessor of the mount
322
429
  :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
430
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
323
431
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
324
432
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
325
433
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for tokens and secrets in seconds
434
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
326
435
  :param pulumi.Input[str] description: Human-friendly description of the mount
327
436
  :param pulumi.Input[bool] disable_local_ca_jwt: Disable defaulting to the local CA certificate and
328
437
  service account JWT when Vault is running in a Kubernetes pod.
329
438
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
439
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
330
440
  :param pulumi.Input[str] kubernetes_ca_cert: A PEM-encoded CA certificate used by the
331
441
  secrets engine to verify the Kubernetes API server certificate. Defaults to the local
332
442
  pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
@@ -334,14 +444,17 @@ class _SecretBackendState:
334
444
  :param pulumi.Input[str] kubernetes_host: The Kubernetes API URL to connect to. Required if the
335
445
  standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
336
446
  are not set on the host that Vault is running on.
447
+ :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
337
448
  :param pulumi.Input[bool] local: Local mount flag that can be explicitly set to true to enforce local mount in HA environment
338
449
  :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for tokens and secrets in seconds
339
450
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
340
451
  The value should not contain leading or trailing forward slashes.
341
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
452
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
342
453
  *Available only for Vault Enterprise*.
343
- :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
454
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
455
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
344
456
  :param pulumi.Input[str] path: Where the secret backend will be mounted
457
+ :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
345
458
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
346
459
  :param pulumi.Input[str] service_account_jwt: The JSON web token of the service account used by the
347
460
  secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
@@ -351,22 +464,30 @@ class _SecretBackendState:
351
464
  pulumi.set(__self__, "accessor", accessor)
352
465
  if allowed_managed_keys is not None:
353
466
  pulumi.set(__self__, "allowed_managed_keys", allowed_managed_keys)
467
+ if allowed_response_headers is not None:
468
+ pulumi.set(__self__, "allowed_response_headers", allowed_response_headers)
354
469
  if audit_non_hmac_request_keys is not None:
355
470
  pulumi.set(__self__, "audit_non_hmac_request_keys", audit_non_hmac_request_keys)
356
471
  if audit_non_hmac_response_keys is not None:
357
472
  pulumi.set(__self__, "audit_non_hmac_response_keys", audit_non_hmac_response_keys)
358
473
  if default_lease_ttl_seconds is not None:
359
474
  pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
475
+ if delegated_auth_accessors is not None:
476
+ pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
360
477
  if description is not None:
361
478
  pulumi.set(__self__, "description", description)
362
479
  if disable_local_ca_jwt is not None:
363
480
  pulumi.set(__self__, "disable_local_ca_jwt", disable_local_ca_jwt)
364
481
  if external_entropy_access is not None:
365
482
  pulumi.set(__self__, "external_entropy_access", external_entropy_access)
483
+ if identity_token_key is not None:
484
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
366
485
  if kubernetes_ca_cert is not None:
367
486
  pulumi.set(__self__, "kubernetes_ca_cert", kubernetes_ca_cert)
368
487
  if kubernetes_host is not None:
369
488
  pulumi.set(__self__, "kubernetes_host", kubernetes_host)
489
+ if listing_visibility is not None:
490
+ pulumi.set(__self__, "listing_visibility", listing_visibility)
370
491
  if local is not None:
371
492
  pulumi.set(__self__, "local", local)
372
493
  if max_lease_ttl_seconds is not None:
@@ -375,8 +496,12 @@ class _SecretBackendState:
375
496
  pulumi.set(__self__, "namespace", namespace)
376
497
  if options is not None:
377
498
  pulumi.set(__self__, "options", options)
499
+ if passthrough_request_headers is not None:
500
+ pulumi.set(__self__, "passthrough_request_headers", passthrough_request_headers)
378
501
  if path is not None:
379
502
  pulumi.set(__self__, "path", path)
503
+ if plugin_version is not None:
504
+ pulumi.set(__self__, "plugin_version", plugin_version)
380
505
  if seal_wrap is not None:
381
506
  pulumi.set(__self__, "seal_wrap", seal_wrap)
382
507
  if service_account_jwt is not None:
@@ -406,6 +531,18 @@ class _SecretBackendState:
406
531
  def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
407
532
  pulumi.set(self, "allowed_managed_keys", value)
408
533
 
534
+ @property
535
+ @pulumi.getter(name="allowedResponseHeaders")
536
+ def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
537
+ """
538
+ List of headers to allow and pass from the request to the plugin
539
+ """
540
+ return pulumi.get(self, "allowed_response_headers")
541
+
542
+ @allowed_response_headers.setter
543
+ def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
544
+ pulumi.set(self, "allowed_response_headers", value)
545
+
409
546
  @property
410
547
  @pulumi.getter(name="auditNonHmacRequestKeys")
411
548
  def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
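Review bot: The docstring of the new `allowed_response_headers` property is the sentence that belongs to `passthrough_request_headers` ("List of headers to allow and pass from the request to the plugin"), so it describes request headers on a setting whose name is about response headers. The same sentence is attached to `delegated_auth_accessors` in the `@@ -442,6 +579,18 @@` hunk, to both `:param` entries in the `@@ -651,13 +853,16 @@` and `@@ -809,13 +1034,16 @@` hunks, and to the output getters in `@@ -875,6 +1112,14 @@` and `@@ -899,6 +1144,14 @@`. Both settings widen what a plugin mount may do, so a reader configuring them from this text can end up with the wrong allowlist. Suggested wording is `List of headers the plugin is allowed to set on the response` and `List of auth mount accessors this mount may request delegated authentication for`, to be checked against the Vault mount-tuning documentation. The enclosing class `_SecretBackendState` starts and ends outside the hunk.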
@@ -442,6 +579,18 @@ class _SecretBackendState:
442
579
  def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
443
580
  pulumi.set(self, "default_lease_ttl_seconds", value)
444
581
 
582
+ @property
583
+ @pulumi.getter(name="delegatedAuthAccessors")
584
+ def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
585
+ """
586
+ List of headers to allow and pass from the request to the plugin
587
+ """
588
+ return pulumi.get(self, "delegated_auth_accessors")
589
+
590
+ @delegated_auth_accessors.setter
591
+ def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
592
+ pulumi.set(self, "delegated_auth_accessors", value)
593
+
445
594
  @property
446
595
  @pulumi.getter
447
596
  def description(self) -> Optional[pulumi.Input[str]]:
@@ -479,6 +628,18 @@ class _SecretBackendState:
479
628
  def external_entropy_access(self, value: Optional[pulumi.Input[bool]]):
480
629
  pulumi.set(self, "external_entropy_access", value)
481
630
 
631
+ @property
632
+ @pulumi.getter(name="identityTokenKey")
633
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
634
+ """
635
+ The key to use for signing plugin workload identity tokens
636
+ """
637
+ return pulumi.get(self, "identity_token_key")
638
+
639
+ @identity_token_key.setter
640
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
641
+ pulumi.set(self, "identity_token_key", value)
642
+
482
643
  @property
483
644
  @pulumi.getter(name="kubernetesCaCert")
484
645
  def kubernetes_ca_cert(self) -> Optional[pulumi.Input[str]]:
@@ -508,6 +669,18 @@ class _SecretBackendState:
508
669
  def kubernetes_host(self, value: Optional[pulumi.Input[str]]):
509
670
  pulumi.set(self, "kubernetes_host", value)
510
671
 
672
+ @property
673
+ @pulumi.getter(name="listingVisibility")
674
+ def listing_visibility(self) -> Optional[pulumi.Input[str]]:
675
+ """
676
+ Specifies whether to show this mount in the UI-specific listing endpoint
677
+ """
678
+ return pulumi.get(self, "listing_visibility")
679
+
680
+ @listing_visibility.setter
681
+ def listing_visibility(self, value: Optional[pulumi.Input[str]]):
682
+ pulumi.set(self, "listing_visibility", value)
683
+
511
684
  @property
512
685
  @pulumi.getter
513
686
  def local(self) -> Optional[pulumi.Input[bool]]:
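Review bot: The `listing_visibility` docstring does not name the accepted values, and the property is typed as a free-form `str` that the setter passes to `pulumi.set` unchecked. Vault's mount tuning accepts `unauth` and `hidden` for this field, and `unauth` makes the mount appear in the UI listing for users who have not authenticated, which is worth stating where the option is chosen. Suggested docstring: `Whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".` The same text applies to the `:param listing_visibility` entries in the other hunks. The enclosing class starts and ends outside the hunk.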
@@ -538,7 +711,7 @@ class _SecretBackendState:
538
711
  """
539
712
  The namespace to provision the resource in.
540
713
  The value should not contain leading or trailing forward slashes.
541
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
714
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
542
715
  *Available only for Vault Enterprise*.
543
716
  """
544
717
  return pulumi.get(self, "namespace")
@@ -549,16 +722,28 @@ class _SecretBackendState:
549
722
 
550
723
  @property
551
724
  @pulumi.getter
552
- def options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
725
+ def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
553
726
  """
554
727
  Specifies mount type specific options that are passed to the backend
555
728
  """
556
729
  return pulumi.get(self, "options")
557
730
 
558
731
  @options.setter
559
- def options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
732
+ def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
560
733
  pulumi.set(self, "options", value)
561
734
 
735
+ @property
736
+ @pulumi.getter(name="passthroughRequestHeaders")
737
+ def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
738
+ """
739
+ List of headers to allow and pass from the request to the plugin
740
+ """
741
+ return pulumi.get(self, "passthrough_request_headers")
742
+
743
+ @passthrough_request_headers.setter
744
+ def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
745
+ pulumi.set(self, "passthrough_request_headers", value)
746
+
562
747
  @property
563
748
  @pulumi.getter
564
749
  def path(self) -> Optional[pulumi.Input[str]]:
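Review bot: The annotation on `options` narrows from `Mapping[str, Any]` to `Mapping[str, pulumi.Input[str]]`, but the docstring is unchanged and the setter still hands the value to `pulumi.set` without any check. A program that passed integers or booleans under the old signature gets no signal from this code that the contract changed; whether the provider rejects or coerces such values is not visible here. Add a sentence to the getter docstring and the `:param options` entries, for example `Values must be strings; convert numbers and booleans before passing them.` The enclosing class starts and ends outside the hunk.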
@@ -571,6 +756,18 @@ class _SecretBackendState:
571
756
  def path(self, value: Optional[pulumi.Input[str]]):
572
757
  pulumi.set(self, "path", value)
573
758
 
759
+ @property
760
+ @pulumi.getter(name="pluginVersion")
761
+ def plugin_version(self) -> Optional[pulumi.Input[str]]:
762
+ """
763
+ Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
764
+ """
765
+ return pulumi.get(self, "plugin_version")
766
+
767
+ @plugin_version.setter
768
+ def plugin_version(self, value: Optional[pulumi.Input[str]]):
769
+ pulumi.set(self, "plugin_version", value)
770
+
574
771
  @property
575
772
  @pulumi.getter(name="sealWrap")
576
773
  def seal_wrap(self) -> Optional[pulumi.Input[bool]]:
@@ -604,28 +801,34 @@ class SecretBackend(pulumi.CustomResource):
604
801
  resource_name: str,
605
802
  opts: Optional[pulumi.ResourceOptions] = None,
606
803
  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
804
+ allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
607
805
  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
608
806
  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
609
807
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
808
+ delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
610
809
  description: Optional[pulumi.Input[str]] = None,
611
810
  disable_local_ca_jwt: Optional[pulumi.Input[bool]] = None,
612
811
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
812
+ identity_token_key: Optional[pulumi.Input[str]] = None,
613
813
  kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
614
814
  kubernetes_host: Optional[pulumi.Input[str]] = None,
815
+ listing_visibility: Optional[pulumi.Input[str]] = None,
615
816
  local: Optional[pulumi.Input[bool]] = None,
616
817
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
617
818
  namespace: Optional[pulumi.Input[str]] = None,
618
- options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
819
+ options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
820
+ passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
619
821
  path: Optional[pulumi.Input[str]] = None,
822
+ plugin_version: Optional[pulumi.Input[str]] = None,
620
823
  seal_wrap: Optional[pulumi.Input[bool]] = None,
621
824
  service_account_jwt: Optional[pulumi.Input[str]] = None,
622
825
  __props__=None):
623
826
  """
624
827
  ## Example Usage
625
828
 
626
- <!--Start PulumiCodeChooser -->
627
829
  ```python
628
830
  import pulumi
831
+ import pulumi_std as std
629
832
  import pulumi_vault as vault
630
833
 
631
834
  config = vault.kubernetes.SecretBackend("config",
@@ -634,11 +837,10 @@ class SecretBackend(pulumi.CustomResource):
634
837
  default_lease_ttl_seconds=43200,
635
838
  max_lease_ttl_seconds=86400,
636
839
  kubernetes_host="https://127.0.0.1:61233",
637
- kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
638
- service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
840
+ kubernetes_ca_cert=std.file(input="/path/to/cert").result,
841
+ service_account_jwt=std.file(input="/path/to/token").result,
639
842
  disable_local_ca_jwt=False)
640
843
  ```
641
- <!--End PulumiCodeChooser -->
642
844
 
643
845
  ## Import
644
846
 
@@ -651,13 +853,16 @@ class SecretBackend(pulumi.CustomResource):
651
853
  :param str resource_name: The name of the resource.
652
854
  :param pulumi.ResourceOptions opts: Options for the resource.
653
855
  :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
856
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
654
857
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
655
858
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
656
859
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for tokens and secrets in seconds
860
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
657
861
  :param pulumi.Input[str] description: Human-friendly description of the mount
658
862
  :param pulumi.Input[bool] disable_local_ca_jwt: Disable defaulting to the local CA certificate and
659
863
  service account JWT when Vault is running in a Kubernetes pod.
660
864
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
865
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
661
866
  :param pulumi.Input[str] kubernetes_ca_cert: A PEM-encoded CA certificate used by the
662
867
  secrets engine to verify the Kubernetes API server certificate. Defaults to the local
663
868
  pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
@@ -665,14 +870,17 @@ class SecretBackend(pulumi.CustomResource):
665
870
  :param pulumi.Input[str] kubernetes_host: The Kubernetes API URL to connect to. Required if the
666
871
  standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
667
872
  are not set on the host that Vault is running on.
873
+ :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
668
874
  :param pulumi.Input[bool] local: Local mount flag that can be explicitly set to true to enforce local mount in HA environment
669
875
  :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for tokens and secrets in seconds
670
876
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
671
877
  The value should not contain leading or trailing forward slashes.
672
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
878
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
673
879
  *Available only for Vault Enterprise*.
674
- :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
880
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
881
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
675
882
  :param pulumi.Input[str] path: Where the secret backend will be mounted
883
+ :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
676
884
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
677
885
  :param pulumi.Input[str] service_account_jwt: The JSON web token of the service account used by the
678
886
  secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
@@ -687,9 +895,9 @@ class SecretBackend(pulumi.CustomResource):
687
895
  """
688
896
  ## Example Usage
689
897
 
690
- <!--Start PulumiCodeChooser -->
691
898
  ```python
692
899
  import pulumi
900
+ import pulumi_std as std
693
901
  import pulumi_vault as vault
694
902
 
695
903
  config = vault.kubernetes.SecretBackend("config",
@@ -698,11 +906,10 @@ class SecretBackend(pulumi.CustomResource):
698
906
  default_lease_ttl_seconds=43200,
699
907
  max_lease_ttl_seconds=86400,
700
908
  kubernetes_host="https://127.0.0.1:61233",
701
- kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
702
- service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
909
+ kubernetes_ca_cert=std.file(input="/path/to/cert").result,
910
+ service_account_jwt=std.file(input="/path/to/token").result,
703
911
  disable_local_ca_jwt=False)
704
912
  ```
705
- <!--End PulumiCodeChooser -->
706
913
 
707
914
  ## Import
708
915
 
@@ -728,19 +935,25 @@ class SecretBackend(pulumi.CustomResource):
728
935
  resource_name: str,
729
936
  opts: Optional[pulumi.ResourceOptions] = None,
730
937
  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
938
+ allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
731
939
  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
732
940
  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
733
941
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
942
+ delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
734
943
  description: Optional[pulumi.Input[str]] = None,
735
944
  disable_local_ca_jwt: Optional[pulumi.Input[bool]] = None,
736
945
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
946
+ identity_token_key: Optional[pulumi.Input[str]] = None,
737
947
  kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
738
948
  kubernetes_host: Optional[pulumi.Input[str]] = None,
949
+ listing_visibility: Optional[pulumi.Input[str]] = None,
739
950
  local: Optional[pulumi.Input[bool]] = None,
740
951
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
741
952
  namespace: Optional[pulumi.Input[str]] = None,
742
- options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
953
+ options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
954
+ passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
743
955
  path: Optional[pulumi.Input[str]] = None,
956
+ plugin_version: Optional[pulumi.Input[str]] = None,
744
957
  seal_wrap: Optional[pulumi.Input[bool]] = None,
745
958
  service_account_jwt: Optional[pulumi.Input[str]] = None,
746
959
  __props__=None):
@@ -753,21 +966,27 @@ class SecretBackend(pulumi.CustomResource):
753
966
  __props__ = SecretBackendArgs.__new__(SecretBackendArgs)
754
967
 
755
968
  __props__.__dict__["allowed_managed_keys"] = allowed_managed_keys
969
+ __props__.__dict__["allowed_response_headers"] = allowed_response_headers
756
970
  __props__.__dict__["audit_non_hmac_request_keys"] = audit_non_hmac_request_keys
757
971
  __props__.__dict__["audit_non_hmac_response_keys"] = audit_non_hmac_response_keys
758
972
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
973
+ __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
759
974
  __props__.__dict__["description"] = description
760
975
  __props__.__dict__["disable_local_ca_jwt"] = disable_local_ca_jwt
761
976
  __props__.__dict__["external_entropy_access"] = external_entropy_access
977
+ __props__.__dict__["identity_token_key"] = identity_token_key
762
978
  __props__.__dict__["kubernetes_ca_cert"] = kubernetes_ca_cert
763
979
  __props__.__dict__["kubernetes_host"] = kubernetes_host
980
+ __props__.__dict__["listing_visibility"] = listing_visibility
764
981
  __props__.__dict__["local"] = local
765
982
  __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
766
983
  __props__.__dict__["namespace"] = namespace
767
984
  __props__.__dict__["options"] = options
985
+ __props__.__dict__["passthrough_request_headers"] = passthrough_request_headers
768
986
  if path is None and not opts.urn:
769
987
  raise TypeError("Missing required property 'path'")
770
988
  __props__.__dict__["path"] = path
989
+ __props__.__dict__["plugin_version"] = plugin_version
771
990
  __props__.__dict__["seal_wrap"] = seal_wrap
772
991
  __props__.__dict__["service_account_jwt"] = None if service_account_jwt is None else pulumi.Output.secret(service_account_jwt)
773
992
  __props__.__dict__["accessor"] = None
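Review bot: `identity_token_key` is stored as a plain property on the added line, while `service_account_jwt` a few lines below is wrapped with `pulumi.Output.secret`, and the docstring ("The key to use for signing plugin workload identity tokens") does not say whether the value is a key name or key material. If it is the name of a key managed by Vault, which is what the `str` type and the absence of secret wrapping suggest, say so: `The name of the key used to sign plugin workload identity tokens.` If key material can be passed here, it should be wrapped the same way as the JWT. The docstring lives in the getter hunks (`@@ -479,6 +628,18 @@`, `@@ -924,6 +1177,14 @@`) and the `:param identity_token_key` entries; the enclosing method starts and ends outside this hunk.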
@@ -785,19 +1004,25 @@ class SecretBackend(pulumi.CustomResource):
785
1004
  opts: Optional[pulumi.ResourceOptions] = None,
786
1005
  accessor: Optional[pulumi.Input[str]] = None,
787
1006
  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1007
+ allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
788
1008
  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
789
1009
  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
790
1010
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
1011
+ delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
791
1012
  description: Optional[pulumi.Input[str]] = None,
792
1013
  disable_local_ca_jwt: Optional[pulumi.Input[bool]] = None,
793
1014
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
1015
+ identity_token_key: Optional[pulumi.Input[str]] = None,
794
1016
  kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
795
1017
  kubernetes_host: Optional[pulumi.Input[str]] = None,
1018
+ listing_visibility: Optional[pulumi.Input[str]] = None,
796
1019
  local: Optional[pulumi.Input[bool]] = None,
797
1020
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
798
1021
  namespace: Optional[pulumi.Input[str]] = None,
799
- options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1022
+ options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1023
+ passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
800
1024
  path: Optional[pulumi.Input[str]] = None,
1025
+ plugin_version: Optional[pulumi.Input[str]] = None,
801
1026
  seal_wrap: Optional[pulumi.Input[bool]] = None,
802
1027
  service_account_jwt: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
803
1028
  """
@@ -809,13 +1034,16 @@ class SecretBackend(pulumi.CustomResource):
809
1034
  :param pulumi.ResourceOptions opts: Options for the resource.
810
1035
  :param pulumi.Input[str] accessor: Accessor of the mount
811
1036
  :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
1037
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
812
1038
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
813
1039
  :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
814
1040
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for tokens and secrets in seconds
1041
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
815
1042
  :param pulumi.Input[str] description: Human-friendly description of the mount
816
1043
  :param pulumi.Input[bool] disable_local_ca_jwt: Disable defaulting to the local CA certificate and
817
1044
  service account JWT when Vault is running in a Kubernetes pod.
818
1045
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
1046
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
819
1047
  :param pulumi.Input[str] kubernetes_ca_cert: A PEM-encoded CA certificate used by the
820
1048
  secrets engine to verify the Kubernetes API server certificate. Defaults to the local
821
1049
  pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
@@ -823,14 +1051,17 @@ class SecretBackend(pulumi.CustomResource):
823
1051
  :param pulumi.Input[str] kubernetes_host: The Kubernetes API URL to connect to. Required if the
824
1052
  standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
825
1053
  are not set on the host that Vault is running on.
1054
+ :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
826
1055
  :param pulumi.Input[bool] local: Local mount flag that can be explicitly set to true to enforce local mount in HA environment
827
1056
  :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for tokens and secrets in seconds
828
1057
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
829
1058
  The value should not contain leading or trailing forward slashes.
830
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1059
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
831
1060
  *Available only for Vault Enterprise*.
832
- :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
1061
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
1062
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
833
1063
  :param pulumi.Input[str] path: Where the secret backend will be mounted
1064
+ :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
834
1065
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
835
1066
  :param pulumi.Input[str] service_account_jwt: The JSON web token of the service account used by the
836
1067
  secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
@@ -842,19 +1073,25 @@ class SecretBackend(pulumi.CustomResource):
842
1073
 
843
1074
  __props__.__dict__["accessor"] = accessor
844
1075
  __props__.__dict__["allowed_managed_keys"] = allowed_managed_keys
1076
+ __props__.__dict__["allowed_response_headers"] = allowed_response_headers
845
1077
  __props__.__dict__["audit_non_hmac_request_keys"] = audit_non_hmac_request_keys
846
1078
  __props__.__dict__["audit_non_hmac_response_keys"] = audit_non_hmac_response_keys
847
1079
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
1080
+ __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
848
1081
  __props__.__dict__["description"] = description
849
1082
  __props__.__dict__["disable_local_ca_jwt"] = disable_local_ca_jwt
850
1083
  __props__.__dict__["external_entropy_access"] = external_entropy_access
1084
+ __props__.__dict__["identity_token_key"] = identity_token_key
851
1085
  __props__.__dict__["kubernetes_ca_cert"] = kubernetes_ca_cert
852
1086
  __props__.__dict__["kubernetes_host"] = kubernetes_host
1087
+ __props__.__dict__["listing_visibility"] = listing_visibility
853
1088
  __props__.__dict__["local"] = local
854
1089
  __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
855
1090
  __props__.__dict__["namespace"] = namespace
856
1091
  __props__.__dict__["options"] = options
1092
+ __props__.__dict__["passthrough_request_headers"] = passthrough_request_headers
857
1093
  __props__.__dict__["path"] = path
1094
+ __props__.__dict__["plugin_version"] = plugin_version
858
1095
  __props__.__dict__["seal_wrap"] = seal_wrap
859
1096
  __props__.__dict__["service_account_jwt"] = service_account_jwt
860
1097
  return SecretBackend(resource_name, opts=opts, __props__=__props__)
@@ -875,6 +1112,14 @@ class SecretBackend(pulumi.CustomResource):
875
1112
  """
876
1113
  return pulumi.get(self, "allowed_managed_keys")
877
1114
 
1115
+ @property
1116
+ @pulumi.getter(name="allowedResponseHeaders")
1117
+ def allowed_response_headers(self) -> pulumi.Output[Optional[Sequence[str]]]:
1118
+ """
1119
+ List of headers to allow and pass from the request to the plugin
1120
+ """
1121
+ return pulumi.get(self, "allowed_response_headers")
1122
+
878
1123
  @property
879
1124
  @pulumi.getter(name="auditNonHmacRequestKeys")
880
1125
  def audit_non_hmac_request_keys(self) -> pulumi.Output[Sequence[str]]:
@@ -899,6 +1144,14 @@ class SecretBackend(pulumi.CustomResource):
899
1144
  """
900
1145
  return pulumi.get(self, "default_lease_ttl_seconds")
901
1146
 
1147
+ @property
1148
+ @pulumi.getter(name="delegatedAuthAccessors")
1149
+ def delegated_auth_accessors(self) -> pulumi.Output[Optional[Sequence[str]]]:
1150
+ """
1151
+ List of headers to allow and pass from the request to the plugin
1152
+ """
1153
+ return pulumi.get(self, "delegated_auth_accessors")
1154
+
902
1155
  @property
903
1156
  @pulumi.getter
904
1157
  def description(self) -> pulumi.Output[Optional[str]]:
@@ -924,6 +1177,14 @@ class SecretBackend(pulumi.CustomResource):
924
1177
  """
925
1178
  return pulumi.get(self, "external_entropy_access")
926
1179
 
1180
+ @property
1181
+ @pulumi.getter(name="identityTokenKey")
1182
+ def identity_token_key(self) -> pulumi.Output[Optional[str]]:
1183
+ """
1184
+ The key to use for signing plugin workload identity tokens
1185
+ """
1186
+ return pulumi.get(self, "identity_token_key")
1187
+
927
1188
  @property
928
1189
  @pulumi.getter(name="kubernetesCaCert")
929
1190
  def kubernetes_ca_cert(self) -> pulumi.Output[Optional[str]]:
@@ -945,6 +1206,14 @@ class SecretBackend(pulumi.CustomResource):
945
1206
  """
946
1207
  return pulumi.get(self, "kubernetes_host")
947
1208
 
1209
+ @property
1210
+ @pulumi.getter(name="listingVisibility")
1211
+ def listing_visibility(self) -> pulumi.Output[Optional[str]]:
1212
+ """
1213
+ Specifies whether to show this mount in the UI-specific listing endpoint
1214
+ """
1215
+ return pulumi.get(self, "listing_visibility")
1216
+
948
1217
  @property
949
1218
  @pulumi.getter
950
1219
  def local(self) -> pulumi.Output[Optional[bool]]:
@@ -967,19 +1236,27 @@ class SecretBackend(pulumi.CustomResource):
967
1236
  """
968
1237
  The namespace to provision the resource in.
969
1238
  The value should not contain leading or trailing forward slashes.
970
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1239
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
971
1240
  *Available only for Vault Enterprise*.
972
1241
  """
973
1242
  return pulumi.get(self, "namespace")
974
1243
 
975
1244
  @property
976
1245
  @pulumi.getter
977
- def options(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
1246
+ def options(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
978
1247
  """
979
1248
  Specifies mount type specific options that are passed to the backend
980
1249
  """
981
1250
  return pulumi.get(self, "options")
982
1251
 
1252
+ @property
1253
+ @pulumi.getter(name="passthroughRequestHeaders")
1254
+ def passthrough_request_headers(self) -> pulumi.Output[Optional[Sequence[str]]]:
1255
+ """
1256
+ List of headers to allow and pass from the request to the plugin
1257
+ """
1258
+ return pulumi.get(self, "passthrough_request_headers")
1259
+
983
1260
  @property
984
1261
  @pulumi.getter
985
1262
  def path(self) -> pulumi.Output[str]:
@@ -988,6 +1265,14 @@ class SecretBackend(pulumi.CustomResource):
988
1265
  """
989
1266
  return pulumi.get(self, "path")
990
1267
 
1268
+ @property
1269
+ @pulumi.getter(name="pluginVersion")
1270
+ def plugin_version(self) -> pulumi.Output[Optional[str]]:
1271
+ """
1272
+ Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
1273
+ """
1274
+ return pulumi.get(self, "plugin_version")
1275
+
991
1276
  @property
992
1277
  @pulumi.getter(name="sealWrap")
993
1278
  def seal_wrap(self) -> pulumi.Output[bool]: