PyPI - pulumi-vault - Versions diffs - 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl - Mend

pulumi-vault 5.21.0a1710160723py3-none-any.whl → 6.5.0a1736836139py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

pulumi_vault/__init__.py +52 -0
pulumi_vault/_inputs.py +560 -0
pulumi_vault/_utilities.py +41 -5
pulumi_vault/ad/get_access_credentials.py +22 -7
pulumi_vault/ad/secret_backend.py +14 -144
pulumi_vault/ad/secret_library.py +14 -11
pulumi_vault/ad/secret_role.py +12 -11
pulumi_vault/alicloud/auth_backend_role.py +74 -192
pulumi_vault/approle/auth_backend_login.py +12 -11
pulumi_vault/approle/auth_backend_role.py +75 -193
pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
pulumi_vault/audit.py +24 -27
pulumi_vault/audit_request_header.py +11 -6
pulumi_vault/auth_backend.py +64 -12
pulumi_vault/aws/auth_backend_cert.py +12 -7
pulumi_vault/aws/auth_backend_client.py +265 -24
pulumi_vault/aws/auth_backend_config_identity.py +12 -11
pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
pulumi_vault/aws/auth_backend_login.py +19 -22
pulumi_vault/aws/auth_backend_role.py +75 -193
pulumi_vault/aws/auth_backend_role_tag.py +12 -7
pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
pulumi_vault/aws/auth_backend_sts_role.py +12 -11
pulumi_vault/aws/get_access_credentials.py +34 -7
pulumi_vault/aws/get_static_access_credentials.py +19 -5
pulumi_vault/aws/secret_backend.py +75 -7
pulumi_vault/aws/secret_backend_role.py +183 -11
pulumi_vault/aws/secret_backend_static_role.py +14 -11
pulumi_vault/azure/_inputs.py +24 -0
pulumi_vault/azure/auth_backend_config.py +151 -17
pulumi_vault/azure/auth_backend_role.py +75 -193
pulumi_vault/azure/backend.py +223 -29
pulumi_vault/azure/backend_role.py +42 -41
pulumi_vault/azure/get_access_credentials.py +39 -11
pulumi_vault/azure/outputs.py +5 -0
pulumi_vault/cert_auth_backend_role.py +87 -271
pulumi_vault/config/__init__.pyi +5 -0
pulumi_vault/config/_inputs.py +73 -0
pulumi_vault/config/outputs.py +35 -0
pulumi_vault/config/ui_custom_message.py +529 -0
pulumi_vault/config/vars.py +5 -0
pulumi_vault/consul/secret_backend.py +22 -25
pulumi_vault/consul/secret_backend_role.py +14 -80
pulumi_vault/database/_inputs.py +2770 -881
pulumi_vault/database/outputs.py +721 -838
pulumi_vault/database/secret_backend_connection.py +117 -114
pulumi_vault/database/secret_backend_role.py +29 -24
pulumi_vault/database/secret_backend_static_role.py +85 -15
pulumi_vault/database/secrets_mount.py +425 -138
pulumi_vault/egp_policy.py +16 -15
pulumi_vault/gcp/_inputs.py +111 -0
pulumi_vault/gcp/auth_backend.py +248 -35
pulumi_vault/gcp/auth_backend_role.py +75 -271
pulumi_vault/gcp/get_auth_backend_role.py +43 -9
pulumi_vault/gcp/outputs.py +5 -0
pulumi_vault/gcp/secret_backend.py +287 -16
pulumi_vault/gcp/secret_impersonated_account.py +74 -17
pulumi_vault/gcp/secret_roleset.py +29 -26
pulumi_vault/gcp/secret_static_account.py +37 -34
pulumi_vault/generic/endpoint.py +22 -21
pulumi_vault/generic/get_secret.py +68 -12
pulumi_vault/generic/secret.py +19 -14
pulumi_vault/get_auth_backend.py +24 -11
pulumi_vault/get_auth_backends.py +33 -11
pulumi_vault/get_namespace.py +226 -0
pulumi_vault/get_namespaces.py +153 -0
pulumi_vault/get_nomad_access_token.py +31 -15
pulumi_vault/get_policy_document.py +34 -23
pulumi_vault/get_raft_autopilot_state.py +29 -14
pulumi_vault/github/_inputs.py +55 -0
pulumi_vault/github/auth_backend.py +17 -16
pulumi_vault/github/outputs.py +5 -0
pulumi_vault/github/team.py +14 -13
pulumi_vault/github/user.py +14 -13
pulumi_vault/identity/entity.py +18 -15
pulumi_vault/identity/entity_alias.py +18 -15
pulumi_vault/identity/entity_policies.py +24 -19
pulumi_vault/identity/get_entity.py +40 -14
pulumi_vault/identity/get_group.py +45 -13
pulumi_vault/identity/get_oidc_client_creds.py +21 -11
pulumi_vault/identity/get_oidc_openid_config.py +39 -13
pulumi_vault/identity/get_oidc_public_keys.py +29 -14
pulumi_vault/identity/group.py +50 -49
pulumi_vault/identity/group_alias.py +14 -11
pulumi_vault/identity/group_member_entity_ids.py +24 -74
pulumi_vault/identity/group_member_group_ids.py +36 -27
pulumi_vault/identity/group_policies.py +16 -15
pulumi_vault/identity/mfa_duo.py +9 -8
pulumi_vault/identity/mfa_login_enforcement.py +13 -8
pulumi_vault/identity/mfa_okta.py +9 -8
pulumi_vault/identity/mfa_pingid.py +5 -4
pulumi_vault/identity/mfa_totp.py +5 -4
pulumi_vault/identity/oidc.py +12 -11
pulumi_vault/identity/oidc_assignment.py +22 -13
pulumi_vault/identity/oidc_client.py +34 -25
pulumi_vault/identity/oidc_key.py +28 -19
pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
pulumi_vault/identity/oidc_provider.py +34 -23
pulumi_vault/identity/oidc_role.py +40 -27
pulumi_vault/identity/oidc_scope.py +18 -15
pulumi_vault/identity/outputs.py +8 -3
pulumi_vault/jwt/_inputs.py +55 -0
pulumi_vault/jwt/auth_backend.py +39 -46
pulumi_vault/jwt/auth_backend_role.py +131 -260
pulumi_vault/jwt/outputs.py +5 -0
pulumi_vault/kmip/secret_backend.py +22 -21
pulumi_vault/kmip/secret_role.py +12 -11
pulumi_vault/kmip/secret_scope.py +12 -11
pulumi_vault/kubernetes/auth_backend_config.py +55 -7
pulumi_vault/kubernetes/auth_backend_role.py +68 -179
pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
pulumi_vault/kubernetes/get_service_account_token.py +39 -15
pulumi_vault/kubernetes/secret_backend.py +314 -29
pulumi_vault/kubernetes/secret_backend_role.py +135 -56
pulumi_vault/kv/_inputs.py +36 -4
pulumi_vault/kv/get_secret.py +23 -12
pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
pulumi_vault/kv/get_secret_v2.py +89 -9
pulumi_vault/kv/get_secrets_list.py +22 -15
pulumi_vault/kv/get_secrets_list_v2.py +35 -19
pulumi_vault/kv/outputs.py +8 -3
pulumi_vault/kv/secret.py +19 -18
pulumi_vault/kv/secret_backend_v2.py +12 -11
pulumi_vault/kv/secret_v2.py +55 -52
pulumi_vault/ldap/auth_backend.py +125 -168
pulumi_vault/ldap/auth_backend_group.py +12 -11
pulumi_vault/ldap/auth_backend_user.py +12 -11
pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
pulumi_vault/ldap/get_static_credentials.py +24 -5
pulumi_vault/ldap/secret_backend.py +352 -84
pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
pulumi_vault/ldap/secret_backend_library_set.py +14 -11
pulumi_vault/ldap/secret_backend_static_role.py +67 -12
pulumi_vault/managed/_inputs.py +289 -132
pulumi_vault/managed/keys.py +27 -43
pulumi_vault/managed/outputs.py +89 -132
pulumi_vault/mfa_duo.py +16 -13
pulumi_vault/mfa_okta.py +16 -13
pulumi_vault/mfa_pingid.py +16 -13
pulumi_vault/mfa_totp.py +22 -19
pulumi_vault/mongodbatlas/secret_backend.py +18 -17
pulumi_vault/mongodbatlas/secret_role.py +41 -38
pulumi_vault/mount.py +389 -65
pulumi_vault/namespace.py +26 -21
pulumi_vault/nomad_secret_backend.py +16 -15
pulumi_vault/nomad_secret_role.py +12 -11
pulumi_vault/okta/_inputs.py +47 -8
pulumi_vault/okta/auth_backend.py +483 -41
pulumi_vault/okta/auth_backend_group.py +12 -11
pulumi_vault/okta/auth_backend_user.py +12 -11
pulumi_vault/okta/outputs.py +13 -8
pulumi_vault/outputs.py +5 -0
pulumi_vault/password_policy.py +18 -15
pulumi_vault/pkisecret/__init__.py +3 -0
pulumi_vault/pkisecret/_inputs.py +81 -0
pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
pulumi_vault/pkisecret/backend_config_est.py +619 -0
pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
pulumi_vault/pkisecret/get_backend_key.py +24 -13
pulumi_vault/pkisecret/get_backend_keys.py +21 -12
pulumi_vault/pkisecret/outputs.py +69 -0
pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
pulumi_vault/pkisecret/secret_backend_key.py +12 -7
pulumi_vault/pkisecret/secret_backend_role.py +19 -16
pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
pulumi_vault/plugin.py +595 -0
pulumi_vault/plugin_pinned_version.py +298 -0
pulumi_vault/policy.py +12 -7
pulumi_vault/provider.py +48 -53
pulumi_vault/pulumi-plugin.json +2 -1
pulumi_vault/quota_lease_count.py +58 -8
pulumi_vault/quota_rate_limit.py +54 -4
pulumi_vault/rabbitmq/_inputs.py +61 -0
pulumi_vault/rabbitmq/outputs.py +5 -0
pulumi_vault/rabbitmq/secret_backend.py +16 -15
pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
pulumi_vault/raft_autopilot.py +12 -11
pulumi_vault/raft_snapshot_agent_config.py +121 -311
pulumi_vault/rgp_policy.py +14 -13
pulumi_vault/saml/auth_backend.py +20 -19
pulumi_vault/saml/auth_backend_role.py +90 -199
pulumi_vault/secrets/__init__.py +3 -0
pulumi_vault/secrets/_inputs.py +110 -0
pulumi_vault/secrets/outputs.py +94 -0
pulumi_vault/secrets/sync_association.py +56 -75
pulumi_vault/secrets/sync_aws_destination.py +240 -29
pulumi_vault/secrets/sync_azure_destination.py +90 -33
pulumi_vault/secrets/sync_config.py +7 -6
pulumi_vault/secrets/sync_gcp_destination.py +156 -27
pulumi_vault/secrets/sync_gh_destination.py +187 -15
pulumi_vault/secrets/sync_github_apps.py +375 -0
pulumi_vault/secrets/sync_vercel_destination.py +72 -15
pulumi_vault/ssh/_inputs.py +28 -32
pulumi_vault/ssh/outputs.py +11 -32
pulumi_vault/ssh/secret_backend_ca.py +106 -11
pulumi_vault/ssh/secret_backend_role.py +83 -120
pulumi_vault/terraformcloud/secret_backend.py +5 -56
pulumi_vault/terraformcloud/secret_creds.py +14 -24
pulumi_vault/terraformcloud/secret_role.py +14 -76
pulumi_vault/token.py +26 -25
pulumi_vault/tokenauth/auth_backend_role.py +76 -201
pulumi_vault/transform/alphabet.py +16 -13
pulumi_vault/transform/get_decode.py +45 -21
pulumi_vault/transform/get_encode.py +45 -21
pulumi_vault/transform/role.py +16 -13
pulumi_vault/transform/template.py +30 -25
pulumi_vault/transform/transformation.py +12 -7
pulumi_vault/transit/get_decrypt.py +26 -25
pulumi_vault/transit/get_encrypt.py +24 -19
pulumi_vault/transit/secret_backend_key.py +25 -97
pulumi_vault/transit/secret_cache_config.py +12 -11
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0

pulumi_vault/kubernetes/secret_backend_role.py CHANGED Viewed

@@ -4,9 +4,14 @@
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
@@ -14,8 +19,9 @@ __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
 @pulumi.input_type
 class SecretBackendRoleArgs:
     def __init__(__self__, *,
-                 allowed_kubernetes_namespaces: pulumi.Input[Sequence[pulumi.Input[str]]],
                  backend: pulumi.Input[str],
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
+                 allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  extra_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  generated_role_rules: Optional[pulumi.Input[str]] = None,
@@ -29,10 +35,15 @@ class SecretBackendRoleArgs:
                  token_max_ttl: Optional[pulumi.Input[int]] = None):
         """
         The set of arguments for constructing a SecretBackendRole resource.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role
-               can generate credentials for. If set to `*` all namespaces are allowed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated
                Kubernetes objects.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_labels: Additional labels to apply to all generated Kubernetes
@@ -54,7 +65,7 @@ class SecretBackendRoleArgs:
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -62,8 +73,11 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[int] token_default_ttl: The default TTL for generated Kubernetes tokens in seconds.
         :param pulumi.Input[int] token_max_ttl: The maximum TTL for generated Kubernetes tokens in seconds.
         """
-        pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         pulumi.set(__self__, "backend", backend)
+        if allowed_kubernetes_namespace_selector is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespace_selector", allowed_kubernetes_namespace_selector)
+        if allowed_kubernetes_namespaces is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         if extra_annotations is not None:
             pulumi.set(__self__, "extra_annotations", extra_annotations)
         if extra_labels is not None:
@@ -87,19 +101,6 @@ class SecretBackendRoleArgs:
         if token_max_ttl is not None:
             pulumi.set(__self__, "token_max_ttl", token_max_ttl)
-    @property
-    @pulumi.getter(name="allowedKubernetesNamespaces")
-    def allowed_kubernetes_namespaces(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
-        """
-        The list of Kubernetes namespaces this role
-        can generate credentials for. If set to `*` all namespaces are allowed.
-        """
-        return pulumi.get(self, "allowed_kubernetes_namespaces")
-    @allowed_kubernetes_namespaces.setter
-    def allowed_kubernetes_namespaces(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
-        pulumi.set(self, "allowed_kubernetes_namespaces", value)
     @property
     @pulumi.getter
     def backend(self) -> pulumi.Input[str]:
@@ -113,6 +114,35 @@ class SecretBackendRoleArgs:
     def backend(self, value: pulumi.Input[str]):
         pulumi.set(self, "backend", value)
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> Optional[pulumi.Input[str]]:
+        """
+        A label selector for Kubernetes namespaces
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+    @allowed_kubernetes_namespace_selector.setter
+    def allowed_kubernetes_namespace_selector(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "allowed_kubernetes_namespace_selector", value)
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaces")
+    def allowed_kubernetes_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        The list of Kubernetes namespaces this role
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespaces")
+    @allowed_kubernetes_namespaces.setter
+    def allowed_kubernetes_namespaces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "allowed_kubernetes_namespaces", value)
     @property
     @pulumi.getter(name="extraAnnotations")
     def extra_annotations(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
@@ -215,7 +245,7 @@ class SecretBackendRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -266,6 +296,7 @@ class SecretBackendRoleArgs:
 @pulumi.input_type
 class _SecretBackendRoleState:
     def __init__(__self__, *,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -281,8 +312,13 @@ class _SecretBackendRoleState:
                  token_max_ttl: Optional[pulumi.Input[int]] = None):
         """
         Input properties used for looking up and filtering SecretBackendRole resources.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated
@@ -306,7 +342,7 @@ class _SecretBackendRoleState:
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -314,6 +350,8 @@ class _SecretBackendRoleState:
         :param pulumi.Input[int] token_default_ttl: The default TTL for generated Kubernetes tokens in seconds.
         :param pulumi.Input[int] token_max_ttl: The maximum TTL for generated Kubernetes tokens in seconds.
         """
+        if allowed_kubernetes_namespace_selector is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespace_selector", allowed_kubernetes_namespace_selector)
         if allowed_kubernetes_namespaces is not None:
             pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         if backend is not None:
@@ -341,12 +379,28 @@ class _SecretBackendRoleState:
         if token_max_ttl is not None:
             pulumi.set(__self__, "token_max_ttl", token_max_ttl)
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> Optional[pulumi.Input[str]]:
+        """
+        A label selector for Kubernetes namespaces
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+    @allowed_kubernetes_namespace_selector.setter
+    def allowed_kubernetes_namespace_selector(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "allowed_kubernetes_namespace_selector", value)
     @property
     @pulumi.getter(name="allowedKubernetesNamespaces")
     def allowed_kubernetes_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
         The list of Kubernetes namespaces this role
-        can generate credentials for. If set to `*` all namespaces are allowed.
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         """
         return pulumi.get(self, "allowed_kubernetes_namespaces")
@@ -469,7 +523,7 @@ class _SecretBackendRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -522,6 +576,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -541,20 +596,21 @@ class SecretBackendRole(pulumi.CustomResource):
         Example using `service_account_name` mode:
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         sa_example = vault.kubernetes.SecretBackendRole("sa-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -568,24 +624,24 @@ class SecretBackendRole(pulumi.CustomResource):
                 "location": "earth",
             })
         ```
-        <!--End PulumiCodeChooser -->
         Example using `kubernetes_role_name` mode:
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         name_example = vault.kubernetes.SecretBackendRole("name-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -599,24 +655,24 @@ class SecretBackendRole(pulumi.CustomResource):
                 "location": "earth",
             })
         ```
-        <!--End PulumiCodeChooser -->
         Example using `generated_role_rules` mode:
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         rules_example = vault.kubernetes.SecretBackendRole("rules-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -635,7 +691,6 @@ class SecretBackendRole(pulumi.CustomResource):
                 "location": "earth",
             })
         ```
-        <!--End PulumiCodeChooser -->
         ## Import
@@ -649,8 +704,13 @@ class SecretBackendRole(pulumi.CustomResource):
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated
@@ -674,7 +734,7 @@ class SecretBackendRole(pulumi.CustomResource):
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -693,20 +753,21 @@ class SecretBackendRole(pulumi.CustomResource):
         Example using `service_account_name` mode:
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         sa_example = vault.kubernetes.SecretBackendRole("sa-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -720,24 +781,24 @@ class SecretBackendRole(pulumi.CustomResource):
                 "location": "earth",
             })
         ```
-        <!--End PulumiCodeChooser -->
         Example using `kubernetes_role_name` mode:
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         name_example = vault.kubernetes.SecretBackendRole("name-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -751,24 +812,24 @@ class SecretBackendRole(pulumi.CustomResource):
                 "location": "earth",
             })
         ```
-        <!--End PulumiCodeChooser -->
         Example using `generated_role_rules` mode:
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
+        import pulumi_std as std
         import pulumi_vault as vault
         config = vault.kubernetes.SecretBackend("config",
             path="kubernetes",
             description="kubernetes secrets engine description",
             kubernetes_host="https://127.0.0.1:61233",
-            kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
-            service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
+            kubernetes_ca_cert=std.file(input="/path/to/cert").result,
+            service_account_jwt=std.file(input="/path/to/token").result,
             disable_local_ca_jwt=False)
         rules_example = vault.kubernetes.SecretBackendRole("rules-example",
             backend=config.path,
+            name="service-account-name-role",
             allowed_kubernetes_namespaces=["*"],
             token_max_ttl=43200,
             token_default_ttl=21600,
@@ -787,7 +848,6 @@ class SecretBackendRole(pulumi.CustomResource):
                 "location": "earth",
             })
         ```
-        <!--End PulumiCodeChooser -->
         ## Import
@@ -814,6 +874,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -836,8 +897,7 @@ class SecretBackendRole(pulumi.CustomResource):
                 raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
             __props__ = SecretBackendRoleArgs.__new__(SecretBackendRoleArgs)
-            if allowed_kubernetes_namespaces is None and not opts.urn:
-                raise TypeError("Missing required property 'allowed_kubernetes_namespaces'")
+            __props__.__dict__["allowed_kubernetes_namespace_selector"] = allowed_kubernetes_namespace_selector
             __props__.__dict__["allowed_kubernetes_namespaces"] = allowed_kubernetes_namespaces
             if backend is None and not opts.urn:
                 raise TypeError("Missing required property 'backend'")
@@ -863,6 +923,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
+            allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
             allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -883,8 +944,13 @@ class SecretBackendRole(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated
@@ -908,7 +974,7 @@ class SecretBackendRole(pulumi.CustomResource):
                roles and role bindings. If unset, a default template is used.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] service_account_name: The pre-existing service account to generate tokens for.
                Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
@@ -920,6 +986,7 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__ = _SecretBackendRoleState.__new__(_SecretBackendRoleState)
+        __props__.__dict__["allowed_kubernetes_namespace_selector"] = allowed_kubernetes_namespace_selector
         __props__.__dict__["allowed_kubernetes_namespaces"] = allowed_kubernetes_namespaces
         __props__.__dict__["backend"] = backend
         __props__.__dict__["extra_annotations"] = extra_annotations
@@ -935,12 +1002,24 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["token_max_ttl"] = token_max_ttl
         return SecretBackendRole(resource_name, opts=opts, __props__=__props__)
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> pulumi.Output[Optional[str]]:
+        """
+        A label selector for Kubernetes namespaces
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
     @property
     @pulumi.getter(name="allowedKubernetesNamespaces")
-    def allowed_kubernetes_namespaces(self) -> pulumi.Output[Sequence[str]]:
+    def allowed_kubernetes_namespaces(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
         The list of Kubernetes namespaces this role
-        can generate credentials for. If set to `*` all namespaces are allowed.
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         """
         return pulumi.get(self, "allowed_kubernetes_namespaces")
@@ -1027,7 +1106,7 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kv/_inputs.py CHANGED Viewed

@@ -4,25 +4,57 @@
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 __all__ = [
     'SecretV2CustomMetadataArgs',
+    'SecretV2CustomMetadataArgsDict',
 ]
+MYPY = False
+if not MYPY:
+    class SecretV2CustomMetadataArgsDict(TypedDict):
+        cas_required: NotRequired[pulumi.Input[bool]]
+        """
+        If true, all keys will require the cas parameter to be set on all write requests.
+        """
+        data: NotRequired[pulumi.Input[Mapping[str, pulumi.Input[str]]]]
+        """
+        A mapping whose keys are the top-level data keys returned from
+        Vault and whose values are the corresponding values. This map can only
+        represent string data, so any non-string values returned from Vault are
+        serialized as JSON.
+        """
+        delete_version_after: NotRequired[pulumi.Input[int]]
+        """
+        If set, specifies the length of time before a version is deleted.
+        """
+        max_versions: NotRequired[pulumi.Input[int]]
+        """
+        The number of versions to keep per key.
+        """
+elif False:
+    SecretV2CustomMetadataArgsDict: TypeAlias = Mapping[str, Any]
 @pulumi.input_type
 class SecretV2CustomMetadataArgs:
     def __init__(__self__, *,
                  cas_required: Optional[pulumi.Input[bool]] = None,
-                 data: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 data: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  delete_version_after: Optional[pulumi.Input[int]] = None,
                  max_versions: Optional[pulumi.Input[int]] = None):
         """
         :param pulumi.Input[bool] cas_required: If true, all keys will require the cas parameter to be set on all write requests.
-        :param pulumi.Input[Mapping[str, Any]] data: A mapping whose keys are the top-level data keys returned from
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] data: A mapping whose keys are the top-level data keys returned from
                Vault and whose values are the corresponding values. This map can only
                represent string data, so any non-string values returned from Vault are
                serialized as JSON.
@@ -52,7 +84,7 @@ class SecretV2CustomMetadataArgs:
     @property
     @pulumi.getter
-    def data(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def data(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         A mapping whose keys are the top-level data keys returned from
         Vault and whose values are the corresponding values. This map can only
@@ -62,7 +94,7 @@ class SecretV2CustomMetadataArgs:
         return pulumi.get(self, "data")
     @data.setter
-    def data(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def data(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "data", value)
     @property

pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

pulumi-vault 5.21.0a1710160723py3-none-any.whl → 6.5.0a1736836139py3-none-any.whl