pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +22 -7
- pulumi_vault/ad/secret_backend.py +14 -144
- pulumi_vault/ad/secret_library.py +14 -11
- pulumi_vault/ad/secret_role.py +12 -11
- pulumi_vault/alicloud/auth_backend_role.py +74 -192
- pulumi_vault/approle/auth_backend_login.py +12 -11
- pulumi_vault/approle/auth_backend_role.py +75 -193
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
- pulumi_vault/audit.py +24 -27
- pulumi_vault/audit_request_header.py +11 -6
- pulumi_vault/auth_backend.py +64 -12
- pulumi_vault/aws/auth_backend_cert.py +12 -7
- pulumi_vault/aws/auth_backend_client.py +265 -24
- pulumi_vault/aws/auth_backend_config_identity.py +12 -11
- pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +75 -193
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
- pulumi_vault/aws/auth_backend_sts_role.py +12 -11
- pulumi_vault/aws/get_access_credentials.py +34 -7
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +75 -7
- pulumi_vault/aws/secret_backend_role.py +183 -11
- pulumi_vault/aws/secret_backend_static_role.py +14 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +151 -17
- pulumi_vault/azure/auth_backend_role.py +75 -193
- pulumi_vault/azure/backend.py +223 -29
- pulumi_vault/azure/backend_role.py +42 -41
- pulumi_vault/azure/get_access_credentials.py +39 -11
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -271
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +22 -25
- pulumi_vault/consul/secret_backend_role.py +14 -80
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +117 -114
- pulumi_vault/database/secret_backend_role.py +29 -24
- pulumi_vault/database/secret_backend_static_role.py +85 -15
- pulumi_vault/database/secrets_mount.py +425 -138
- pulumi_vault/egp_policy.py +16 -15
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +248 -35
- pulumi_vault/gcp/auth_backend_role.py +75 -271
- pulumi_vault/gcp/get_auth_backend_role.py +43 -9
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -16
- pulumi_vault/gcp/secret_impersonated_account.py +74 -17
- pulumi_vault/gcp/secret_roleset.py +29 -26
- pulumi_vault/gcp/secret_static_account.py +37 -34
- pulumi_vault/generic/endpoint.py +22 -21
- pulumi_vault/generic/get_secret.py +68 -12
- pulumi_vault/generic/secret.py +19 -14
- pulumi_vault/get_auth_backend.py +24 -11
- pulumi_vault/get_auth_backends.py +33 -11
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -15
- pulumi_vault/get_policy_document.py +34 -23
- pulumi_vault/get_raft_autopilot_state.py +29 -14
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +17 -16
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +14 -13
- pulumi_vault/github/user.py +14 -13
- pulumi_vault/identity/entity.py +18 -15
- pulumi_vault/identity/entity_alias.py +18 -15
- pulumi_vault/identity/entity_policies.py +24 -19
- pulumi_vault/identity/get_entity.py +40 -14
- pulumi_vault/identity/get_group.py +45 -13
- pulumi_vault/identity/get_oidc_client_creds.py +21 -11
- pulumi_vault/identity/get_oidc_openid_config.py +39 -13
- pulumi_vault/identity/get_oidc_public_keys.py +29 -14
- pulumi_vault/identity/group.py +50 -49
- pulumi_vault/identity/group_alias.py +14 -11
- pulumi_vault/identity/group_member_entity_ids.py +24 -74
- pulumi_vault/identity/group_member_group_ids.py +36 -27
- pulumi_vault/identity/group_policies.py +16 -15
- pulumi_vault/identity/mfa_duo.py +9 -8
- pulumi_vault/identity/mfa_login_enforcement.py +13 -8
- pulumi_vault/identity/mfa_okta.py +9 -8
- pulumi_vault/identity/mfa_pingid.py +5 -4
- pulumi_vault/identity/mfa_totp.py +5 -4
- pulumi_vault/identity/oidc.py +12 -11
- pulumi_vault/identity/oidc_assignment.py +22 -13
- pulumi_vault/identity/oidc_client.py +34 -25
- pulumi_vault/identity/oidc_key.py +28 -19
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
- pulumi_vault/identity/oidc_provider.py +34 -23
- pulumi_vault/identity/oidc_role.py +40 -27
- pulumi_vault/identity/oidc_scope.py +18 -15
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +39 -46
- pulumi_vault/jwt/auth_backend_role.py +131 -260
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +22 -21
- pulumi_vault/kmip/secret_role.py +12 -11
- pulumi_vault/kmip/secret_scope.py +12 -11
- pulumi_vault/kubernetes/auth_backend_config.py +55 -7
- pulumi_vault/kubernetes/auth_backend_role.py +68 -179
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -15
- pulumi_vault/kubernetes/secret_backend.py +314 -29
- pulumi_vault/kubernetes/secret_backend_role.py +135 -56
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +23 -12
- pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
- pulumi_vault/kv/get_secret_v2.py +89 -9
- pulumi_vault/kv/get_secrets_list.py +22 -15
- pulumi_vault/kv/get_secrets_list_v2.py +35 -19
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +19 -18
- pulumi_vault/kv/secret_backend_v2.py +12 -11
- pulumi_vault/kv/secret_v2.py +55 -52
- pulumi_vault/ldap/auth_backend.py +125 -168
- pulumi_vault/ldap/auth_backend_group.py +12 -11
- pulumi_vault/ldap/auth_backend_user.py +12 -11
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +352 -84
- pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
- pulumi_vault/ldap/secret_backend_library_set.py +14 -11
- pulumi_vault/ldap/secret_backend_static_role.py +67 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +27 -43
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +16 -13
- pulumi_vault/mfa_okta.py +16 -13
- pulumi_vault/mfa_pingid.py +16 -13
- pulumi_vault/mfa_totp.py +22 -19
- pulumi_vault/mongodbatlas/secret_backend.py +18 -17
- pulumi_vault/mongodbatlas/secret_role.py +41 -38
- pulumi_vault/mount.py +389 -65
- pulumi_vault/namespace.py +26 -21
- pulumi_vault/nomad_secret_backend.py +16 -15
- pulumi_vault/nomad_secret_role.py +12 -11
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +483 -41
- pulumi_vault/okta/auth_backend_group.py +12 -11
- pulumi_vault/okta/auth_backend_user.py +12 -11
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +18 -15
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
- pulumi_vault/pkisecret/get_backend_key.py +24 -13
- pulumi_vault/pkisecret/get_backend_keys.py +21 -12
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
- pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
- pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
- pulumi_vault/pkisecret/secret_backend_key.py +12 -7
- pulumi_vault/pkisecret/secret_backend_role.py +19 -16
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +12 -7
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +58 -8
- pulumi_vault/quota_rate_limit.py +54 -4
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +16 -15
- pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
- pulumi_vault/raft_autopilot.py +12 -11
- pulumi_vault/raft_snapshot_agent_config.py +121 -311
- pulumi_vault/rgp_policy.py +14 -13
- pulumi_vault/saml/auth_backend.py +20 -19
- pulumi_vault/saml/auth_backend_role.py +90 -199
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -75
- pulumi_vault/secrets/sync_aws_destination.py +240 -29
- pulumi_vault/secrets/sync_azure_destination.py +90 -33
- pulumi_vault/secrets/sync_config.py +7 -6
- pulumi_vault/secrets/sync_gcp_destination.py +156 -27
- pulumi_vault/secrets/sync_gh_destination.py +187 -15
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +72 -15
- pulumi_vault/ssh/_inputs.py +28 -32
- pulumi_vault/ssh/outputs.py +11 -32
- pulumi_vault/ssh/secret_backend_ca.py +106 -11
- pulumi_vault/ssh/secret_backend_role.py +83 -120
- pulumi_vault/terraformcloud/secret_backend.py +5 -56
- pulumi_vault/terraformcloud/secret_creds.py +14 -24
- pulumi_vault/terraformcloud/secret_role.py +14 -76
- pulumi_vault/token.py +26 -25
- pulumi_vault/tokenauth/auth_backend_role.py +76 -201
- pulumi_vault/transform/alphabet.py +16 -13
- pulumi_vault/transform/get_decode.py +45 -21
- pulumi_vault/transform/get_encode.py +45 -21
- pulumi_vault/transform/role.py +16 -13
- pulumi_vault/transform/template.py +30 -25
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -25
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +25 -97
- pulumi_vault/transit/secret_cache_config.py +12 -11
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = ['SyncAwsDestinationArgs', 'SyncAwsDestination']
|
@@ -15,10 +20,13 @@ __all__ = ['SyncAwsDestinationArgs', 'SyncAwsDestination']
|
|
15
20
|
class SyncAwsDestinationArgs:
|
16
21
|
def __init__(__self__, *,
|
17
22
|
access_key_id: Optional[pulumi.Input[str]] = None,
|
18
|
-
custom_tags: Optional[pulumi.Input[Mapping[str,
|
23
|
+
custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
24
|
+
external_id: Optional[pulumi.Input[str]] = None,
|
25
|
+
granularity: Optional[pulumi.Input[str]] = None,
|
19
26
|
name: Optional[pulumi.Input[str]] = None,
|
20
27
|
namespace: Optional[pulumi.Input[str]] = None,
|
21
28
|
region: Optional[pulumi.Input[str]] = None,
|
29
|
+
role_arn: Optional[pulumi.Input[str]] = None,
|
22
30
|
secret_access_key: Optional[pulumi.Input[str]] = None,
|
23
31
|
secret_name_template: Optional[pulumi.Input[str]] = None):
|
24
32
|
"""
|
@@ -26,14 +34,26 @@ class SyncAwsDestinationArgs:
|
|
26
34
|
:param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
|
27
35
|
Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
|
28
36
|
variable.
|
29
|
-
:param pulumi.Input[Mapping[str,
|
37
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
|
38
|
+
:param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
|
39
|
+
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
|
40
|
+
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
|
41
|
+
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
|
42
|
+
denied errors. Ignored if the `role_arn` field is empty.
|
43
|
+
:param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
|
44
|
+
at the destination. Supports `secret-path` and `secret-key`.
|
30
45
|
:param pulumi.Input[str] name: Unique name of the AWS destination.
|
31
46
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
32
47
|
The value should not contain leading or trailing forward slashes.
|
33
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
48
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
34
49
|
:param pulumi.Input[str] region: Region where to manage the secrets manager entries.
|
35
50
|
Can be omitted and directly provided to Vault using the `AWS_REGION` environment
|
36
51
|
variable.
|
52
|
+
:param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
|
53
|
+
Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
|
54
|
+
exist for Vault to be able to assume this role. The role can be in a different account.
|
55
|
+
The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
|
56
|
+
It is possible to provide both an access key pair and a role to assume.
|
37
57
|
:param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
|
38
58
|
Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
|
39
59
|
variable.
|
@@ -44,12 +64,18 @@ class SyncAwsDestinationArgs:
|
|
44
64
|
pulumi.set(__self__, "access_key_id", access_key_id)
|
45
65
|
if custom_tags is not None:
|
46
66
|
pulumi.set(__self__, "custom_tags", custom_tags)
|
67
|
+
if external_id is not None:
|
68
|
+
pulumi.set(__self__, "external_id", external_id)
|
69
|
+
if granularity is not None:
|
70
|
+
pulumi.set(__self__, "granularity", granularity)
|
47
71
|
if name is not None:
|
48
72
|
pulumi.set(__self__, "name", name)
|
49
73
|
if namespace is not None:
|
50
74
|
pulumi.set(__self__, "namespace", namespace)
|
51
75
|
if region is not None:
|
52
76
|
pulumi.set(__self__, "region", region)
|
77
|
+
if role_arn is not None:
|
78
|
+
pulumi.set(__self__, "role_arn", role_arn)
|
53
79
|
if secret_access_key is not None:
|
54
80
|
pulumi.set(__self__, "secret_access_key", secret_access_key)
|
55
81
|
if secret_name_template is not None:
|
@@ -71,16 +97,45 @@ class SyncAwsDestinationArgs:
|
|
71
97
|
|
72
98
|
@property
|
73
99
|
@pulumi.getter(name="customTags")
|
74
|
-
def custom_tags(self) -> Optional[pulumi.Input[Mapping[str,
|
100
|
+
def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
75
101
|
"""
|
76
102
|
Custom tags to set on the secret managed at the destination.
|
77
103
|
"""
|
78
104
|
return pulumi.get(self, "custom_tags")
|
79
105
|
|
80
106
|
@custom_tags.setter
|
81
|
-
def custom_tags(self, value: Optional[pulumi.Input[Mapping[str,
|
107
|
+
def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
82
108
|
pulumi.set(self, "custom_tags", value)
|
83
109
|
|
110
|
+
@property
|
111
|
+
@pulumi.getter(name="externalId")
|
112
|
+
def external_id(self) -> Optional[pulumi.Input[str]]:
|
113
|
+
"""
|
114
|
+
Optional extra protection that must match the trust policy granting access to the
|
115
|
+
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
|
116
|
+
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
|
117
|
+
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
|
118
|
+
denied errors. Ignored if the `role_arn` field is empty.
|
119
|
+
"""
|
120
|
+
return pulumi.get(self, "external_id")
|
121
|
+
|
122
|
+
@external_id.setter
|
123
|
+
def external_id(self, value: Optional[pulumi.Input[str]]):
|
124
|
+
pulumi.set(self, "external_id", value)
|
125
|
+
|
126
|
+
@property
|
127
|
+
@pulumi.getter
|
128
|
+
def granularity(self) -> Optional[pulumi.Input[str]]:
|
129
|
+
"""
|
130
|
+
Determines what level of information is synced as a distinct resource
|
131
|
+
at the destination. Supports `secret-path` and `secret-key`.
|
132
|
+
"""
|
133
|
+
return pulumi.get(self, "granularity")
|
134
|
+
|
135
|
+
@granularity.setter
|
136
|
+
def granularity(self, value: Optional[pulumi.Input[str]]):
|
137
|
+
pulumi.set(self, "granularity", value)
|
138
|
+
|
84
139
|
@property
|
85
140
|
@pulumi.getter
|
86
141
|
def name(self) -> Optional[pulumi.Input[str]]:
|
@@ -99,7 +154,7 @@ class SyncAwsDestinationArgs:
|
|
99
154
|
"""
|
100
155
|
The namespace to provision the resource in.
|
101
156
|
The value should not contain leading or trailing forward slashes.
|
102
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
157
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
103
158
|
"""
|
104
159
|
return pulumi.get(self, "namespace")
|
105
160
|
|
@@ -121,6 +176,22 @@ class SyncAwsDestinationArgs:
|
|
121
176
|
def region(self, value: Optional[pulumi.Input[str]]):
|
122
177
|
pulumi.set(self, "region", value)
|
123
178
|
|
179
|
+
@property
|
180
|
+
@pulumi.getter(name="roleArn")
|
181
|
+
def role_arn(self) -> Optional[pulumi.Input[str]]:
|
182
|
+
"""
|
183
|
+
Specifies a role to assume when connecting to AWS. When assuming a role,
|
184
|
+
Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
|
185
|
+
exist for Vault to be able to assume this role. The role can be in a different account.
|
186
|
+
The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
|
187
|
+
It is possible to provide both an access key pair and a role to assume.
|
188
|
+
"""
|
189
|
+
return pulumi.get(self, "role_arn")
|
190
|
+
|
191
|
+
@role_arn.setter
|
192
|
+
def role_arn(self, value: Optional[pulumi.Input[str]]):
|
193
|
+
pulumi.set(self, "role_arn", value)
|
194
|
+
|
124
195
|
@property
|
125
196
|
@pulumi.getter(name="secretAccessKey")
|
126
197
|
def secret_access_key(self) -> Optional[pulumi.Input[str]]:
|
@@ -153,10 +224,13 @@ class SyncAwsDestinationArgs:
|
|
153
224
|
class _SyncAwsDestinationState:
|
154
225
|
def __init__(__self__, *,
|
155
226
|
access_key_id: Optional[pulumi.Input[str]] = None,
|
156
|
-
custom_tags: Optional[pulumi.Input[Mapping[str,
|
227
|
+
custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
228
|
+
external_id: Optional[pulumi.Input[str]] = None,
|
229
|
+
granularity: Optional[pulumi.Input[str]] = None,
|
157
230
|
name: Optional[pulumi.Input[str]] = None,
|
158
231
|
namespace: Optional[pulumi.Input[str]] = None,
|
159
232
|
region: Optional[pulumi.Input[str]] = None,
|
233
|
+
role_arn: Optional[pulumi.Input[str]] = None,
|
160
234
|
secret_access_key: Optional[pulumi.Input[str]] = None,
|
161
235
|
secret_name_template: Optional[pulumi.Input[str]] = None,
|
162
236
|
type: Optional[pulumi.Input[str]] = None):
|
@@ -165,14 +239,26 @@ class _SyncAwsDestinationState:
|
|
165
239
|
:param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
|
166
240
|
Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
|
167
241
|
variable.
|
168
|
-
:param pulumi.Input[Mapping[str,
|
242
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
|
243
|
+
:param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
|
244
|
+
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
|
245
|
+
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
|
246
|
+
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
|
247
|
+
denied errors. Ignored if the `role_arn` field is empty.
|
248
|
+
:param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
|
249
|
+
at the destination. Supports `secret-path` and `secret-key`.
|
169
250
|
:param pulumi.Input[str] name: Unique name of the AWS destination.
|
170
251
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
171
252
|
The value should not contain leading or trailing forward slashes.
|
172
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
253
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
173
254
|
:param pulumi.Input[str] region: Region where to manage the secrets manager entries.
|
174
255
|
Can be omitted and directly provided to Vault using the `AWS_REGION` environment
|
175
256
|
variable.
|
257
|
+
:param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
|
258
|
+
Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
|
259
|
+
exist for Vault to be able to assume this role. The role can be in a different account.
|
260
|
+
The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
|
261
|
+
It is possible to provide both an access key pair and a role to assume.
|
176
262
|
:param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
|
177
263
|
Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
|
178
264
|
variable.
|
@@ -184,12 +270,18 @@ class _SyncAwsDestinationState:
|
|
184
270
|
pulumi.set(__self__, "access_key_id", access_key_id)
|
185
271
|
if custom_tags is not None:
|
186
272
|
pulumi.set(__self__, "custom_tags", custom_tags)
|
273
|
+
if external_id is not None:
|
274
|
+
pulumi.set(__self__, "external_id", external_id)
|
275
|
+
if granularity is not None:
|
276
|
+
pulumi.set(__self__, "granularity", granularity)
|
187
277
|
if name is not None:
|
188
278
|
pulumi.set(__self__, "name", name)
|
189
279
|
if namespace is not None:
|
190
280
|
pulumi.set(__self__, "namespace", namespace)
|
191
281
|
if region is not None:
|
192
282
|
pulumi.set(__self__, "region", region)
|
283
|
+
if role_arn is not None:
|
284
|
+
pulumi.set(__self__, "role_arn", role_arn)
|
193
285
|
if secret_access_key is not None:
|
194
286
|
pulumi.set(__self__, "secret_access_key", secret_access_key)
|
195
287
|
if secret_name_template is not None:
|
@@ -213,16 +305,45 @@ class _SyncAwsDestinationState:
|
|
213
305
|
|
214
306
|
@property
|
215
307
|
@pulumi.getter(name="customTags")
|
216
|
-
def custom_tags(self) -> Optional[pulumi.Input[Mapping[str,
|
308
|
+
def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
217
309
|
"""
|
218
310
|
Custom tags to set on the secret managed at the destination.
|
219
311
|
"""
|
220
312
|
return pulumi.get(self, "custom_tags")
|
221
313
|
|
222
314
|
@custom_tags.setter
|
223
|
-
def custom_tags(self, value: Optional[pulumi.Input[Mapping[str,
|
315
|
+
def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
224
316
|
pulumi.set(self, "custom_tags", value)
|
225
317
|
|
318
|
+
@property
|
319
|
+
@pulumi.getter(name="externalId")
|
320
|
+
def external_id(self) -> Optional[pulumi.Input[str]]:
|
321
|
+
"""
|
322
|
+
Optional extra protection that must match the trust policy granting access to the
|
323
|
+
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
|
324
|
+
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
|
325
|
+
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
|
326
|
+
denied errors. Ignored if the `role_arn` field is empty.
|
327
|
+
"""
|
328
|
+
return pulumi.get(self, "external_id")
|
329
|
+
|
330
|
+
@external_id.setter
|
331
|
+
def external_id(self, value: Optional[pulumi.Input[str]]):
|
332
|
+
pulumi.set(self, "external_id", value)
|
333
|
+
|
334
|
+
@property
|
335
|
+
@pulumi.getter
|
336
|
+
def granularity(self) -> Optional[pulumi.Input[str]]:
|
337
|
+
"""
|
338
|
+
Determines what level of information is synced as a distinct resource
|
339
|
+
at the destination. Supports `secret-path` and `secret-key`.
|
340
|
+
"""
|
341
|
+
return pulumi.get(self, "granularity")
|
342
|
+
|
343
|
+
@granularity.setter
|
344
|
+
def granularity(self, value: Optional[pulumi.Input[str]]):
|
345
|
+
pulumi.set(self, "granularity", value)
|
346
|
+
|
226
347
|
@property
|
227
348
|
@pulumi.getter
|
228
349
|
def name(self) -> Optional[pulumi.Input[str]]:
|
@@ -241,7 +362,7 @@ class _SyncAwsDestinationState:
|
|
241
362
|
"""
|
242
363
|
The namespace to provision the resource in.
|
243
364
|
The value should not contain leading or trailing forward slashes.
|
244
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
365
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
245
366
|
"""
|
246
367
|
return pulumi.get(self, "namespace")
|
247
368
|
|
@@ -263,6 +384,22 @@ class _SyncAwsDestinationState:
|
|
263
384
|
def region(self, value: Optional[pulumi.Input[str]]):
|
264
385
|
pulumi.set(self, "region", value)
|
265
386
|
|
387
|
+
@property
|
388
|
+
@pulumi.getter(name="roleArn")
|
389
|
+
def role_arn(self) -> Optional[pulumi.Input[str]]:
|
390
|
+
"""
|
391
|
+
Specifies a role to assume when connecting to AWS. When assuming a role,
|
392
|
+
Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
|
393
|
+
exist for Vault to be able to assume this role. The role can be in a different account.
|
394
|
+
The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
|
395
|
+
It is possible to provide both an access key pair and a role to assume.
|
396
|
+
"""
|
397
|
+
return pulumi.get(self, "role_arn")
|
398
|
+
|
399
|
+
@role_arn.setter
|
400
|
+
def role_arn(self, value: Optional[pulumi.Input[str]]):
|
401
|
+
pulumi.set(self, "role_arn", value)
|
402
|
+
|
266
403
|
@property
|
267
404
|
@pulumi.getter(name="secretAccessKey")
|
268
405
|
def secret_access_key(self) -> Optional[pulumi.Input[str]]:
|
@@ -309,31 +446,35 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
309
446
|
resource_name: str,
|
310
447
|
opts: Optional[pulumi.ResourceOptions] = None,
|
311
448
|
access_key_id: Optional[pulumi.Input[str]] = None,
|
312
|
-
custom_tags: Optional[pulumi.Input[Mapping[str,
|
449
|
+
custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
450
|
+
external_id: Optional[pulumi.Input[str]] = None,
|
451
|
+
granularity: Optional[pulumi.Input[str]] = None,
|
313
452
|
name: Optional[pulumi.Input[str]] = None,
|
314
453
|
namespace: Optional[pulumi.Input[str]] = None,
|
315
454
|
region: Optional[pulumi.Input[str]] = None,
|
455
|
+
role_arn: Optional[pulumi.Input[str]] = None,
|
316
456
|
secret_access_key: Optional[pulumi.Input[str]] = None,
|
317
457
|
secret_name_template: Optional[pulumi.Input[str]] = None,
|
318
458
|
__props__=None):
|
319
459
|
"""
|
320
460
|
## Example Usage
|
321
461
|
|
322
|
-
<!--Start PulumiCodeChooser -->
|
323
462
|
```python
|
324
463
|
import pulumi
|
325
464
|
import pulumi_vault as vault
|
326
465
|
|
327
466
|
aws = vault.secrets.SyncAwsDestination("aws",
|
328
|
-
|
329
|
-
|
467
|
+
name="aws-dest",
|
468
|
+
access_key_id=access_key_id,
|
469
|
+
secret_access_key=secret_access_key,
|
330
470
|
region="us-east-1",
|
471
|
+
role_arn="role-arn",
|
472
|
+
external_id="external-id",
|
331
473
|
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
|
332
474
|
custom_tags={
|
333
475
|
"foo": "bar",
|
334
476
|
})
|
335
477
|
```
|
336
|
-
<!--End PulumiCodeChooser -->
|
337
478
|
|
338
479
|
## Import
|
339
480
|
|
@@ -348,14 +489,26 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
348
489
|
:param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
|
349
490
|
Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
|
350
491
|
variable.
|
351
|
-
:param pulumi.Input[Mapping[str,
|
492
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
|
493
|
+
:param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
|
494
|
+
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
|
495
|
+
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
|
496
|
+
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
|
497
|
+
denied errors. Ignored if the `role_arn` field is empty.
|
498
|
+
:param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
|
499
|
+
at the destination. Supports `secret-path` and `secret-key`.
|
352
500
|
:param pulumi.Input[str] name: Unique name of the AWS destination.
|
353
501
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
354
502
|
The value should not contain leading or trailing forward slashes.
|
355
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
503
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
356
504
|
:param pulumi.Input[str] region: Region where to manage the secrets manager entries.
|
357
505
|
Can be omitted and directly provided to Vault using the `AWS_REGION` environment
|
358
506
|
variable.
|
507
|
+
:param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
|
508
|
+
Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
|
509
|
+
exist for Vault to be able to assume this role. The role can be in a different account.
|
510
|
+
The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
|
511
|
+
It is possible to provide both an access key pair and a role to assume.
|
359
512
|
:param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
|
360
513
|
Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
|
361
514
|
variable.
|
@@ -371,21 +524,22 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
371
524
|
"""
|
372
525
|
## Example Usage
|
373
526
|
|
374
|
-
<!--Start PulumiCodeChooser -->
|
375
527
|
```python
|
376
528
|
import pulumi
|
377
529
|
import pulumi_vault as vault
|
378
530
|
|
379
531
|
aws = vault.secrets.SyncAwsDestination("aws",
|
380
|
-
|
381
|
-
|
532
|
+
name="aws-dest",
|
533
|
+
access_key_id=access_key_id,
|
534
|
+
secret_access_key=secret_access_key,
|
382
535
|
region="us-east-1",
|
536
|
+
role_arn="role-arn",
|
537
|
+
external_id="external-id",
|
383
538
|
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
|
384
539
|
custom_tags={
|
385
540
|
"foo": "bar",
|
386
541
|
})
|
387
542
|
```
|
388
|
-
<!--End PulumiCodeChooser -->
|
389
543
|
|
390
544
|
## Import
|
391
545
|
|
@@ -411,10 +565,13 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
411
565
|
resource_name: str,
|
412
566
|
opts: Optional[pulumi.ResourceOptions] = None,
|
413
567
|
access_key_id: Optional[pulumi.Input[str]] = None,
|
414
|
-
custom_tags: Optional[pulumi.Input[Mapping[str,
|
568
|
+
custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
569
|
+
external_id: Optional[pulumi.Input[str]] = None,
|
570
|
+
granularity: Optional[pulumi.Input[str]] = None,
|
415
571
|
name: Optional[pulumi.Input[str]] = None,
|
416
572
|
namespace: Optional[pulumi.Input[str]] = None,
|
417
573
|
region: Optional[pulumi.Input[str]] = None,
|
574
|
+
role_arn: Optional[pulumi.Input[str]] = None,
|
418
575
|
secret_access_key: Optional[pulumi.Input[str]] = None,
|
419
576
|
secret_name_template: Optional[pulumi.Input[str]] = None,
|
420
577
|
__props__=None):
|
@@ -428,9 +585,12 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
428
585
|
|
429
586
|
__props__.__dict__["access_key_id"] = access_key_id
|
430
587
|
__props__.__dict__["custom_tags"] = custom_tags
|
588
|
+
__props__.__dict__["external_id"] = external_id
|
589
|
+
__props__.__dict__["granularity"] = granularity
|
431
590
|
__props__.__dict__["name"] = name
|
432
591
|
__props__.__dict__["namespace"] = namespace
|
433
592
|
__props__.__dict__["region"] = region
|
593
|
+
__props__.__dict__["role_arn"] = role_arn
|
434
594
|
__props__.__dict__["secret_access_key"] = None if secret_access_key is None else pulumi.Output.secret(secret_access_key)
|
435
595
|
__props__.__dict__["secret_name_template"] = secret_name_template
|
436
596
|
__props__.__dict__["type"] = None
|
@@ -447,10 +607,13 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
447
607
|
id: pulumi.Input[str],
|
448
608
|
opts: Optional[pulumi.ResourceOptions] = None,
|
449
609
|
access_key_id: Optional[pulumi.Input[str]] = None,
|
450
|
-
custom_tags: Optional[pulumi.Input[Mapping[str,
|
610
|
+
custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
611
|
+
external_id: Optional[pulumi.Input[str]] = None,
|
612
|
+
granularity: Optional[pulumi.Input[str]] = None,
|
451
613
|
name: Optional[pulumi.Input[str]] = None,
|
452
614
|
namespace: Optional[pulumi.Input[str]] = None,
|
453
615
|
region: Optional[pulumi.Input[str]] = None,
|
616
|
+
role_arn: Optional[pulumi.Input[str]] = None,
|
454
617
|
secret_access_key: Optional[pulumi.Input[str]] = None,
|
455
618
|
secret_name_template: Optional[pulumi.Input[str]] = None,
|
456
619
|
type: Optional[pulumi.Input[str]] = None) -> 'SyncAwsDestination':
|
@@ -464,14 +627,26 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
464
627
|
:param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
|
465
628
|
Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
|
466
629
|
variable.
|
467
|
-
:param pulumi.Input[Mapping[str,
|
630
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
|
631
|
+
:param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
|
632
|
+
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
|
633
|
+
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
|
634
|
+
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
|
635
|
+
denied errors. Ignored if the `role_arn` field is empty.
|
636
|
+
:param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
|
637
|
+
at the destination. Supports `secret-path` and `secret-key`.
|
468
638
|
:param pulumi.Input[str] name: Unique name of the AWS destination.
|
469
639
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
470
640
|
The value should not contain leading or trailing forward slashes.
|
471
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
641
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
472
642
|
:param pulumi.Input[str] region: Region where to manage the secrets manager entries.
|
473
643
|
Can be omitted and directly provided to Vault using the `AWS_REGION` environment
|
474
644
|
variable.
|
645
|
+
:param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
|
646
|
+
Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
|
647
|
+
exist for Vault to be able to assume this role. The role can be in a different account.
|
648
|
+
The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
|
649
|
+
It is possible to provide both an access key pair and a role to assume.
|
475
650
|
:param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
|
476
651
|
Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
|
477
652
|
variable.
|
@@ -485,9 +660,12 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
485
660
|
|
486
661
|
__props__.__dict__["access_key_id"] = access_key_id
|
487
662
|
__props__.__dict__["custom_tags"] = custom_tags
|
663
|
+
__props__.__dict__["external_id"] = external_id
|
664
|
+
__props__.__dict__["granularity"] = granularity
|
488
665
|
__props__.__dict__["name"] = name
|
489
666
|
__props__.__dict__["namespace"] = namespace
|
490
667
|
__props__.__dict__["region"] = region
|
668
|
+
__props__.__dict__["role_arn"] = role_arn
|
491
669
|
__props__.__dict__["secret_access_key"] = secret_access_key
|
492
670
|
__props__.__dict__["secret_name_template"] = secret_name_template
|
493
671
|
__props__.__dict__["type"] = type
|
@@ -505,12 +683,33 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
505
683
|
|
506
684
|
@property
|
507
685
|
@pulumi.getter(name="customTags")
|
508
|
-
def custom_tags(self) -> pulumi.Output[Optional[Mapping[str,
|
686
|
+
def custom_tags(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
|
509
687
|
"""
|
510
688
|
Custom tags to set on the secret managed at the destination.
|
511
689
|
"""
|
512
690
|
return pulumi.get(self, "custom_tags")
|
513
691
|
|
692
|
+
@property
|
693
|
+
@pulumi.getter(name="externalId")
|
694
|
+
def external_id(self) -> pulumi.Output[Optional[str]]:
|
695
|
+
"""
|
696
|
+
Optional extra protection that must match the trust policy granting access to the
|
697
|
+
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
|
698
|
+
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
|
699
|
+
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
|
700
|
+
denied errors. Ignored if the `role_arn` field is empty.
|
701
|
+
"""
|
702
|
+
return pulumi.get(self, "external_id")
|
703
|
+
|
704
|
+
@property
|
705
|
+
@pulumi.getter
|
706
|
+
def granularity(self) -> pulumi.Output[Optional[str]]:
|
707
|
+
"""
|
708
|
+
Determines what level of information is synced as a distinct resource
|
709
|
+
at the destination. Supports `secret-path` and `secret-key`.
|
710
|
+
"""
|
711
|
+
return pulumi.get(self, "granularity")
|
712
|
+
|
514
713
|
@property
|
515
714
|
@pulumi.getter
|
516
715
|
def name(self) -> pulumi.Output[str]:
|
@@ -525,7 +724,7 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
525
724
|
"""
|
526
725
|
The namespace to provision the resource in.
|
527
726
|
The value should not contain leading or trailing forward slashes.
|
528
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
727
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
529
728
|
"""
|
530
729
|
return pulumi.get(self, "namespace")
|
531
730
|
|
@@ -539,6 +738,18 @@ class SyncAwsDestination(pulumi.CustomResource):
|
|
539
738
|
"""
|
540
739
|
return pulumi.get(self, "region")
|
541
740
|
|
741
|
+
@property
|
742
|
+
@pulumi.getter(name="roleArn")
|
743
|
+
def role_arn(self) -> pulumi.Output[Optional[str]]:
|
744
|
+
"""
|
745
|
+
Specifies a role to assume when connecting to AWS. When assuming a role,
|
746
|
+
Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
|
747
|
+
exist for Vault to be able to assume this role. The role can be in a different account.
|
748
|
+
The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
|
749
|
+
It is possible to provide both an access key pair and a role to assume.
|
750
|
+
"""
|
751
|
+
return pulumi.get(self, "role_arn")
|
752
|
+
|
542
753
|
@property
|
543
754
|
@pulumi.getter(name="secretAccessKey")
|
544
755
|
def secret_access_key(self) -> pulumi.Output[Optional[str]]:
|