pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

This diff shows the content of publicly available package versions released to one of the supported registries. It is provided for informational purposes only and reflects the changes between package versions as they appear in their respective public registries.
Files changed (229) hide show
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +22 -7
  5. pulumi_vault/ad/secret_backend.py +14 -144
  6. pulumi_vault/ad/secret_library.py +14 -11
  7. pulumi_vault/ad/secret_role.py +12 -11
  8. pulumi_vault/alicloud/auth_backend_role.py +74 -192
  9. pulumi_vault/approle/auth_backend_login.py +12 -11
  10. pulumi_vault/approle/auth_backend_role.py +75 -193
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
  13. pulumi_vault/audit.py +24 -27
  14. pulumi_vault/audit_request_header.py +11 -6
  15. pulumi_vault/auth_backend.py +64 -12
  16. pulumi_vault/aws/auth_backend_cert.py +12 -7
  17. pulumi_vault/aws/auth_backend_client.py +265 -24
  18. pulumi_vault/aws/auth_backend_config_identity.py +12 -11
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +75 -193
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
  24. pulumi_vault/aws/auth_backend_sts_role.py +12 -11
  25. pulumi_vault/aws/get_access_credentials.py +34 -7
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +75 -7
  28. pulumi_vault/aws/secret_backend_role.py +183 -11
  29. pulumi_vault/aws/secret_backend_static_role.py +14 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +151 -17
  32. pulumi_vault/azure/auth_backend_role.py +75 -193
  33. pulumi_vault/azure/backend.py +223 -29
  34. pulumi_vault/azure/backend_role.py +42 -41
  35. pulumi_vault/azure/get_access_credentials.py +39 -11
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -271
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +22 -25
  44. pulumi_vault/consul/secret_backend_role.py +14 -80
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +117 -114
  48. pulumi_vault/database/secret_backend_role.py +29 -24
  49. pulumi_vault/database/secret_backend_static_role.py +85 -15
  50. pulumi_vault/database/secrets_mount.py +425 -138
  51. pulumi_vault/egp_policy.py +16 -15
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +248 -35
  54. pulumi_vault/gcp/auth_backend_role.py +75 -271
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -9
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -16
  58. pulumi_vault/gcp/secret_impersonated_account.py +74 -17
  59. pulumi_vault/gcp/secret_roleset.py +29 -26
  60. pulumi_vault/gcp/secret_static_account.py +37 -34
  61. pulumi_vault/generic/endpoint.py +22 -21
  62. pulumi_vault/generic/get_secret.py +68 -12
  63. pulumi_vault/generic/secret.py +19 -14
  64. pulumi_vault/get_auth_backend.py +24 -11
  65. pulumi_vault/get_auth_backends.py +33 -11
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -15
  69. pulumi_vault/get_policy_document.py +34 -23
  70. pulumi_vault/get_raft_autopilot_state.py +29 -14
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +17 -16
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +14 -13
  75. pulumi_vault/github/user.py +14 -13
  76. pulumi_vault/identity/entity.py +18 -15
  77. pulumi_vault/identity/entity_alias.py +18 -15
  78. pulumi_vault/identity/entity_policies.py +24 -19
  79. pulumi_vault/identity/get_entity.py +40 -14
  80. pulumi_vault/identity/get_group.py +45 -13
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -11
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -13
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -14
  84. pulumi_vault/identity/group.py +50 -49
  85. pulumi_vault/identity/group_alias.py +14 -11
  86. pulumi_vault/identity/group_member_entity_ids.py +24 -74
  87. pulumi_vault/identity/group_member_group_ids.py +36 -27
  88. pulumi_vault/identity/group_policies.py +16 -15
  89. pulumi_vault/identity/mfa_duo.py +9 -8
  90. pulumi_vault/identity/mfa_login_enforcement.py +13 -8
  91. pulumi_vault/identity/mfa_okta.py +9 -8
  92. pulumi_vault/identity/mfa_pingid.py +5 -4
  93. pulumi_vault/identity/mfa_totp.py +5 -4
  94. pulumi_vault/identity/oidc.py +12 -11
  95. pulumi_vault/identity/oidc_assignment.py +22 -13
  96. pulumi_vault/identity/oidc_client.py +34 -25
  97. pulumi_vault/identity/oidc_key.py +28 -19
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
  99. pulumi_vault/identity/oidc_provider.py +34 -23
  100. pulumi_vault/identity/oidc_role.py +40 -27
  101. pulumi_vault/identity/oidc_scope.py +18 -15
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +39 -46
  105. pulumi_vault/jwt/auth_backend_role.py +131 -260
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +22 -21
  108. pulumi_vault/kmip/secret_role.py +12 -11
  109. pulumi_vault/kmip/secret_scope.py +12 -11
  110. pulumi_vault/kubernetes/auth_backend_config.py +55 -7
  111. pulumi_vault/kubernetes/auth_backend_role.py +68 -179
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -15
  115. pulumi_vault/kubernetes/secret_backend.py +314 -29
  116. pulumi_vault/kubernetes/secret_backend_role.py +135 -56
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +23 -12
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
  120. pulumi_vault/kv/get_secret_v2.py +89 -9
  121. pulumi_vault/kv/get_secrets_list.py +22 -15
  122. pulumi_vault/kv/get_secrets_list_v2.py +35 -19
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +19 -18
  125. pulumi_vault/kv/secret_backend_v2.py +12 -11
  126. pulumi_vault/kv/secret_v2.py +55 -52
  127. pulumi_vault/ldap/auth_backend.py +125 -168
  128. pulumi_vault/ldap/auth_backend_group.py +12 -11
  129. pulumi_vault/ldap/auth_backend_user.py +12 -11
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +352 -84
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +14 -11
  135. pulumi_vault/ldap/secret_backend_static_role.py +67 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +27 -43
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +16 -13
  140. pulumi_vault/mfa_okta.py +16 -13
  141. pulumi_vault/mfa_pingid.py +16 -13
  142. pulumi_vault/mfa_totp.py +22 -19
  143. pulumi_vault/mongodbatlas/secret_backend.py +18 -17
  144. pulumi_vault/mongodbatlas/secret_role.py +41 -38
  145. pulumi_vault/mount.py +389 -65
  146. pulumi_vault/namespace.py +26 -21
  147. pulumi_vault/nomad_secret_backend.py +16 -15
  148. pulumi_vault/nomad_secret_role.py +12 -11
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +483 -41
  151. pulumi_vault/okta/auth_backend_group.py +12 -11
  152. pulumi_vault/okta/auth_backend_user.py +12 -11
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +18 -15
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -13
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -12
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
  174. pulumi_vault/pkisecret/secret_backend_key.py +12 -7
  175. pulumi_vault/pkisecret/secret_backend_role.py +19 -16
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +12 -7
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +58 -8
  185. pulumi_vault/quota_rate_limit.py +54 -4
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +16 -15
  189. pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
  190. pulumi_vault/raft_autopilot.py +12 -11
  191. pulumi_vault/raft_snapshot_agent_config.py +121 -311
  192. pulumi_vault/rgp_policy.py +14 -13
  193. pulumi_vault/saml/auth_backend.py +20 -19
  194. pulumi_vault/saml/auth_backend_role.py +90 -199
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -75
  199. pulumi_vault/secrets/sync_aws_destination.py +240 -29
  200. pulumi_vault/secrets/sync_azure_destination.py +90 -33
  201. pulumi_vault/secrets/sync_config.py +7 -6
  202. pulumi_vault/secrets/sync_gcp_destination.py +156 -27
  203. pulumi_vault/secrets/sync_gh_destination.py +187 -15
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +72 -15
  206. pulumi_vault/ssh/_inputs.py +28 -32
  207. pulumi_vault/ssh/outputs.py +11 -32
  208. pulumi_vault/ssh/secret_backend_ca.py +106 -11
  209. pulumi_vault/ssh/secret_backend_role.py +83 -120
  210. pulumi_vault/terraformcloud/secret_backend.py +5 -56
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -24
  212. pulumi_vault/terraformcloud/secret_role.py +14 -76
  213. pulumi_vault/token.py +26 -25
  214. pulumi_vault/tokenauth/auth_backend_role.py +76 -201
  215. pulumi_vault/transform/alphabet.py +16 -13
  216. pulumi_vault/transform/get_decode.py +45 -21
  217. pulumi_vault/transform/get_encode.py +45 -21
  218. pulumi_vault/transform/role.py +16 -13
  219. pulumi_vault/transform/template.py +30 -25
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -25
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +25 -97
  224. pulumi_vault/transit/secret_cache_config.py +12 -11
  225. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['SyncAwsDestinationArgs', 'SyncAwsDestination']
@@ -15,10 +20,13 @@ __all__ = ['SyncAwsDestinationArgs', 'SyncAwsDestination']
15
20
  class SyncAwsDestinationArgs:
16
21
  def __init__(__self__, *,
17
22
  access_key_id: Optional[pulumi.Input[str]] = None,
18
- custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
23
+ custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
24
+ external_id: Optional[pulumi.Input[str]] = None,
25
+ granularity: Optional[pulumi.Input[str]] = None,
19
26
  name: Optional[pulumi.Input[str]] = None,
20
27
  namespace: Optional[pulumi.Input[str]] = None,
21
28
  region: Optional[pulumi.Input[str]] = None,
29
+ role_arn: Optional[pulumi.Input[str]] = None,
22
30
  secret_access_key: Optional[pulumi.Input[str]] = None,
23
31
  secret_name_template: Optional[pulumi.Input[str]] = None):
24
32
  """
@@ -26,14 +34,26 @@ class SyncAwsDestinationArgs:
26
34
  :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
27
35
  Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
28
36
  variable.
29
- :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
37
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
38
+ :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
39
+ AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
40
+ The field is mutable with no special condition, but users must be careful that the new value fits with the trust
41
+ relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
42
+ denied errors. Ignored if the `role_arn` field is empty.
43
+ :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
44
+ at the destination. Supports `secret-path` and `secret-key`.
30
45
  :param pulumi.Input[str] name: Unique name of the AWS destination.
31
46
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
32
47
  The value should not contain leading or trailing forward slashes.
33
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
48
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
34
49
  :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
35
50
  Can be omitted and directly provided to Vault using the `AWS_REGION` environment
36
51
  variable.
52
+ :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
53
+ Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
54
+ exist for Vault to be able to assume this role. The role can be in a different account.
55
+ The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
56
+ It is possible to provide both an access key pair and a role to assume.
37
57
  :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
38
58
  Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
39
59
  variable.
@@ -44,12 +64,18 @@ class SyncAwsDestinationArgs:
44
64
  pulumi.set(__self__, "access_key_id", access_key_id)
45
65
  if custom_tags is not None:
46
66
  pulumi.set(__self__, "custom_tags", custom_tags)
67
+ if external_id is not None:
68
+ pulumi.set(__self__, "external_id", external_id)
69
+ if granularity is not None:
70
+ pulumi.set(__self__, "granularity", granularity)
47
71
  if name is not None:
48
72
  pulumi.set(__self__, "name", name)
49
73
  if namespace is not None:
50
74
  pulumi.set(__self__, "namespace", namespace)
51
75
  if region is not None:
52
76
  pulumi.set(__self__, "region", region)
77
+ if role_arn is not None:
78
+ pulumi.set(__self__, "role_arn", role_arn)
53
79
  if secret_access_key is not None:
54
80
  pulumi.set(__self__, "secret_access_key", secret_access_key)
55
81
  if secret_name_template is not None:
@@ -71,16 +97,45 @@ class SyncAwsDestinationArgs:
71
97
 
72
98
  @property
73
99
  @pulumi.getter(name="customTags")
74
- def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
100
+ def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
75
101
  """
76
102
  Custom tags to set on the secret managed at the destination.
77
103
  """
78
104
  return pulumi.get(self, "custom_tags")
79
105
 
80
106
  @custom_tags.setter
81
- def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
107
+ def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
82
108
  pulumi.set(self, "custom_tags", value)
83
109
 
110
+ @property
111
+ @pulumi.getter(name="externalId")
112
+ def external_id(self) -> Optional[pulumi.Input[str]]:
113
+ """
114
+ Optional extra protection that must match the trust policy granting access to the
115
+ AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
116
+ The field is mutable with no special condition, but users must be careful that the new value fits with the trust
117
+ relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
118
+ denied errors. Ignored if the `role_arn` field is empty.
119
+ """
120
+ return pulumi.get(self, "external_id")
121
+
122
+ @external_id.setter
123
+ def external_id(self, value: Optional[pulumi.Input[str]]):
124
+ pulumi.set(self, "external_id", value)
125
+
126
+ @property
127
+ @pulumi.getter
128
+ def granularity(self) -> Optional[pulumi.Input[str]]:
129
+ """
130
+ Determines what level of information is synced as a distinct resource
131
+ at the destination. Supports `secret-path` and `secret-key`.
132
+ """
133
+ return pulumi.get(self, "granularity")
134
+
135
+ @granularity.setter
136
+ def granularity(self, value: Optional[pulumi.Input[str]]):
137
+ pulumi.set(self, "granularity", value)
138
+
84
139
  @property
85
140
  @pulumi.getter
86
141
  def name(self) -> Optional[pulumi.Input[str]]:
@@ -99,7 +154,7 @@ class SyncAwsDestinationArgs:
99
154
  """
100
155
  The namespace to provision the resource in.
101
156
  The value should not contain leading or trailing forward slashes.
102
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
157
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
103
158
  """
104
159
  return pulumi.get(self, "namespace")
105
160
 
@@ -121,6 +176,22 @@ class SyncAwsDestinationArgs:
121
176
  def region(self, value: Optional[pulumi.Input[str]]):
122
177
  pulumi.set(self, "region", value)
123
178
 
179
+ @property
180
+ @pulumi.getter(name="roleArn")
181
+ def role_arn(self) -> Optional[pulumi.Input[str]]:
182
+ """
183
+ Specifies a role to assume when connecting to AWS. When assuming a role,
184
+ Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
185
+ exist for Vault to be able to assume this role. The role can be in a different account.
186
+ The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
187
+ It is possible to provide both an access key pair and a role to assume.
188
+ """
189
+ return pulumi.get(self, "role_arn")
190
+
191
+ @role_arn.setter
192
+ def role_arn(self, value: Optional[pulumi.Input[str]]):
193
+ pulumi.set(self, "role_arn", value)
194
+
124
195
  @property
125
196
  @pulumi.getter(name="secretAccessKey")
126
197
  def secret_access_key(self) -> Optional[pulumi.Input[str]]:
@@ -153,10 +224,13 @@ class SyncAwsDestinationArgs:
153
224
  class _SyncAwsDestinationState:
154
225
  def __init__(__self__, *,
155
226
  access_key_id: Optional[pulumi.Input[str]] = None,
156
- custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
227
+ custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
228
+ external_id: Optional[pulumi.Input[str]] = None,
229
+ granularity: Optional[pulumi.Input[str]] = None,
157
230
  name: Optional[pulumi.Input[str]] = None,
158
231
  namespace: Optional[pulumi.Input[str]] = None,
159
232
  region: Optional[pulumi.Input[str]] = None,
233
+ role_arn: Optional[pulumi.Input[str]] = None,
160
234
  secret_access_key: Optional[pulumi.Input[str]] = None,
161
235
  secret_name_template: Optional[pulumi.Input[str]] = None,
162
236
  type: Optional[pulumi.Input[str]] = None):
@@ -165,14 +239,26 @@ class _SyncAwsDestinationState:
165
239
  :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
166
240
  Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
167
241
  variable.
168
- :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
242
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
243
+ :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
244
+ AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
245
+ The field is mutable with no special condition, but users must be careful that the new value fits with the trust
246
+ relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
247
+ denied errors. Ignored if the `role_arn` field is empty.
248
+ :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
249
+ at the destination. Supports `secret-path` and `secret-key`.
169
250
  :param pulumi.Input[str] name: Unique name of the AWS destination.
170
251
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
171
252
  The value should not contain leading or trailing forward slashes.
172
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
253
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
173
254
  :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
174
255
  Can be omitted and directly provided to Vault using the `AWS_REGION` environment
175
256
  variable.
257
+ :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
258
+ Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
259
+ exist for Vault to be able to assume this role. The role can be in a different account.
260
+ The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
261
+ It is possible to provide both an access key pair and a role to assume.
176
262
  :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
177
263
  Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
178
264
  variable.
@@ -184,12 +270,18 @@ class _SyncAwsDestinationState:
184
270
  pulumi.set(__self__, "access_key_id", access_key_id)
185
271
  if custom_tags is not None:
186
272
  pulumi.set(__self__, "custom_tags", custom_tags)
273
+ if external_id is not None:
274
+ pulumi.set(__self__, "external_id", external_id)
275
+ if granularity is not None:
276
+ pulumi.set(__self__, "granularity", granularity)
187
277
  if name is not None:
188
278
  pulumi.set(__self__, "name", name)
189
279
  if namespace is not None:
190
280
  pulumi.set(__self__, "namespace", namespace)
191
281
  if region is not None:
192
282
  pulumi.set(__self__, "region", region)
283
+ if role_arn is not None:
284
+ pulumi.set(__self__, "role_arn", role_arn)
193
285
  if secret_access_key is not None:
194
286
  pulumi.set(__self__, "secret_access_key", secret_access_key)
195
287
  if secret_name_template is not None:
@@ -213,16 +305,45 @@ class _SyncAwsDestinationState:
213
305
 
214
306
  @property
215
307
  @pulumi.getter(name="customTags")
216
- def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
308
+ def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
217
309
  """
218
310
  Custom tags to set on the secret managed at the destination.
219
311
  """
220
312
  return pulumi.get(self, "custom_tags")
221
313
 
222
314
  @custom_tags.setter
223
- def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
315
+ def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
224
316
  pulumi.set(self, "custom_tags", value)
225
317
 
318
+ @property
319
+ @pulumi.getter(name="externalId")
320
+ def external_id(self) -> Optional[pulumi.Input[str]]:
321
+ """
322
+ Optional extra protection that must match the trust policy granting access to the
323
+ AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
324
+ The field is mutable with no special condition, but users must be careful that the new value fits with the trust
325
+ relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
326
+ denied errors. Ignored if the `role_arn` field is empty.
327
+ """
328
+ return pulumi.get(self, "external_id")
329
+
330
+ @external_id.setter
331
+ def external_id(self, value: Optional[pulumi.Input[str]]):
332
+ pulumi.set(self, "external_id", value)
333
+
334
+ @property
335
+ @pulumi.getter
336
+ def granularity(self) -> Optional[pulumi.Input[str]]:
337
+ """
338
+ Determines what level of information is synced as a distinct resource
339
+ at the destination. Supports `secret-path` and `secret-key`.
340
+ """
341
+ return pulumi.get(self, "granularity")
342
+
343
+ @granularity.setter
344
+ def granularity(self, value: Optional[pulumi.Input[str]]):
345
+ pulumi.set(self, "granularity", value)
346
+
226
347
  @property
227
348
  @pulumi.getter
228
349
  def name(self) -> Optional[pulumi.Input[str]]:
@@ -241,7 +362,7 @@ class _SyncAwsDestinationState:
241
362
  """
242
363
  The namespace to provision the resource in.
243
364
  The value should not contain leading or trailing forward slashes.
244
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
365
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
245
366
  """
246
367
  return pulumi.get(self, "namespace")
247
368
 
@@ -263,6 +384,22 @@ class _SyncAwsDestinationState:
263
384
  def region(self, value: Optional[pulumi.Input[str]]):
264
385
  pulumi.set(self, "region", value)
265
386
 
387
+ @property
388
+ @pulumi.getter(name="roleArn")
389
+ def role_arn(self) -> Optional[pulumi.Input[str]]:
390
+ """
391
+ Specifies a role to assume when connecting to AWS. When assuming a role,
392
+ Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
393
+ exist for Vault to be able to assume this role. The role can be in a different account.
394
+ The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
395
+ It is possible to provide both an access key pair and a role to assume.
396
+ """
397
+ return pulumi.get(self, "role_arn")
398
+
399
+ @role_arn.setter
400
+ def role_arn(self, value: Optional[pulumi.Input[str]]):
401
+ pulumi.set(self, "role_arn", value)
402
+
266
403
  @property
267
404
  @pulumi.getter(name="secretAccessKey")
268
405
  def secret_access_key(self) -> Optional[pulumi.Input[str]]:
@@ -309,31 +446,35 @@ class SyncAwsDestination(pulumi.CustomResource):
309
446
  resource_name: str,
310
447
  opts: Optional[pulumi.ResourceOptions] = None,
311
448
  access_key_id: Optional[pulumi.Input[str]] = None,
312
- custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
449
+ custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
450
+ external_id: Optional[pulumi.Input[str]] = None,
451
+ granularity: Optional[pulumi.Input[str]] = None,
313
452
  name: Optional[pulumi.Input[str]] = None,
314
453
  namespace: Optional[pulumi.Input[str]] = None,
315
454
  region: Optional[pulumi.Input[str]] = None,
455
+ role_arn: Optional[pulumi.Input[str]] = None,
316
456
  secret_access_key: Optional[pulumi.Input[str]] = None,
317
457
  secret_name_template: Optional[pulumi.Input[str]] = None,
318
458
  __props__=None):
319
459
  """
320
460
  ## Example Usage
321
461
 
322
- <!--Start PulumiCodeChooser -->
323
462
  ```python
324
463
  import pulumi
325
464
  import pulumi_vault as vault
326
465
 
327
466
  aws = vault.secrets.SyncAwsDestination("aws",
328
- access_key_id=var["access_key_id"],
329
- secret_access_key=var["secret_access_key"],
467
+ name="aws-dest",
468
+ access_key_id=access_key_id,
469
+ secret_access_key=secret_access_key,
330
470
  region="us-east-1",
471
+ role_arn="role-arn",
472
+ external_id="external-id",
331
473
  secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
332
474
  custom_tags={
333
475
  "foo": "bar",
334
476
  })
335
477
  ```
336
- <!--End PulumiCodeChooser -->
337
478
 
338
479
  ## Import
339
480
 
@@ -348,14 +489,26 @@ class SyncAwsDestination(pulumi.CustomResource):
348
489
  :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
349
490
  Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
350
491
  variable.
351
- :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
492
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
493
+ :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
494
+ AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
495
+ The field is mutable with no special condition, but users must be careful that the new value fits with the trust
496
+ relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
497
+ denied errors. Ignored if the `role_arn` field is empty.
498
+ :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
499
+ at the destination. Supports `secret-path` and `secret-key`.
352
500
  :param pulumi.Input[str] name: Unique name of the AWS destination.
353
501
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
354
502
  The value should not contain leading or trailing forward slashes.
355
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
503
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
356
504
  :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
357
505
  Can be omitted and directly provided to Vault using the `AWS_REGION` environment
358
506
  variable.
507
+ :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
508
+ Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
509
+ exist for Vault to be able to assume this role. The role can be in a different account.
510
+ The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
511
+ It is possible to provide both an access key pair and a role to assume.
359
512
  :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
360
513
  Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
361
514
  variable.
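Review bot: The `external_id` docstring calls the value "extra protection" but never says that AWS only enforces it when the role's trust policy carries a condition on `sts:ExternalId`; setting the field against a trust policy without that condition gives no protection at all, and nothing in this resource can detect that. I would add the sentence `AWS checks this value only if the role's trust policy has a Condition on sts:ExternalId; without that condition the field has no security effect.` It is also worth stating whether the value is treated as sensitive in state, since `secret_access_key` further down is and this field is not marked either way. This parameter list belongs to the `__init__` overload whose signature starts before the hunk.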
@@ -371,21 +524,22 @@ class SyncAwsDestination(pulumi.CustomResource):
371
524
  """
372
525
  ## Example Usage
373
526
 
374
- <!--Start PulumiCodeChooser -->
375
527
  ```python
376
528
  import pulumi
377
529
  import pulumi_vault as vault
378
530
 
379
531
  aws = vault.secrets.SyncAwsDestination("aws",
380
- access_key_id=var["access_key_id"],
381
- secret_access_key=var["secret_access_key"],
532
+ name="aws-dest",
533
+ access_key_id=access_key_id,
534
+ secret_access_key=secret_access_key,
382
535
  region="us-east-1",
536
+ role_arn="role-arn",
537
+ external_id="external-id",
383
538
  secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
384
539
  custom_tags={
385
540
  "foo": "bar",
386
541
  })
387
542
  ```
388
- <!--End PulumiCodeChooser -->
389
543
 
390
544
  ## Import
391
545
 
@@ -411,10 +565,13 @@ class SyncAwsDestination(pulumi.CustomResource):
411
565
  resource_name: str,
412
566
  opts: Optional[pulumi.ResourceOptions] = None,
413
567
  access_key_id: Optional[pulumi.Input[str]] = None,
414
- custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
568
+ custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
569
+ external_id: Optional[pulumi.Input[str]] = None,
570
+ granularity: Optional[pulumi.Input[str]] = None,
415
571
  name: Optional[pulumi.Input[str]] = None,
416
572
  namespace: Optional[pulumi.Input[str]] = None,
417
573
  region: Optional[pulumi.Input[str]] = None,
574
+ role_arn: Optional[pulumi.Input[str]] = None,
418
575
  secret_access_key: Optional[pulumi.Input[str]] = None,
419
576
  secret_name_template: Optional[pulumi.Input[str]] = None,
420
577
  __props__=None):
@@ -428,9 +585,12 @@ class SyncAwsDestination(pulumi.CustomResource):
428
585
 
429
586
  __props__.__dict__["access_key_id"] = access_key_id
430
587
  __props__.__dict__["custom_tags"] = custom_tags
588
+ __props__.__dict__["external_id"] = external_id
589
+ __props__.__dict__["granularity"] = granularity
431
590
  __props__.__dict__["name"] = name
432
591
  __props__.__dict__["namespace"] = namespace
433
592
  __props__.__dict__["region"] = region
593
+ __props__.__dict__["role_arn"] = role_arn
434
594
  __props__.__dict__["secret_access_key"] = None if secret_access_key is None else pulumi.Output.secret(secret_access_key)
435
595
  __props__.__dict__["secret_name_template"] = secret_name_template
436
596
  __props__.__dict__["type"] = None
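Review bot: `external_id` is stored as a plain property on the new side (`__props__.__dict__["external_id"] = external_id`) while `secret_access_key` two lines below is wrapped in `pulumi.Output.secret(...)`, so the external ID will show up in clear text in state files, `pulumi preview` output and CI logs. AWS positions the external ID as a confused-deputy guard rather than a password, but it is still one of the inputs needed to assume the role, and hiding it costs nothing. Because this file is generated, the durable fix is marking the field as secret in the provider schema; the equivalent local change is `__props__.__dict__["external_id"] = None if external_id is None else pulumi.Output.secret(external_id)`. The enclosing `_internal_init` starts and ends outside this hunk.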
@@ -447,10 +607,13 @@ class SyncAwsDestination(pulumi.CustomResource):
447
607
  id: pulumi.Input[str],
448
608
  opts: Optional[pulumi.ResourceOptions] = None,
449
609
  access_key_id: Optional[pulumi.Input[str]] = None,
450
- custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
610
+ custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
611
+ external_id: Optional[pulumi.Input[str]] = None,
612
+ granularity: Optional[pulumi.Input[str]] = None,
451
613
  name: Optional[pulumi.Input[str]] = None,
452
614
  namespace: Optional[pulumi.Input[str]] = None,
453
615
  region: Optional[pulumi.Input[str]] = None,
616
+ role_arn: Optional[pulumi.Input[str]] = None,
454
617
  secret_access_key: Optional[pulumi.Input[str]] = None,
455
618
  secret_name_template: Optional[pulumi.Input[str]] = None,
456
619
  type: Optional[pulumi.Input[str]] = None) -> 'SyncAwsDestination':
@@ -464,14 +627,26 @@ class SyncAwsDestination(pulumi.CustomResource):
464
627
  :param pulumi.Input[str] access_key_id: Access key id to authenticate against the AWS secrets manager.
465
628
  Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
466
629
  variable.
467
- :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
630
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] custom_tags: Custom tags to set on the secret managed at the destination.
631
+ :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
632
+ AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
633
+ The field is mutable with no special condition, but users must be careful that the new value fits with the trust
634
+ relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
635
+ denied errors. Ignored if the `role_arn` field is empty.
636
+ :param pulumi.Input[str] granularity: Determines what level of information is synced as a distinct resource
637
+ at the destination. Supports `secret-path` and `secret-key`.
468
638
  :param pulumi.Input[str] name: Unique name of the AWS destination.
469
639
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
470
640
  The value should not contain leading or trailing forward slashes.
471
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
641
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
472
642
  :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
473
643
  Can be omitted and directly provided to Vault using the `AWS_REGION` environment
474
644
  variable.
645
+ :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
646
+ Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
647
+ exist for Vault to be able to assume this role. The role can be in a different account.
648
+ The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
649
+ It is possible to provide both an access key pair and a role to assume.
475
650
  :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
476
651
  Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
477
652
  variable.
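Review bot: The `role_arn` docstring says "the BE will return an error" — "BE" is internal jargon a Pulumi user will not parse, and `Vault rejects the update` says the same thing. The sentence "An initial session with the proper trust relationship must exist" is also vague about which principal the trust policy must name; I would replace it with `the role's trust policy must allow the principal Vault authenticates as (the configured key pair or Vault's ambient AWS credentials) to call sts:AssumeRole`, confirming the wording against the Vault secrets-sync docs before committing it. This parameter block belongs to the `get` classmethod whose signature starts before the hunk.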
@@ -485,9 +660,12 @@ class SyncAwsDestination(pulumi.CustomResource):
485
660
 
486
661
  __props__.__dict__["access_key_id"] = access_key_id
487
662
  __props__.__dict__["custom_tags"] = custom_tags
663
+ __props__.__dict__["external_id"] = external_id
664
+ __props__.__dict__["granularity"] = granularity
488
665
  __props__.__dict__["name"] = name
489
666
  __props__.__dict__["namespace"] = namespace
490
667
  __props__.__dict__["region"] = region
668
+ __props__.__dict__["role_arn"] = role_arn
491
669
  __props__.__dict__["secret_access_key"] = secret_access_key
492
670
  __props__.__dict__["secret_name_template"] = secret_name_template
493
671
  __props__.__dict__["type"] = type
@@ -505,12 +683,33 @@ class SyncAwsDestination(pulumi.CustomResource):
505
683
 
506
684
  @property
507
685
  @pulumi.getter(name="customTags")
508
- def custom_tags(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
686
+ def custom_tags(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
509
687
  """
510
688
  Custom tags to set on the secret managed at the destination.
511
689
  """
512
690
  return pulumi.get(self, "custom_tags")
513
691
 
692
+ @property
693
+ @pulumi.getter(name="externalId")
694
+ def external_id(self) -> pulumi.Output[Optional[str]]:
695
+ """
696
+ Optional extra protection that must match the trust policy granting access to the
697
+ AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
698
+ The field is mutable with no special condition, but users must be careful that the new value fits with the trust
699
+ relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
700
+ denied errors. Ignored if the `role_arn` field is empty.
701
+ """
702
+ return pulumi.get(self, "external_id")
703
+
704
+ @property
705
+ @pulumi.getter
706
+ def granularity(self) -> pulumi.Output[Optional[str]]:
707
+ """
708
+ Determines what level of information is synced as a distinct resource
709
+ at the destination. Supports `secret-path` and `secret-key`.
710
+ """
711
+ return pulumi.get(self, "granularity")
712
+
514
713
  @property
515
714
  @pulumi.getter
516
715
  def name(self) -> pulumi.Output[str]:
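Review bot: The `granularity` getter documents the two accepted values but not what Vault applies when the field is left unset, and the choice has a least-privilege consequence: with `secret-key` each key appears to become its own resource at the destination, so per-secret IAM scoping and tagging have to cover more entries. I would add `When omitted, Vault applies its server-side default (secret-path at time of writing — confirm against the Vault secrets-sync docs).` The class continues outside this hunk.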
@@ -525,7 +724,7 @@ class SyncAwsDestination(pulumi.CustomResource):
525
724
  """
526
725
  The namespace to provision the resource in.
527
726
  The value should not contain leading or trailing forward slashes.
528
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
727
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
529
728
  """
530
729
  return pulumi.get(self, "namespace")
531
730
 
@@ -539,6 +738,18 @@ class SyncAwsDestination(pulumi.CustomResource):
539
738
  """
540
739
  return pulumi.get(self, "region")
541
740
 
741
+ @property
742
+ @pulumi.getter(name="roleArn")
743
+ def role_arn(self) -> pulumi.Output[Optional[str]]:
744
+ """
745
+ Specifies a role to assume when connecting to AWS. When assuming a role,
746
+ Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
747
+ exist for Vault to be able to assume this role. The role can be in a different account.
748
+ The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
749
+ It is possible to provide both an access key pair and a role to assume.
750
+ """
751
+ return pulumi.get(self, "role_arn")
752
+
542
753
  @property
543
754
  @pulumi.getter(name="secretAccessKey")
544
755
  def secret_access_key(self) -> pulumi.Output[Optional[str]]:
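Review bot: The `role_arn` property docstring says both a key pair and a role may be supplied but not how they interact, leaving a reader unsure whether the static key pair is still used or silently ignored once a role is set. I would add, hedged until confirmed: `When both are set, the key pair is presumably only the source credential for the sts:AssumeRole call and the assumed role's permissions govern the sync; confirm against the Vault secrets-sync docs.` If that is the behaviour, the docstring should also say that the static user then needs only `sts:AssumeRole` on this role rather than Secrets Manager permissions of its own, which is the whole point of using the role. The class continues past this hunk.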