pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

pulumi_vault/ssh/secret_backend_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 from . import outputs
 from ._inputs import *
@@ -20,6 +25,7 @@ class SecretBackendRoleArgs:
                  key_type: pulumi.Input[str],
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -29,12 +35,11 @@ class SecretBackendRoleArgs:
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
                  allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -61,14 +66,11 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -76,7 +78,7 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -87,6 +89,8 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "algorithm_signer", algorithm_signer)
         if allow_bare_domains is not None:
             pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+        if allow_empty_principals is not None:
+            pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
         if allow_host_certificates is not None:
             pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
         if allow_subdomains is not None:
@@ -105,11 +109,6 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "allowed_extensions", allowed_extensions)
         if allowed_user_key_configs is not None:
             pulumi.set(__self__, "allowed_user_key_configs", allowed_user_key_configs)
-        if allowed_user_key_lengths is not None:
-            warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-            pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        if allowed_user_key_lengths is not None:
-            pulumi.set(__self__, "allowed_user_key_lengths", allowed_user_key_lengths)
         if allowed_users is not None:
             pulumi.set(__self__, "allowed_users", allowed_users)
         if allowed_users_template is not None:
@@ -185,6 +184,15 @@ class SecretBackendRoleArgs:
     def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "allow_bare_domains", value)
 
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+        return pulumi.get(self, "allow_empty_principals")
+
+    @allow_empty_principals.setter
+    def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "allow_empty_principals", value)
+
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -296,23 +304,6 @@ class SecretBackendRoleArgs:
     def allowed_user_key_configs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]]):
         pulumi.set(self, "allowed_user_key_configs", value)
 
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which 
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-
-        return pulumi.get(self, "allowed_user_key_lengths")
-
-    @allowed_user_key_lengths.setter
-    def allowed_user_key_lengths(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]):
-        pulumi.set(self, "allowed_user_key_lengths", value)
-
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> Optional[pulumi.Input[str]]:
@@ -351,26 +342,26 @@ class SecretBackendRoleArgs:
 
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
         return pulumi.get(self, "default_critical_options")
 
     @default_critical_options.setter
-    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_critical_options", value)
 
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
         return pulumi.get(self, "default_extensions")
 
     @default_extensions.setter
-    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_extensions", value)
 
     @property
@@ -439,7 +430,7 @@ class SecretBackendRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -478,6 +469,7 @@ class _SecretBackendRoleState:
     def __init__(__self__, *,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -487,13 +479,12 @@ class _SecretBackendRoleState:
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
                  allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -519,15 +510,12 @@ class _SecretBackendRoleState:
         :param pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -536,7 +524,7 @@ class _SecretBackendRoleState:
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -545,6 +533,8 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "algorithm_signer", algorithm_signer)
         if allow_bare_domains is not None:
             pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+        if allow_empty_principals is not None:
+            pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
         if allow_host_certificates is not None:
             pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
         if allow_subdomains is not None:
@@ -563,11 +553,6 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "allowed_extensions", allowed_extensions)
         if allowed_user_key_configs is not None:
             pulumi.set(__self__, "allowed_user_key_configs", allowed_user_key_configs)
-        if allowed_user_key_lengths is not None:
-            warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-            pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-        if allowed_user_key_lengths is not None:
-            pulumi.set(__self__, "allowed_user_key_lengths", allowed_user_key_lengths)
         if allowed_users is not None:
             pulumi.set(__self__, "allowed_users", allowed_users)
         if allowed_users_template is not None:
@@ -623,6 +608,15 @@ class _SecretBackendRoleState:
     def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "allow_bare_domains", value)
 
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+        return pulumi.get(self, "allow_empty_principals")
+
+    @allow_empty_principals.setter
+    def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "allow_empty_principals", value)
+
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -734,23 +728,6 @@ class _SecretBackendRoleState:
     def allowed_user_key_configs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['SecretBackendRoleAllowedUserKeyConfigArgs']]]]):
         pulumi.set(self, "allowed_user_key_configs", value)
 
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which 
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-
-        return pulumi.get(self, "allowed_user_key_lengths")
-
-    @allowed_user_key_lengths.setter
-    def allowed_user_key_lengths(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]]):
-        pulumi.set(self, "allowed_user_key_lengths", value)
-
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> Optional[pulumi.Input[str]]:
@@ -801,26 +778,26 @@ class _SecretBackendRoleState:
 
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_critical_options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
         return pulumi.get(self, "default_critical_options")
 
     @default_critical_options.setter
-    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_critical_options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_critical_options", value)
 
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def default_extensions(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
         return pulumi.get(self, "default_extensions")
 
     @default_extensions.setter
-    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def default_extensions(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "default_extensions", value)
 
     @property
@@ -901,7 +878,7 @@ class _SecretBackendRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -942,6 +919,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -950,14 +928,13 @@ class SecretBackendRole(pulumi.CustomResource):
                  allowed_domains: Optional[pulumi.Input[str]] = None,
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
-                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -974,24 +951,24 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
 
         example = vault.Mount("example", type="ssh")
         foo = vault.ssh.SecretBackendRole("foo",
+            name="my-role",
             backend=example.path,
             key_type="ca",
             allow_user_certificates=True)
         bar = vault.ssh.SecretBackendRole("bar",
+            name="otp-role",
             backend=example.path,
             key_type="otp",
             default_user="default",
             allowed_users="default,baz",
             cidr_list="0.0.0.0/0")
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1014,18 +991,15 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[bool] allowed_domains_template: Specifies if `allowed_domains` can be declared using
                identity template policies. Non-templated domains are also permitted.
         :param pulumi.Input[str] allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when signed.
-        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
+        :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -1034,7 +1008,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -1051,24 +1025,24 @@ class SecretBackendRole(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
 
         example = vault.Mount("example", type="ssh")
         foo = vault.ssh.SecretBackendRole("foo",
+            name="my-role",
             backend=example.path,
             key_type="ca",
             allow_user_certificates=True)
         bar = vault.ssh.SecretBackendRole("bar",
+            name="otp-role",
             backend=example.path,
             key_type="otp",
             default_user="default",
             allowed_users="default,baz",
             cidr_list="0.0.0.0/0")
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1095,6 +1069,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  algorithm_signer: Optional[pulumi.Input[str]] = None,
                  allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+                 allow_empty_principals: Optional[pulumi.Input[bool]] = None,
                  allow_host_certificates: Optional[pulumi.Input[bool]] = None,
                  allow_subdomains: Optional[pulumi.Input[bool]] = None,
                  allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1103,14 +1078,13 @@ class SecretBackendRole(pulumi.CustomResource):
                  allowed_domains: Optional[pulumi.Input[str]] = None,
                  allowed_domains_template: Optional[pulumi.Input[bool]] = None,
                  allowed_extensions: Optional[pulumi.Input[str]] = None,
-                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-                 allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+                 allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
                  allowed_users: Optional[pulumi.Input[str]] = None,
                  allowed_users_template: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  cidr_list: Optional[pulumi.Input[str]] = None,
-                 default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-                 default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  default_user: Optional[pulumi.Input[str]] = None,
                  default_user_template: Optional[pulumi.Input[bool]] = None,
                  key_id_format: Optional[pulumi.Input[str]] = None,
@@ -1131,6 +1105,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
             __props__.__dict__["algorithm_signer"] = algorithm_signer
             __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+            __props__.__dict__["allow_empty_principals"] = allow_empty_principals
             __props__.__dict__["allow_host_certificates"] = allow_host_certificates
             __props__.__dict__["allow_subdomains"] = allow_subdomains
             __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1140,7 +1115,6 @@ class SecretBackendRole(pulumi.CustomResource):
             __props__.__dict__["allowed_domains_template"] = allowed_domains_template
             __props__.__dict__["allowed_extensions"] = allowed_extensions
             __props__.__dict__["allowed_user_key_configs"] = allowed_user_key_configs
-            __props__.__dict__["allowed_user_key_lengths"] = allowed_user_key_lengths
             __props__.__dict__["allowed_users"] = allowed_users
             __props__.__dict__["allowed_users_template"] = allowed_users_template
             if backend is None and not opts.urn:
@@ -1172,6 +1146,7 @@ class SecretBackendRole(pulumi.CustomResource):
             opts: Optional[pulumi.ResourceOptions] = None,
             algorithm_signer: Optional[pulumi.Input[str]] = None,
             allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+            allow_empty_principals: Optional[pulumi.Input[bool]] = None,
             allow_host_certificates: Optional[pulumi.Input[bool]] = None,
             allow_subdomains: Optional[pulumi.Input[bool]] = None,
             allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1180,14 +1155,13 @@ class SecretBackendRole(pulumi.CustomResource):
             allowed_domains: Optional[pulumi.Input[str]] = None,
             allowed_domains_template: Optional[pulumi.Input[bool]] = None,
             allowed_extensions: Optional[pulumi.Input[str]] = None,
-            allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]]] = None,
-            allowed_user_key_lengths: Optional[pulumi.Input[Mapping[str, pulumi.Input[int]]]] = None,
+            allowed_user_key_configs: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]]] = None,
             allowed_users: Optional[pulumi.Input[str]] = None,
             allowed_users_template: Optional[pulumi.Input[bool]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             cidr_list: Optional[pulumi.Input[str]] = None,
-            default_critical_options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
-            default_extensions: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            default_critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+            default_extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             default_user: Optional[pulumi.Input[str]] = None,
             default_user_template: Optional[pulumi.Input[bool]] = None,
             key_id_format: Optional[pulumi.Input[str]] = None,
@@ -1215,18 +1189,15 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[bool] allowed_domains_template: Specifies if `allowed_domains` can be declared using
                identity template policies. Non-templated domains are also permitted.
         :param pulumi.Input[str] allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when signed.
-        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['SecretBackendRoleAllowedUserKeyConfigArgs']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
+        :param pulumi.Input[Sequence[pulumi.Input[Union['SecretBackendRoleAllowedUserKeyConfigArgs', 'SecretBackendRoleAllowedUserKeyConfigArgsDict']]]] allowed_user_key_configs: Set of configuration blocks to define allowed  
                user key configuration, like key type and their lengths. Can be specified multiple times.
                *See Configuration-Options for more info*
-        :param pulumi.Input[Mapping[str, pulumi.Input[int]]] allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which 
-               are allowed to be signed by the CA type.
-               *Deprecated: use* allowed_user_key_config *instead*
         :param pulumi.Input[str] allowed_users: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
         :param pulumi.Input[bool] allowed_users_template: Specifies if `allowed_users` can be declared using identity template policies. Non-templated users are also permitted.
         :param pulumi.Input[str] backend: The path where the SSH secret backend is mounted.
         :param pulumi.Input[str] cidr_list: The comma-separated string of CIDR blocks for which this role is applicable.
-        :param pulumi.Input[Mapping[str, Any]] default_critical_options: Specifies a map of critical options that certificates have when signed.
-        :param pulumi.Input[Mapping[str, Any]] default_extensions: Specifies a map of extensions that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_critical_options: Specifies a map of critical options that certificates have when signed.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] default_extensions: Specifies a map of extensions that certificates have when signed.
         :param pulumi.Input[str] default_user: Specifies the default username for which a credential will be generated.
         :param pulumi.Input[bool] default_user_template: If set, `default_users` can be specified using identity template values. A non-templated user is also permitted.
         :param pulumi.Input[str] key_id_format: Specifies a custom format for the key id of a signed certificate.
@@ -1235,7 +1206,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] name: Specifies the name of the role to create.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] not_before_duration: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
         :param pulumi.Input[str] ttl: Specifies the Time To Live value.
@@ -1246,6 +1217,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
         __props__.__dict__["algorithm_signer"] = algorithm_signer
         __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+        __props__.__dict__["allow_empty_principals"] = allow_empty_principals
         __props__.__dict__["allow_host_certificates"] = allow_host_certificates
         __props__.__dict__["allow_subdomains"] = allow_subdomains
         __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1255,7 +1227,6 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["allowed_domains_template"] = allowed_domains_template
         __props__.__dict__["allowed_extensions"] = allowed_extensions
         __props__.__dict__["allowed_user_key_configs"] = allowed_user_key_configs
-        __props__.__dict__["allowed_user_key_lengths"] = allowed_user_key_lengths
         __props__.__dict__["allowed_users"] = allowed_users
         __props__.__dict__["allowed_users_template"] = allowed_users_template
         __props__.__dict__["backend"] = backend
@@ -1289,6 +1260,11 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "allow_bare_domains")
 
+    @property
+    @pulumi.getter(name="allowEmptyPrincipals")
+    def allow_empty_principals(self) -> pulumi.Output[Optional[bool]]:
+        return pulumi.get(self, "allow_empty_principals")
+
     @property
     @pulumi.getter(name="allowHostCertificates")
     def allow_host_certificates(self) -> pulumi.Output[Optional[bool]]:
@@ -1364,19 +1340,6 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "allowed_user_key_configs")
 
-    @property
-    @pulumi.getter(name="allowedUserKeyLengths")
-    def allowed_user_key_lengths(self) -> pulumi.Output[Optional[Mapping[str, int]]]:
-        """
-        Specifies a map of ssh key types and their expected sizes which 
-        are allowed to be signed by the CA type.
-        *Deprecated: use* allowed_user_key_config *instead*
-        """
-        warnings.warn("""Set in allowed_user_key_config""", DeprecationWarning)
-        pulumi.log.warn("""allowed_user_key_lengths is deprecated: Set in allowed_user_key_config""")
-
-        return pulumi.get(self, "allowed_user_key_lengths")
-
     @property
     @pulumi.getter(name="allowedUsers")
     def allowed_users(self) -> pulumi.Output[Optional[str]]:
@@ -1411,7 +1374,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="defaultCriticalOptions")
-    def default_critical_options(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def default_critical_options(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies a map of critical options that certificates have when signed.
         """
@@ -1419,7 +1382,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="defaultExtensions")
-    def default_extensions(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def default_extensions(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies a map of extensions that certificates have when signed.
         """
@@ -1479,7 +1442,7 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")