pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +22 -7
- pulumi_vault/ad/secret_backend.py +14 -144
- pulumi_vault/ad/secret_library.py +14 -11
- pulumi_vault/ad/secret_role.py +12 -11
- pulumi_vault/alicloud/auth_backend_role.py +74 -192
- pulumi_vault/approle/auth_backend_login.py +12 -11
- pulumi_vault/approle/auth_backend_role.py +75 -193
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
- pulumi_vault/audit.py +24 -27
- pulumi_vault/audit_request_header.py +11 -6
- pulumi_vault/auth_backend.py +64 -12
- pulumi_vault/aws/auth_backend_cert.py +12 -7
- pulumi_vault/aws/auth_backend_client.py +265 -24
- pulumi_vault/aws/auth_backend_config_identity.py +12 -11
- pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +75 -193
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
- pulumi_vault/aws/auth_backend_sts_role.py +12 -11
- pulumi_vault/aws/get_access_credentials.py +34 -7
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +75 -7
- pulumi_vault/aws/secret_backend_role.py +183 -11
- pulumi_vault/aws/secret_backend_static_role.py +14 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +151 -17
- pulumi_vault/azure/auth_backend_role.py +75 -193
- pulumi_vault/azure/backend.py +223 -29
- pulumi_vault/azure/backend_role.py +42 -41
- pulumi_vault/azure/get_access_credentials.py +39 -11
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -271
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +22 -25
- pulumi_vault/consul/secret_backend_role.py +14 -80
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +117 -114
- pulumi_vault/database/secret_backend_role.py +29 -24
- pulumi_vault/database/secret_backend_static_role.py +85 -15
- pulumi_vault/database/secrets_mount.py +425 -138
- pulumi_vault/egp_policy.py +16 -15
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +248 -35
- pulumi_vault/gcp/auth_backend_role.py +75 -271
- pulumi_vault/gcp/get_auth_backend_role.py +43 -9
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -16
- pulumi_vault/gcp/secret_impersonated_account.py +74 -17
- pulumi_vault/gcp/secret_roleset.py +29 -26
- pulumi_vault/gcp/secret_static_account.py +37 -34
- pulumi_vault/generic/endpoint.py +22 -21
- pulumi_vault/generic/get_secret.py +68 -12
- pulumi_vault/generic/secret.py +19 -14
- pulumi_vault/get_auth_backend.py +24 -11
- pulumi_vault/get_auth_backends.py +33 -11
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -15
- pulumi_vault/get_policy_document.py +34 -23
- pulumi_vault/get_raft_autopilot_state.py +29 -14
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +17 -16
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +14 -13
- pulumi_vault/github/user.py +14 -13
- pulumi_vault/identity/entity.py +18 -15
- pulumi_vault/identity/entity_alias.py +18 -15
- pulumi_vault/identity/entity_policies.py +24 -19
- pulumi_vault/identity/get_entity.py +40 -14
- pulumi_vault/identity/get_group.py +45 -13
- pulumi_vault/identity/get_oidc_client_creds.py +21 -11
- pulumi_vault/identity/get_oidc_openid_config.py +39 -13
- pulumi_vault/identity/get_oidc_public_keys.py +29 -14
- pulumi_vault/identity/group.py +50 -49
- pulumi_vault/identity/group_alias.py +14 -11
- pulumi_vault/identity/group_member_entity_ids.py +24 -74
- pulumi_vault/identity/group_member_group_ids.py +36 -27
- pulumi_vault/identity/group_policies.py +16 -15
- pulumi_vault/identity/mfa_duo.py +9 -8
- pulumi_vault/identity/mfa_login_enforcement.py +13 -8
- pulumi_vault/identity/mfa_okta.py +9 -8
- pulumi_vault/identity/mfa_pingid.py +5 -4
- pulumi_vault/identity/mfa_totp.py +5 -4
- pulumi_vault/identity/oidc.py +12 -11
- pulumi_vault/identity/oidc_assignment.py +22 -13
- pulumi_vault/identity/oidc_client.py +34 -25
- pulumi_vault/identity/oidc_key.py +28 -19
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
- pulumi_vault/identity/oidc_provider.py +34 -23
- pulumi_vault/identity/oidc_role.py +40 -27
- pulumi_vault/identity/oidc_scope.py +18 -15
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +39 -46
- pulumi_vault/jwt/auth_backend_role.py +131 -260
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +22 -21
- pulumi_vault/kmip/secret_role.py +12 -11
- pulumi_vault/kmip/secret_scope.py +12 -11
- pulumi_vault/kubernetes/auth_backend_config.py +55 -7
- pulumi_vault/kubernetes/auth_backend_role.py +68 -179
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -15
- pulumi_vault/kubernetes/secret_backend.py +314 -29
- pulumi_vault/kubernetes/secret_backend_role.py +135 -56
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +23 -12
- pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
- pulumi_vault/kv/get_secret_v2.py +89 -9
- pulumi_vault/kv/get_secrets_list.py +22 -15
- pulumi_vault/kv/get_secrets_list_v2.py +35 -19
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +19 -18
- pulumi_vault/kv/secret_backend_v2.py +12 -11
- pulumi_vault/kv/secret_v2.py +55 -52
- pulumi_vault/ldap/auth_backend.py +125 -168
- pulumi_vault/ldap/auth_backend_group.py +12 -11
- pulumi_vault/ldap/auth_backend_user.py +12 -11
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +352 -84
- pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
- pulumi_vault/ldap/secret_backend_library_set.py +14 -11
- pulumi_vault/ldap/secret_backend_static_role.py +67 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +27 -43
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +16 -13
- pulumi_vault/mfa_okta.py +16 -13
- pulumi_vault/mfa_pingid.py +16 -13
- pulumi_vault/mfa_totp.py +22 -19
- pulumi_vault/mongodbatlas/secret_backend.py +18 -17
- pulumi_vault/mongodbatlas/secret_role.py +41 -38
- pulumi_vault/mount.py +389 -65
- pulumi_vault/namespace.py +26 -21
- pulumi_vault/nomad_secret_backend.py +16 -15
- pulumi_vault/nomad_secret_role.py +12 -11
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +483 -41
- pulumi_vault/okta/auth_backend_group.py +12 -11
- pulumi_vault/okta/auth_backend_user.py +12 -11
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +18 -15
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
- pulumi_vault/pkisecret/get_backend_key.py +24 -13
- pulumi_vault/pkisecret/get_backend_keys.py +21 -12
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
- pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
- pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
- pulumi_vault/pkisecret/secret_backend_key.py +12 -7
- pulumi_vault/pkisecret/secret_backend_role.py +19 -16
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +12 -7
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +58 -8
- pulumi_vault/quota_rate_limit.py +54 -4
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +16 -15
- pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
- pulumi_vault/raft_autopilot.py +12 -11
- pulumi_vault/raft_snapshot_agent_config.py +121 -311
- pulumi_vault/rgp_policy.py +14 -13
- pulumi_vault/saml/auth_backend.py +20 -19
- pulumi_vault/saml/auth_backend_role.py +90 -199
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -75
- pulumi_vault/secrets/sync_aws_destination.py +240 -29
- pulumi_vault/secrets/sync_azure_destination.py +90 -33
- pulumi_vault/secrets/sync_config.py +7 -6
- pulumi_vault/secrets/sync_gcp_destination.py +156 -27
- pulumi_vault/secrets/sync_gh_destination.py +187 -15
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +72 -15
- pulumi_vault/ssh/_inputs.py +28 -32
- pulumi_vault/ssh/outputs.py +11 -32
- pulumi_vault/ssh/secret_backend_ca.py +106 -11
- pulumi_vault/ssh/secret_backend_role.py +83 -120
- pulumi_vault/terraformcloud/secret_backend.py +5 -56
- pulumi_vault/terraformcloud/secret_creds.py +14 -24
- pulumi_vault/terraformcloud/secret_role.py +14 -76
- pulumi_vault/token.py +26 -25
- pulumi_vault/tokenauth/auth_backend_role.py +76 -201
- pulumi_vault/transform/alphabet.py +16 -13
- pulumi_vault/transform/get_decode.py +45 -21
- pulumi_vault/transform/get_encode.py +45 -21
- pulumi_vault/transform/role.py +16 -13
- pulumi_vault/transform/template.py +30 -25
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -25
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +25 -97
- pulumi_vault/transit/secret_cache_config.py +12 -11
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736850018.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from . import _utilities
|
11
16
|
|
12
17
|
__all__ = ['CertAuthBackendRoleArgs', 'CertAuthBackendRole']
|
@@ -19,7 +24,6 @@ class CertAuthBackendRoleArgs:
|
|
19
24
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
20
25
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
21
26
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
22
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
23
27
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
24
28
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
25
29
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -49,14 +53,13 @@ class CertAuthBackendRoleArgs:
|
|
49
53
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
50
54
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
51
55
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
52
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
53
56
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
54
57
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
55
58
|
:param pulumi.Input[str] display_name: The name to display on tokens issued under this role.
|
56
59
|
:param pulumi.Input[str] name: Name of the role
|
57
60
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
58
61
|
The value should not contain leading or trailing forward slashes.
|
59
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
62
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
60
63
|
*Available only for Vault Enterprise*.
|
61
64
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
62
65
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -77,34 +80,15 @@ class CertAuthBackendRoleArgs:
|
|
77
80
|
Requires Vault version 1.13+.
|
78
81
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
79
82
|
client certificates
|
80
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
81
|
-
|
82
|
-
|
83
|
-
:param pulumi.Input[
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
:param pulumi.Input[int]
|
88
|
-
|
89
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
90
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
91
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
92
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
93
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
94
|
-
token generated using this role should never expire. The token should be renewed within the
|
95
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
96
|
-
value of this field. Specified in seconds.
|
97
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
98
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
99
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
100
|
-
Its current value will be referenced at renewal time.
|
101
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
102
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
103
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
104
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
105
|
-
requests a different type at generation time.
|
106
|
-
|
107
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
83
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
84
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
85
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
86
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
87
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
88
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
89
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
90
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
91
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
108
92
|
"""
|
109
93
|
pulumi.set(__self__, "certificate", certificate)
|
110
94
|
if allowed_common_names is not None:
|
@@ -115,11 +99,6 @@ class CertAuthBackendRoleArgs:
|
|
115
99
|
pulumi.set(__self__, "allowed_email_sans", allowed_email_sans)
|
116
100
|
if allowed_names is not None:
|
117
101
|
pulumi.set(__self__, "allowed_names", allowed_names)
|
118
|
-
if allowed_organization_units is not None:
|
119
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
120
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
121
|
-
if allowed_organization_units is not None:
|
122
|
-
pulumi.set(__self__, "allowed_organization_units", allowed_organization_units)
|
123
102
|
if allowed_organizational_units is not None:
|
124
103
|
pulumi.set(__self__, "allowed_organizational_units", allowed_organizational_units)
|
125
104
|
if allowed_uri_sans is not None:
|
@@ -223,24 +202,11 @@ class CertAuthBackendRoleArgs:
|
|
223
202
|
def allowed_names(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
224
203
|
pulumi.set(self, "allowed_names", value)
|
225
204
|
|
226
|
-
@property
|
227
|
-
@pulumi.getter(name="allowedOrganizationUnits")
|
228
|
-
def allowed_organization_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
229
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
230
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
231
|
-
|
232
|
-
return pulumi.get(self, "allowed_organization_units")
|
233
|
-
|
234
|
-
@allowed_organization_units.setter
|
235
|
-
def allowed_organization_units(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
236
|
-
pulumi.set(self, "allowed_organization_units", value)
|
237
|
-
|
238
205
|
@property
|
239
206
|
@pulumi.getter(name="allowedOrganizationalUnits")
|
240
207
|
def allowed_organizational_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
241
208
|
"""
|
242
209
|
Allowed organization units for authenticated client certificates.
|
243
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
244
210
|
"""
|
245
211
|
return pulumi.get(self, "allowed_organizational_units")
|
246
212
|
|
@@ -302,7 +268,7 @@ class CertAuthBackendRoleArgs:
|
|
302
268
|
"""
|
303
269
|
The namespace to provision the resource in.
|
304
270
|
The value should not contain leading or trailing forward slashes.
|
305
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
271
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
306
272
|
*Available only for Vault Enterprise*.
|
307
273
|
"""
|
308
274
|
return pulumi.get(self, "namespace")
|
@@ -400,9 +366,7 @@ class CertAuthBackendRoleArgs:
|
|
400
366
|
@pulumi.getter(name="tokenBoundCidrs")
|
401
367
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
402
368
|
"""
|
403
|
-
|
404
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
405
|
-
as well.
|
369
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
406
370
|
"""
|
407
371
|
return pulumi.get(self, "token_bound_cidrs")
|
408
372
|
|
@@ -414,10 +378,7 @@ class CertAuthBackendRoleArgs:
|
|
414
378
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
415
379
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
416
380
|
"""
|
417
|
-
|
418
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
419
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
420
|
-
`token_max_ttl` would otherwise allow a renewal.
|
381
|
+
Generated Token's Explicit Maximum TTL in seconds
|
421
382
|
"""
|
422
383
|
return pulumi.get(self, "token_explicit_max_ttl")
|
423
384
|
|
@@ -429,8 +390,7 @@ class CertAuthBackendRoleArgs:
|
|
429
390
|
@pulumi.getter(name="tokenMaxTtl")
|
430
391
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
431
392
|
"""
|
432
|
-
The maximum lifetime
|
433
|
-
Its current value will be referenced at renewal time.
|
393
|
+
The maximum lifetime of the generated token
|
434
394
|
"""
|
435
395
|
return pulumi.get(self, "token_max_ttl")
|
436
396
|
|
@@ -442,8 +402,7 @@ class CertAuthBackendRoleArgs:
|
|
442
402
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
443
403
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
444
404
|
"""
|
445
|
-
If
|
446
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
405
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
447
406
|
"""
|
448
407
|
return pulumi.get(self, "token_no_default_policy")
|
449
408
|
|
@@ -455,8 +414,7 @@ class CertAuthBackendRoleArgs:
|
|
455
414
|
@pulumi.getter(name="tokenNumUses")
|
456
415
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
457
416
|
"""
|
458
|
-
The
|
459
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
417
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
460
418
|
"""
|
461
419
|
return pulumi.get(self, "token_num_uses")
|
462
420
|
|
@@ -468,10 +426,7 @@ class CertAuthBackendRoleArgs:
|
|
468
426
|
@pulumi.getter(name="tokenPeriod")
|
469
427
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
470
428
|
"""
|
471
|
-
|
472
|
-
token generated using this role should never expire. The token should be renewed within the
|
473
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
474
|
-
value of this field. Specified in seconds.
|
429
|
+
Generated Token's Period
|
475
430
|
"""
|
476
431
|
return pulumi.get(self, "token_period")
|
477
432
|
|
@@ -483,8 +438,7 @@ class CertAuthBackendRoleArgs:
|
|
483
438
|
@pulumi.getter(name="tokenPolicies")
|
484
439
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
485
440
|
"""
|
486
|
-
|
487
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
441
|
+
Generated Token's Policies
|
488
442
|
"""
|
489
443
|
return pulumi.get(self, "token_policies")
|
490
444
|
|
@@ -496,8 +450,7 @@ class CertAuthBackendRoleArgs:
|
|
496
450
|
@pulumi.getter(name="tokenTtl")
|
497
451
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
498
452
|
"""
|
499
|
-
The
|
500
|
-
Its current value will be referenced at renewal time.
|
453
|
+
The initial ttl of the token to generate in seconds
|
501
454
|
"""
|
502
455
|
return pulumi.get(self, "token_ttl")
|
503
456
|
|
@@ -509,13 +462,7 @@ class CertAuthBackendRoleArgs:
|
|
509
462
|
@pulumi.getter(name="tokenType")
|
510
463
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
511
464
|
"""
|
512
|
-
The type of token
|
513
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
514
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
515
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
516
|
-
requests a different type at generation time.
|
517
|
-
|
518
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
465
|
+
The type of token to generate, service or batch
|
519
466
|
"""
|
520
467
|
return pulumi.get(self, "token_type")
|
521
468
|
|
@@ -531,7 +478,6 @@ class _CertAuthBackendRoleState:
|
|
531
478
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
532
479
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
533
480
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
534
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
535
481
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
536
482
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
537
483
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -561,7 +507,6 @@ class _CertAuthBackendRoleState:
|
|
561
507
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
562
508
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
563
509
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
564
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
565
510
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
566
511
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
567
512
|
:param pulumi.Input[str] certificate: CA certificate used to validate client certificates
|
@@ -569,7 +514,7 @@ class _CertAuthBackendRoleState:
|
|
569
514
|
:param pulumi.Input[str] name: Name of the role
|
570
515
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
571
516
|
The value should not contain leading or trailing forward slashes.
|
572
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
517
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
573
518
|
*Available only for Vault Enterprise*.
|
574
519
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
575
520
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -590,34 +535,15 @@ class _CertAuthBackendRoleState:
|
|
590
535
|
Requires Vault version 1.13+.
|
591
536
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
592
537
|
client certificates
|
593
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
594
|
-
|
595
|
-
|
596
|
-
:param pulumi.Input[
|
597
|
-
|
598
|
-
|
599
|
-
|
600
|
-
:param pulumi.Input[int]
|
601
|
-
|
602
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
603
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
604
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
605
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
606
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
607
|
-
token generated using this role should never expire. The token should be renewed within the
|
608
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
609
|
-
value of this field. Specified in seconds.
|
610
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
611
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
612
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
613
|
-
Its current value will be referenced at renewal time.
|
614
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
615
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
616
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
617
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
618
|
-
requests a different type at generation time.
|
619
|
-
|
620
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
538
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
539
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
540
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
541
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
542
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
543
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
544
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
545
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
546
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
621
547
|
"""
|
622
548
|
if allowed_common_names is not None:
|
623
549
|
pulumi.set(__self__, "allowed_common_names", allowed_common_names)
|
@@ -627,11 +553,6 @@ class _CertAuthBackendRoleState:
|
|
627
553
|
pulumi.set(__self__, "allowed_email_sans", allowed_email_sans)
|
628
554
|
if allowed_names is not None:
|
629
555
|
pulumi.set(__self__, "allowed_names", allowed_names)
|
630
|
-
if allowed_organization_units is not None:
|
631
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
632
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
633
|
-
if allowed_organization_units is not None:
|
634
|
-
pulumi.set(__self__, "allowed_organization_units", allowed_organization_units)
|
635
556
|
if allowed_organizational_units is not None:
|
636
557
|
pulumi.set(__self__, "allowed_organizational_units", allowed_organizational_units)
|
637
558
|
if allowed_uri_sans is not None:
|
@@ -725,24 +646,11 @@ class _CertAuthBackendRoleState:
|
|
725
646
|
def allowed_names(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
726
647
|
pulumi.set(self, "allowed_names", value)
|
727
648
|
|
728
|
-
@property
|
729
|
-
@pulumi.getter(name="allowedOrganizationUnits")
|
730
|
-
def allowed_organization_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
731
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
732
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
733
|
-
|
734
|
-
return pulumi.get(self, "allowed_organization_units")
|
735
|
-
|
736
|
-
@allowed_organization_units.setter
|
737
|
-
def allowed_organization_units(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
738
|
-
pulumi.set(self, "allowed_organization_units", value)
|
739
|
-
|
740
649
|
@property
|
741
650
|
@pulumi.getter(name="allowedOrganizationalUnits")
|
742
651
|
def allowed_organizational_units(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
743
652
|
"""
|
744
653
|
Allowed organization units for authenticated client certificates.
|
745
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
746
654
|
"""
|
747
655
|
return pulumi.get(self, "allowed_organizational_units")
|
748
656
|
|
@@ -816,7 +724,7 @@ class _CertAuthBackendRoleState:
|
|
816
724
|
"""
|
817
725
|
The namespace to provision the resource in.
|
818
726
|
The value should not contain leading or trailing forward slashes.
|
819
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
727
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
820
728
|
*Available only for Vault Enterprise*.
|
821
729
|
"""
|
822
730
|
return pulumi.get(self, "namespace")
|
@@ -914,9 +822,7 @@ class _CertAuthBackendRoleState:
|
|
914
822
|
@pulumi.getter(name="tokenBoundCidrs")
|
915
823
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
916
824
|
"""
|
917
|
-
|
918
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
919
|
-
as well.
|
825
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
920
826
|
"""
|
921
827
|
return pulumi.get(self, "token_bound_cidrs")
|
922
828
|
|
@@ -928,10 +834,7 @@ class _CertAuthBackendRoleState:
|
|
928
834
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
929
835
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
930
836
|
"""
|
931
|
-
|
932
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
933
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
934
|
-
`token_max_ttl` would otherwise allow a renewal.
|
837
|
+
Generated Token's Explicit Maximum TTL in seconds
|
935
838
|
"""
|
936
839
|
return pulumi.get(self, "token_explicit_max_ttl")
|
937
840
|
|
@@ -943,8 +846,7 @@ class _CertAuthBackendRoleState:
|
|
943
846
|
@pulumi.getter(name="tokenMaxTtl")
|
944
847
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
945
848
|
"""
|
946
|
-
The maximum lifetime
|
947
|
-
Its current value will be referenced at renewal time.
|
849
|
+
The maximum lifetime of the generated token
|
948
850
|
"""
|
949
851
|
return pulumi.get(self, "token_max_ttl")
|
950
852
|
|
@@ -956,8 +858,7 @@ class _CertAuthBackendRoleState:
|
|
956
858
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
957
859
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
958
860
|
"""
|
959
|
-
If
|
960
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
861
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
961
862
|
"""
|
962
863
|
return pulumi.get(self, "token_no_default_policy")
|
963
864
|
|
@@ -969,8 +870,7 @@ class _CertAuthBackendRoleState:
|
|
969
870
|
@pulumi.getter(name="tokenNumUses")
|
970
871
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
971
872
|
"""
|
972
|
-
The
|
973
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
873
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
974
874
|
"""
|
975
875
|
return pulumi.get(self, "token_num_uses")
|
976
876
|
|
@@ -982,10 +882,7 @@ class _CertAuthBackendRoleState:
|
|
982
882
|
@pulumi.getter(name="tokenPeriod")
|
983
883
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
984
884
|
"""
|
985
|
-
|
986
|
-
token generated using this role should never expire. The token should be renewed within the
|
987
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
988
|
-
value of this field. Specified in seconds.
|
885
|
+
Generated Token's Period
|
989
886
|
"""
|
990
887
|
return pulumi.get(self, "token_period")
|
991
888
|
|
@@ -997,8 +894,7 @@ class _CertAuthBackendRoleState:
|
|
997
894
|
@pulumi.getter(name="tokenPolicies")
|
998
895
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
999
896
|
"""
|
1000
|
-
|
1001
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
897
|
+
Generated Token's Policies
|
1002
898
|
"""
|
1003
899
|
return pulumi.get(self, "token_policies")
|
1004
900
|
|
@@ -1010,8 +906,7 @@ class _CertAuthBackendRoleState:
|
|
1010
906
|
@pulumi.getter(name="tokenTtl")
|
1011
907
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
1012
908
|
"""
|
1013
|
-
The
|
1014
|
-
Its current value will be referenced at renewal time.
|
909
|
+
The initial ttl of the token to generate in seconds
|
1015
910
|
"""
|
1016
911
|
return pulumi.get(self, "token_ttl")
|
1017
912
|
|
@@ -1023,13 +918,7 @@ class _CertAuthBackendRoleState:
|
|
1023
918
|
@pulumi.getter(name="tokenType")
|
1024
919
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
1025
920
|
"""
|
1026
|
-
The type of token
|
1027
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1028
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1029
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1030
|
-
requests a different type at generation time.
|
1031
|
-
|
1032
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
921
|
+
The type of token to generate, service or batch
|
1033
922
|
"""
|
1034
923
|
return pulumi.get(self, "token_type")
|
1035
924
|
|
@@ -1047,7 +936,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1047
936
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1048
937
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1049
938
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1050
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1051
939
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1052
940
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1053
941
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -1076,17 +964,18 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1076
964
|
|
1077
965
|
## Example Usage
|
1078
966
|
|
1079
|
-
<!--Start PulumiCodeChooser -->
|
1080
967
|
```python
|
1081
968
|
import pulumi
|
969
|
+
import pulumi_std as std
|
1082
970
|
import pulumi_vault as vault
|
1083
971
|
|
1084
|
-
|
972
|
+
cert = vault.AuthBackend("cert",
|
1085
973
|
path="cert",
|
1086
974
|
type="cert")
|
1087
|
-
cert_cert_auth_backend_role = vault.CertAuthBackendRole("
|
1088
|
-
|
1089
|
-
|
975
|
+
cert_cert_auth_backend_role = vault.CertAuthBackendRole("cert",
|
976
|
+
name="foo",
|
977
|
+
certificate=std.file(input="/path/to/certs/ca-cert.pem").result,
|
978
|
+
backend=cert.path,
|
1090
979
|
allowed_names=[
|
1091
980
|
"foo.example.org",
|
1092
981
|
"baz.example.org",
|
@@ -1095,7 +984,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1095
984
|
token_max_ttl=600,
|
1096
985
|
token_policies=["foo"])
|
1097
986
|
```
|
1098
|
-
<!--End PulumiCodeChooser -->
|
1099
987
|
|
1100
988
|
:param str resource_name: The name of the resource.
|
1101
989
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
@@ -1104,7 +992,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1104
992
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
1105
993
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
1106
994
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
1107
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
1108
995
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
1109
996
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
1110
997
|
:param pulumi.Input[str] certificate: CA certificate used to validate client certificates
|
@@ -1112,7 +999,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1112
999
|
:param pulumi.Input[str] name: Name of the role
|
1113
1000
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1114
1001
|
The value should not contain leading or trailing forward slashes.
|
1115
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1002
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1116
1003
|
*Available only for Vault Enterprise*.
|
1117
1004
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
1118
1005
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -1133,34 +1020,15 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1133
1020
|
Requires Vault version 1.13+.
|
1134
1021
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
1135
1022
|
client certificates
|
1136
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1137
|
-
|
1138
|
-
|
1139
|
-
:param pulumi.Input[
|
1140
|
-
|
1141
|
-
|
1142
|
-
|
1143
|
-
:param pulumi.Input[int]
|
1144
|
-
|
1145
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1146
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1147
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
1148
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1149
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1150
|
-
token generated using this role should never expire. The token should be renewed within the
|
1151
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1152
|
-
value of this field. Specified in seconds.
|
1153
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1154
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1155
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1156
|
-
Its current value will be referenced at renewal time.
|
1157
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1158
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1159
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1160
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1161
|
-
requests a different type at generation time.
|
1162
|
-
|
1163
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
1023
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1024
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1025
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1026
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1027
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1028
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1029
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1030
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1031
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1164
1032
|
"""
|
1165
1033
|
...
|
1166
1034
|
@overload
|
@@ -1173,17 +1041,18 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1173
1041
|
|
1174
1042
|
## Example Usage
|
1175
1043
|
|
1176
|
-
<!--Start PulumiCodeChooser -->
|
1177
1044
|
```python
|
1178
1045
|
import pulumi
|
1046
|
+
import pulumi_std as std
|
1179
1047
|
import pulumi_vault as vault
|
1180
1048
|
|
1181
|
-
|
1049
|
+
cert = vault.AuthBackend("cert",
|
1182
1050
|
path="cert",
|
1183
1051
|
type="cert")
|
1184
|
-
cert_cert_auth_backend_role = vault.CertAuthBackendRole("
|
1185
|
-
|
1186
|
-
|
1052
|
+
cert_cert_auth_backend_role = vault.CertAuthBackendRole("cert",
|
1053
|
+
name="foo",
|
1054
|
+
certificate=std.file(input="/path/to/certs/ca-cert.pem").result,
|
1055
|
+
backend=cert.path,
|
1187
1056
|
allowed_names=[
|
1188
1057
|
"foo.example.org",
|
1189
1058
|
"baz.example.org",
|
@@ -1192,7 +1061,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1192
1061
|
token_max_ttl=600,
|
1193
1062
|
token_policies=["foo"])
|
1194
1063
|
```
|
1195
|
-
<!--End PulumiCodeChooser -->
|
1196
1064
|
|
1197
1065
|
:param str resource_name: The name of the resource.
|
1198
1066
|
:param CertAuthBackendRoleArgs args: The arguments to use to populate this resource's properties.
|
@@ -1213,7 +1081,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1213
1081
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1214
1082
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1215
1083
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1216
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1217
1084
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1218
1085
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1219
1086
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -1249,7 +1116,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1249
1116
|
__props__.__dict__["allowed_dns_sans"] = allowed_dns_sans
|
1250
1117
|
__props__.__dict__["allowed_email_sans"] = allowed_email_sans
|
1251
1118
|
__props__.__dict__["allowed_names"] = allowed_names
|
1252
|
-
__props__.__dict__["allowed_organization_units"] = allowed_organization_units
|
1253
1119
|
__props__.__dict__["allowed_organizational_units"] = allowed_organizational_units
|
1254
1120
|
__props__.__dict__["allowed_uri_sans"] = allowed_uri_sans
|
1255
1121
|
__props__.__dict__["backend"] = backend
|
@@ -1288,7 +1154,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1288
1154
|
allowed_dns_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1289
1155
|
allowed_email_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1290
1156
|
allowed_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1291
|
-
allowed_organization_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1292
1157
|
allowed_organizational_units: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1293
1158
|
allowed_uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1294
1159
|
backend: Optional[pulumi.Input[str]] = None,
|
@@ -1323,7 +1188,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1323
1188
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_email_sans: Allowed emails for authenticated client certificates
|
1324
1189
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_names: DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates
|
1325
1190
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_organizational_units: Allowed organization units for authenticated client certificates.
|
1326
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
1327
1191
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_uri_sans: Allowed URIs for authenticated client certificates
|
1328
1192
|
:param pulumi.Input[str] backend: Path to the mounted Cert auth backend
|
1329
1193
|
:param pulumi.Input[str] certificate: CA certificate used to validate client certificates
|
@@ -1331,7 +1195,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1331
1195
|
:param pulumi.Input[str] name: Name of the role
|
1332
1196
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1333
1197
|
The value should not contain leading or trailing forward slashes.
|
1334
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1198
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1335
1199
|
*Available only for Vault Enterprise*.
|
1336
1200
|
:param pulumi.Input[str] ocsp_ca_certificates: Any additional CA certificates
|
1337
1201
|
needed to verify OCSP responses. Provided as base64 encoded PEM data.
|
@@ -1352,34 +1216,15 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1352
1216
|
Requires Vault version 1.13+.
|
1353
1217
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] required_extensions: TLS extensions required on
|
1354
1218
|
client certificates
|
1355
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1356
|
-
|
1357
|
-
|
1358
|
-
:param pulumi.Input[
|
1359
|
-
|
1360
|
-
|
1361
|
-
|
1362
|
-
:param pulumi.Input[int]
|
1363
|
-
|
1364
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1365
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1366
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/auth/cert#token_num_uses)
|
1367
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1368
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1369
|
-
token generated using this role should never expire. The token should be renewed within the
|
1370
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1371
|
-
value of this field. Specified in seconds.
|
1372
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1373
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1374
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1375
|
-
Its current value will be referenced at renewal time.
|
1376
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1377
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1378
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1379
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1380
|
-
requests a different type at generation time.
|
1381
|
-
|
1382
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
1219
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1220
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1221
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1222
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1223
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1224
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1225
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1226
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1227
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1383
1228
|
"""
|
1384
1229
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
1385
1230
|
|
@@ -1389,7 +1234,6 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1389
1234
|
__props__.__dict__["allowed_dns_sans"] = allowed_dns_sans
|
1390
1235
|
__props__.__dict__["allowed_email_sans"] = allowed_email_sans
|
1391
1236
|
__props__.__dict__["allowed_names"] = allowed_names
|
1392
|
-
__props__.__dict__["allowed_organization_units"] = allowed_organization_units
|
1393
1237
|
__props__.__dict__["allowed_organizational_units"] = allowed_organizational_units
|
1394
1238
|
__props__.__dict__["allowed_uri_sans"] = allowed_uri_sans
|
1395
1239
|
__props__.__dict__["backend"] = backend
|
@@ -1446,20 +1290,11 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1446
1290
|
"""
|
1447
1291
|
return pulumi.get(self, "allowed_names")
|
1448
1292
|
|
1449
|
-
@property
|
1450
|
-
@pulumi.getter(name="allowedOrganizationUnits")
|
1451
|
-
def allowed_organization_units(self) -> pulumi.Output[Sequence[str]]:
|
1452
|
-
warnings.warn("""Use allowed_organizational_units""", DeprecationWarning)
|
1453
|
-
pulumi.log.warn("""allowed_organization_units is deprecated: Use allowed_organizational_units""")
|
1454
|
-
|
1455
|
-
return pulumi.get(self, "allowed_organization_units")
|
1456
|
-
|
1457
1293
|
@property
|
1458
1294
|
@pulumi.getter(name="allowedOrganizationalUnits")
|
1459
1295
|
def allowed_organizational_units(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1460
1296
|
"""
|
1461
1297
|
Allowed organization units for authenticated client certificates.
|
1462
|
-
*In previous provider releases this field was incorrectly named `allowed_organization_units`, please update accordingly*
|
1463
1298
|
"""
|
1464
1299
|
return pulumi.get(self, "allowed_organizational_units")
|
1465
1300
|
|
@@ -1509,7 +1344,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1509
1344
|
"""
|
1510
1345
|
The namespace to provision the resource in.
|
1511
1346
|
The value should not contain leading or trailing forward slashes.
|
1512
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1347
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1513
1348
|
*Available only for Vault Enterprise*.
|
1514
1349
|
"""
|
1515
1350
|
return pulumi.get(self, "namespace")
|
@@ -1579,9 +1414,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1579
1414
|
@pulumi.getter(name="tokenBoundCidrs")
|
1580
1415
|
def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1581
1416
|
"""
|
1582
|
-
|
1583
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
1584
|
-
as well.
|
1417
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
1585
1418
|
"""
|
1586
1419
|
return pulumi.get(self, "token_bound_cidrs")
|
1587
1420
|
|
@@ -1589,10 +1422,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1589
1422
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
1590
1423
|
def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1591
1424
|
"""
|
1592
|
-
|
1593
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
1594
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
1595
|
-
`token_max_ttl` would otherwise allow a renewal.
|
1425
|
+
Generated Token's Explicit Maximum TTL in seconds
|
1596
1426
|
"""
|
1597
1427
|
return pulumi.get(self, "token_explicit_max_ttl")
|
1598
1428
|
|
@@ -1600,8 +1430,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1600
1430
|
@pulumi.getter(name="tokenMaxTtl")
|
1601
1431
|
def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1602
1432
|
"""
|
1603
|
-
The maximum lifetime
|
1604
|
-
Its current value will be referenced at renewal time.
|
1433
|
+
The maximum lifetime of the generated token
|
1605
1434
|
"""
|
1606
1435
|
return pulumi.get(self, "token_max_ttl")
|
1607
1436
|
|
@@ -1609,8 +1438,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1609
1438
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
1610
1439
|
def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
|
1611
1440
|
"""
|
1612
|
-
If
|
1613
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1441
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
1614
1442
|
"""
|
1615
1443
|
return pulumi.get(self, "token_no_default_policy")
|
1616
1444
|
|
@@ -1618,8 +1446,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1618
1446
|
@pulumi.getter(name="tokenNumUses")
|
1619
1447
|
def token_num_uses(self) -> pulumi.Output[Optional[int]]:
|
1620
1448
|
"""
|
1621
|
-
The
|
1622
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1449
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
1623
1450
|
"""
|
1624
1451
|
return pulumi.get(self, "token_num_uses")
|
1625
1452
|
|
@@ -1627,10 +1454,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1627
1454
|
@pulumi.getter(name="tokenPeriod")
|
1628
1455
|
def token_period(self) -> pulumi.Output[Optional[int]]:
|
1629
1456
|
"""
|
1630
|
-
|
1631
|
-
token generated using this role should never expire. The token should be renewed within the
|
1632
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1633
|
-
value of this field. Specified in seconds.
|
1457
|
+
Generated Token's Period
|
1634
1458
|
"""
|
1635
1459
|
return pulumi.get(self, "token_period")
|
1636
1460
|
|
@@ -1638,8 +1462,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1638
1462
|
@pulumi.getter(name="tokenPolicies")
|
1639
1463
|
def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1640
1464
|
"""
|
1641
|
-
|
1642
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1465
|
+
Generated Token's Policies
|
1643
1466
|
"""
|
1644
1467
|
return pulumi.get(self, "token_policies")
|
1645
1468
|
|
@@ -1647,8 +1470,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1647
1470
|
@pulumi.getter(name="tokenTtl")
|
1648
1471
|
def token_ttl(self) -> pulumi.Output[Optional[int]]:
|
1649
1472
|
"""
|
1650
|
-
The
|
1651
|
-
Its current value will be referenced at renewal time.
|
1473
|
+
The initial ttl of the token to generate in seconds
|
1652
1474
|
"""
|
1653
1475
|
return pulumi.get(self, "token_ttl")
|
1654
1476
|
|
@@ -1656,13 +1478,7 @@ class CertAuthBackendRole(pulumi.CustomResource):
|
|
1656
1478
|
@pulumi.getter(name="tokenType")
|
1657
1479
|
def token_type(self) -> pulumi.Output[Optional[str]]:
|
1658
1480
|
"""
|
1659
|
-
The type of token
|
1660
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1661
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1662
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1663
|
-
requests a different type at generation time.
|
1664
|
-
|
1665
|
-
For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert).
|
1481
|
+
The type of token to generate, service or batch
|
1666
1482
|
"""
|
1667
1483
|
return pulumi.get(self, "token_type")
|
1668
1484
|
|