pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl

pulumi_vault/database/secret_backend_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
@@ -17,7 +22,7 @@ class SecretBackendRoleArgs:
                  backend: pulumi.Input[str],
                  creation_statements: pulumi.Input[Sequence[pulumi.Input[str]]],
                  db_name: pulumi.Input[str],
-                 credential_config: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  credential_type: Optional[pulumi.Input[str]] = None,
                  default_ttl: Optional[pulumi.Input[int]] = None,
                  max_ttl: Optional[pulumi.Input[int]] = None,
@@ -33,7 +38,7 @@ class SecretBackendRoleArgs:
                creating a user.
         :param pulumi.Input[str] db_name: The unique name of the database connection to use for
                the role.
-        :param pulumi.Input[Mapping[str, Any]] credential_config: Specifies the configuration
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
                for the given `credential_type`.
                
                The following options are available for each `credential_type` value:
@@ -118,7 +123,7 @@ class SecretBackendRoleArgs:
 
     @property
     @pulumi.getter(name="credentialConfig")
-    def credential_config(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def credential_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies the configuration
         for the given `credential_type`.
@@ -128,7 +133,7 @@ class SecretBackendRoleArgs:
         return pulumi.get(self, "credential_config")
 
     @credential_config.setter
-    def credential_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def credential_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "credential_config", value)
 
     @property
@@ -243,7 +248,7 @@ class _SecretBackendRoleState:
     def __init__(__self__, *,
                  backend: Optional[pulumi.Input[str]] = None,
                  creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 credential_config: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  credential_type: Optional[pulumi.Input[str]] = None,
                  db_name: Optional[pulumi.Input[str]] = None,
                  default_ttl: Optional[pulumi.Input[int]] = None,
@@ -258,7 +263,7 @@ class _SecretBackendRoleState:
         :param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] creation_statements: The database statements to execute when
                creating a user.
-        :param pulumi.Input[Mapping[str, Any]] credential_config: Specifies the configuration
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
                for the given `credential_type`.
                
                The following options are available for each `credential_type` value:
@@ -335,7 +340,7 @@ class _SecretBackendRoleState:
 
     @property
     @pulumi.getter(name="credentialConfig")
-    def credential_config(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def credential_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies the configuration
         for the given `credential_type`.
@@ -345,7 +350,7 @@ class _SecretBackendRoleState:
         return pulumi.get(self, "credential_config")
 
     @credential_config.setter
-    def credential_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def credential_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "credential_config", value)
 
     @property
@@ -475,7 +480,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 credential_config: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  credential_type: Optional[pulumi.Input[str]] = None,
                  db_name: Optional[pulumi.Input[str]] = None,
                  default_ttl: Optional[pulumi.Input[int]] = None,
@@ -489,7 +494,6 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -499,19 +503,20 @@ class SecretBackendRole(pulumi.CustomResource):
             type="database")
         postgres = vault.database.SecretBackendConnection("postgres",
             backend=db.path,
+            name="postgres",
             allowed_roles=[
                 "dev",
                 "prod",
             ],
-            postgresql=vault.database.SecretBackendConnectionPostgresqlArgs(
-                connection_url="postgres://username:password@host:port/database",
-            ))
+            postgresql={
+                "connection_url": "postgres://username:password@host:port/database",
+            })
         role = vault.database.SecretBackendRole("role",
             backend=db.path,
+            name="dev",
             db_name=postgres.name,
             creation_statements=["CREATE ROLE \\"{{name}}\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"])
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -526,7 +531,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] creation_statements: The database statements to execute when
                creating a user.
-        :param pulumi.Input[Mapping[str, Any]] credential_config: Specifies the configuration
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
                for the given `credential_type`.
                
                The following options are available for each `credential_type` value:
@@ -560,7 +565,6 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -570,19 +574,20 @@ class SecretBackendRole(pulumi.CustomResource):
             type="database")
         postgres = vault.database.SecretBackendConnection("postgres",
             backend=db.path,
+            name="postgres",
             allowed_roles=[
                 "dev",
                 "prod",
             ],
-            postgresql=vault.database.SecretBackendConnectionPostgresqlArgs(
-                connection_url="postgres://username:password@host:port/database",
-            ))
+            postgresql={
+                "connection_url": "postgres://username:password@host:port/database",
+            })
         role = vault.database.SecretBackendRole("role",
             backend=db.path,
+            name="dev",
             db_name=postgres.name,
             creation_statements=["CREATE ROLE \\"{{name}}\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"])
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -609,7 +614,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 credential_config: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  credential_type: Optional[pulumi.Input[str]] = None,
                  db_name: Optional[pulumi.Input[str]] = None,
                  default_ttl: Optional[pulumi.Input[int]] = None,
@@ -658,7 +663,7 @@ class SecretBackendRole(pulumi.CustomResource):
             opts: Optional[pulumi.ResourceOptions] = None,
             backend: Optional[pulumi.Input[str]] = None,
             creation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            credential_config: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            credential_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             credential_type: Optional[pulumi.Input[str]] = None,
             db_name: Optional[pulumi.Input[str]] = None,
             default_ttl: Optional[pulumi.Input[int]] = None,
@@ -678,7 +683,7 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] creation_statements: The database statements to execute when
                creating a user.
-        :param pulumi.Input[Mapping[str, Any]] credential_config: Specifies the configuration
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] credential_config: Specifies the configuration
                for the given `credential_type`.
                
                The following options are available for each `credential_type` value:
@@ -740,7 +745,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="credentialConfig")
-    def credential_config(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def credential_config(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies the configuration
         for the given `credential_type`.

pulumi_vault/database/secret_backend_static_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretBackendStaticRoleArgs', 'SecretBackendStaticRole']
@@ -22,7 +27,8 @@ class SecretBackendStaticRoleArgs:
                  rotation_period: Optional[pulumi.Input[int]] = None,
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 rotation_window: Optional[pulumi.Input[int]] = None):
+                 rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a SecretBackendStaticRole resource.
         :param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
@@ -43,6 +49,9 @@ class SecretBackendStaticRoleArgs:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         """
         pulumi.set(__self__, "backend", backend)
         pulumi.set(__self__, "db_name", db_name)
@@ -59,6 +68,8 @@ class SecretBackendStaticRoleArgs:
             pulumi.set(__self__, "rotation_statements", rotation_statements)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed_password is not None:
+            pulumi.set(__self__, "self_managed_password", self_managed_password)
 
     @property
     @pulumi.getter
@@ -177,6 +188,20 @@ class SecretBackendStaticRoleArgs:
     def rotation_window(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "rotation_window", value)
 
+    @property
+    @pulumi.getter(name="selfManagedPassword")
+    def self_managed_password(self) -> Optional[pulumi.Input[str]]:
+        """
+        The password corresponding to the username in the database.
+        Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+        select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        """
+        return pulumi.get(self, "self_managed_password")
+
+    @self_managed_password.setter
+    def self_managed_password(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "self_managed_password", value)
+
 
 @pulumi.input_type
 class _SecretBackendStaticRoleState:
@@ -189,6 +214,7 @@ class _SecretBackendStaticRoleState:
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None,
                  username: Optional[pulumi.Input[str]] = None):
         """
         Input properties used for looking up and filtering SecretBackendStaticRole resources.
@@ -209,6 +235,9 @@ class _SecretBackendStaticRoleState:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[str] username: The database username that this static role corresponds to.
         """
         if backend is not None:
@@ -227,6 +256,8 @@ class _SecretBackendStaticRoleState:
             pulumi.set(__self__, "rotation_statements", rotation_statements)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed_password is not None:
+            pulumi.set(__self__, "self_managed_password", self_managed_password)
         if username is not None:
             pulumi.set(__self__, "username", username)
 
@@ -335,6 +366,20 @@ class _SecretBackendStaticRoleState:
     def rotation_window(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "rotation_window", value)
 
+    @property
+    @pulumi.getter(name="selfManagedPassword")
+    def self_managed_password(self) -> Optional[pulumi.Input[str]]:
+        """
+        The password corresponding to the username in the database.
+        Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+        select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        """
+        return pulumi.get(self, "self_managed_password")
+
+    @self_managed_password.setter
+    def self_managed_password(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "self_managed_password", value)
+
     @property
     @pulumi.getter
     def username(self) -> Optional[pulumi.Input[str]]:
@@ -361,6 +406,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None,
                  username: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         """
@@ -370,7 +416,6 @@ class SecretBackendStaticRole(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -380,27 +425,29 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             type="database")
         postgres = vault.database.SecretBackendConnection("postgres",
             backend=db.path,
+            name="postgres",
             allowed_roles=["*"],
-            postgresql=vault.database.SecretBackendConnectionPostgresqlArgs(
-                connection_url="postgres://username:password@host:port/database",
-            ))
+            postgresql={
+                "connection_url": "postgres://username:password@host:port/database",
+            })
         # configure a static role with period-based rotations
-        period_role = vault.database.SecretBackendStaticRole("periodRole",
+        period_role = vault.database.SecretBackendStaticRole("period_role",
             backend=db.path,
+            name="my-period-role",
             db_name=postgres.name,
             username="example",
             rotation_period=3600,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         # configure a static role with schedule-based rotations
-        schedule_role = vault.database.SecretBackendStaticRole("scheduleRole",
+        schedule_role = vault.database.SecretBackendStaticRole("schedule_role",
             backend=db.path,
+            name="my-schedule-role",
             db_name=postgres.name,
             username="example",
             rotation_schedule="0 0 * * SAT",
             rotation_window=172800,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -429,6 +476,9 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[str] username: The database username that this static role corresponds to.
         """
         ...
@@ -444,7 +494,6 @@ class SecretBackendStaticRole(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -454,27 +503,29 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             type="database")
         postgres = vault.database.SecretBackendConnection("postgres",
             backend=db.path,
+            name="postgres",
             allowed_roles=["*"],
-            postgresql=vault.database.SecretBackendConnectionPostgresqlArgs(
-                connection_url="postgres://username:password@host:port/database",
-            ))
+            postgresql={
+                "connection_url": "postgres://username:password@host:port/database",
+            })
         # configure a static role with period-based rotations
-        period_role = vault.database.SecretBackendStaticRole("periodRole",
+        period_role = vault.database.SecretBackendStaticRole("period_role",
             backend=db.path,
+            name="my-period-role",
             db_name=postgres.name,
             username="example",
             rotation_period=3600,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         # configure a static role with schedule-based rotations
-        schedule_role = vault.database.SecretBackendStaticRole("scheduleRole",
+        schedule_role = vault.database.SecretBackendStaticRole("schedule_role",
             backend=db.path,
+            name="my-schedule-role",
             db_name=postgres.name,
             username="example",
             rotation_schedule="0 0 * * SAT",
             rotation_window=172800,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -507,6 +558,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None,
                  username: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
@@ -529,9 +581,12 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             __props__.__dict__["rotation_schedule"] = rotation_schedule
             __props__.__dict__["rotation_statements"] = rotation_statements
             __props__.__dict__["rotation_window"] = rotation_window
+            __props__.__dict__["self_managed_password"] = None if self_managed_password is None else pulumi.Output.secret(self_managed_password)
             if username is None and not opts.urn:
                 raise TypeError("Missing required property 'username'")
             __props__.__dict__["username"] = username
+        secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["selfManagedPassword"])
+        opts = pulumi.ResourceOptions.merge(opts, secret_opts)
         super(SecretBackendStaticRole, __self__).__init__(
             'vault:database/secretBackendStaticRole:SecretBackendStaticRole',
             resource_name,
@@ -550,6 +605,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             rotation_schedule: Optional[pulumi.Input[str]] = None,
             rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             rotation_window: Optional[pulumi.Input[int]] = None,
+            self_managed_password: Optional[pulumi.Input[str]] = None,
             username: Optional[pulumi.Input[str]] = None) -> 'SecretBackendStaticRole':
         """
         Get an existing SecretBackendStaticRole resource's state with the given name, id, and optional extra
@@ -575,6 +631,9 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[str] username: The database username that this static role corresponds to.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -589,6 +648,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         __props__.__dict__["rotation_schedule"] = rotation_schedule
         __props__.__dict__["rotation_statements"] = rotation_statements
         __props__.__dict__["rotation_window"] = rotation_window
+        __props__.__dict__["self_managed_password"] = self_managed_password
         __props__.__dict__["username"] = username
         return SecretBackendStaticRole(resource_name, opts=opts, __props__=__props__)
 
@@ -665,6 +725,16 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "rotation_window")
 
+    @property
+    @pulumi.getter(name="selfManagedPassword")
+    def self_managed_password(self) -> pulumi.Output[Optional[str]]:
+        """
+        The password corresponding to the username in the database.
+        Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+        select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        """
+        return pulumi.get(self, "self_managed_password")
+
     @property
     @pulumi.getter
     def username(self) -> pulumi.Output[str]: