pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl

pulumi_vault/ldap/secret_backend.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretBackendArgs', 'SecretBackend']
@@ -17,6 +22,7 @@ class SecretBackendArgs:
                  binddn: pulumi.Input[str],
                  bindpass: pulumi.Input[str],
                  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  certificate: Optional[pulumi.Input[str]] = None,
@@ -24,20 +30,25 @@ class SecretBackendArgs:
                  client_tls_key: Optional[pulumi.Input[str]] = None,
                  connection_timeout: Optional[pulumi.Input[int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
                  external_entropy_access: Optional[pulumi.Input[bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
                  insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 length: Optional[pulumi.Input[int]] = None,
+                 listing_visibility: Optional[pulumi.Input[str]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  password_policy: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
+                 plugin_version: Optional[pulumi.Input[str]] = None,
                  request_timeout: Optional[pulumi.Input[int]] = None,
                  schema: Optional[pulumi.Input[str]] = None,
                  seal_wrap: Optional[pulumi.Input[bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
                  starttls: Optional[pulumi.Input[bool]] = None,
                  upndomain: Optional[pulumi.Input[str]] = None,
                  url: Optional[pulumi.Input[str]] = None,
@@ -48,6 +59,7 @@ class SecretBackendArgs:
         :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
         :param pulumi.Input[str] bindpass: Password to use along with binddn when performing user search.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
         :param pulumi.Input[str] certificate: CA certificate to use when verifying LDAP server certificate, must be
@@ -57,28 +69,33 @@ class SecretBackendArgs:
         :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
         :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
         :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
         :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[int] length: **Deprecated** use `password_policy`. The desired length of passwords that Vault generates.
-               *Mutually exclusive with `password_policy` on vault-1.11+*
+        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
         :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
         :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
+        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
         :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
         :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
         :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+               Defaults to false. Requires Vault 1.16 or above.
         :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
         :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
         :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
@@ -90,6 +107,8 @@ class SecretBackendArgs:
         pulumi.set(__self__, "bindpass", bindpass)
         if allowed_managed_keys is not None:
             pulumi.set(__self__, "allowed_managed_keys", allowed_managed_keys)
+        if allowed_response_headers is not None:
+            pulumi.set(__self__, "allowed_response_headers", allowed_response_headers)
         if audit_non_hmac_request_keys is not None:
             pulumi.set(__self__, "audit_non_hmac_request_keys", audit_non_hmac_request_keys)
         if audit_non_hmac_response_keys is not None:
@@ -104,19 +123,20 @@ class SecretBackendArgs:
             pulumi.set(__self__, "connection_timeout", connection_timeout)
         if default_lease_ttl_seconds is not None:
             pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
+        if delegated_auth_accessors is not None:
+            pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
         if description is not None:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
         if external_entropy_access is not None:
             pulumi.set(__self__, "external_entropy_access", external_entropy_access)
+        if identity_token_key is not None:
+            pulumi.set(__self__, "identity_token_key", identity_token_key)
         if insecure_tls is not None:
             pulumi.set(__self__, "insecure_tls", insecure_tls)
-        if length is not None:
-            warnings.warn("""Length is deprecated and password_policy should be used with Vault >= 1.5.""", DeprecationWarning)
-            pulumi.log.warn("""length is deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.""")
-        if length is not None:
-            pulumi.set(__self__, "length", length)
+        if listing_visibility is not None:
+            pulumi.set(__self__, "listing_visibility", listing_visibility)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if max_lease_ttl_seconds is not None:
@@ -125,16 +145,22 @@ class SecretBackendArgs:
             pulumi.set(__self__, "namespace", namespace)
         if options is not None:
             pulumi.set(__self__, "options", options)
+        if passthrough_request_headers is not None:
+            pulumi.set(__self__, "passthrough_request_headers", passthrough_request_headers)
         if password_policy is not None:
             pulumi.set(__self__, "password_policy", password_policy)
         if path is not None:
             pulumi.set(__self__, "path", path)
+        if plugin_version is not None:
+            pulumi.set(__self__, "plugin_version", plugin_version)
         if request_timeout is not None:
             pulumi.set(__self__, "request_timeout", request_timeout)
         if schema is not None:
             pulumi.set(__self__, "schema", schema)
         if seal_wrap is not None:
             pulumi.set(__self__, "seal_wrap", seal_wrap)
+        if skip_static_role_import_rotation is not None:
+            pulumi.set(__self__, "skip_static_role_import_rotation", skip_static_role_import_rotation)
         if starttls is not None:
             pulumi.set(__self__, "starttls", starttls)
         if upndomain is not None:
@@ -182,6 +208,18 @@ class SecretBackendArgs:
     def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "allowed_managed_keys", value)
 
+    @property
+    @pulumi.getter(name="allowedResponseHeaders")
+    def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "allowed_response_headers")
+
+    @allowed_response_headers.setter
+    def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "allowed_response_headers", value)
+
     @property
     @pulumi.getter(name="auditNonHmacRequestKeys")
     def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -268,6 +306,18 @@ class SecretBackendArgs:
     def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "default_lease_ttl_seconds", value)
 
+    @property
+    @pulumi.getter(name="delegatedAuthAccessors")
+    def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "delegated_auth_accessors")
+
+    @delegated_auth_accessors.setter
+    def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "delegated_auth_accessors", value)
+
     @property
     @pulumi.getter
     def description(self) -> Optional[pulumi.Input[str]]:
@@ -304,6 +354,18 @@ class SecretBackendArgs:
     def external_entropy_access(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "external_entropy_access", value)
 
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        The key to use for signing plugin workload identity tokens
+        """
+        return pulumi.get(self, "identity_token_key")
+
+    @identity_token_key.setter
+    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_key", value)
+
     @property
     @pulumi.getter(name="insecureTls")
     def insecure_tls(self) -> Optional[pulumi.Input[bool]]:
@@ -318,20 +380,16 @@ class SecretBackendArgs:
         pulumi.set(self, "insecure_tls", value)
 
     @property
-    @pulumi.getter
-    def length(self) -> Optional[pulumi.Input[int]]:
+    @pulumi.getter(name="listingVisibility")
+    def listing_visibility(self) -> Optional[pulumi.Input[str]]:
         """
-        **Deprecated** use `password_policy`. The desired length of passwords that Vault generates.
-        *Mutually exclusive with `password_policy` on vault-1.11+*
+        Specifies whether to show this mount in the UI-specific listing endpoint
         """
-        warnings.warn("""Length is deprecated and password_policy should be used with Vault >= 1.5.""", DeprecationWarning)
-        pulumi.log.warn("""length is deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.""")
+        return pulumi.get(self, "listing_visibility")
 
-        return pulumi.get(self, "length")
-
-    @length.setter
-    def length(self, value: Optional[pulumi.Input[int]]):
-        pulumi.set(self, "length", value)
+    @listing_visibility.setter
+    def listing_visibility(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "listing_visibility", value)
 
     @property
     @pulumi.getter
@@ -364,7 +422,7 @@ class SecretBackendArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -375,16 +433,28 @@ class SecretBackendArgs:
 
     @property
     @pulumi.getter
-    def options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies mount type specific options that are passed to the backend
         """
         return pulumi.get(self, "options")
 
     @options.setter
-    def options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "options", value)
 
+    @property
+    @pulumi.getter(name="passthroughRequestHeaders")
+    def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "passthrough_request_headers")
+
+    @passthrough_request_headers.setter
+    def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "passthrough_request_headers", value)
+
     @property
     @pulumi.getter(name="passwordPolicy")
     def password_policy(self) -> Optional[pulumi.Input[str]]:
@@ -410,6 +480,18 @@ class SecretBackendArgs:
     def path(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "path", value)
 
+    @property
+    @pulumi.getter(name="pluginVersion")
+    def plugin_version(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
+        """
+        return pulumi.get(self, "plugin_version")
+
+    @plugin_version.setter
+    def plugin_version(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "plugin_version", value)
+
     @property
     @pulumi.getter(name="requestTimeout")
     def request_timeout(self) -> Optional[pulumi.Input[int]]:
@@ -447,6 +529,19 @@ class SecretBackendArgs:
     def seal_wrap(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "seal_wrap", value)
 
+    @property
+    @pulumi.getter(name="skipStaticRoleImportRotation")
+    def skip_static_role_import_rotation(self) -> Optional[pulumi.Input[bool]]:
+        """
+        If set to true, static roles will not be rotated during import.
+        Defaults to false. Requires Vault 1.16 or above.
+        """
+        return pulumi.get(self, "skip_static_role_import_rotation")
+
+    @skip_static_role_import_rotation.setter
+    def skip_static_role_import_rotation(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "skip_static_role_import_rotation", value)
+
     @property
     @pulumi.getter
     def starttls(self) -> Optional[pulumi.Input[bool]]:
@@ -514,6 +609,7 @@ class _SecretBackendState:
     def __init__(__self__, *,
                  accessor: Optional[pulumi.Input[str]] = None,
                  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  binddn: Optional[pulumi.Input[str]] = None,
@@ -523,20 +619,25 @@ class _SecretBackendState:
                  client_tls_key: Optional[pulumi.Input[str]] = None,
                  connection_timeout: Optional[pulumi.Input[int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
                  external_entropy_access: Optional[pulumi.Input[bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
                  insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 length: Optional[pulumi.Input[int]] = None,
+                 listing_visibility: Optional[pulumi.Input[str]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  password_policy: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
+                 plugin_version: Optional[pulumi.Input[str]] = None,
                  request_timeout: Optional[pulumi.Input[int]] = None,
                  schema: Optional[pulumi.Input[str]] = None,
                  seal_wrap: Optional[pulumi.Input[bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
                  starttls: Optional[pulumi.Input[bool]] = None,
                  upndomain: Optional[pulumi.Input[str]] = None,
                  url: Optional[pulumi.Input[str]] = None,
@@ -546,6 +647,7 @@ class _SecretBackendState:
         Input properties used for looking up and filtering SecretBackend resources.
         :param pulumi.Input[str] accessor: Accessor of the mount
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
         :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
@@ -557,28 +659,33 @@ class _SecretBackendState:
         :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
         :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
         :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
         :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[int] length: **Deprecated** use `password_policy`. The desired length of passwords that Vault generates.
-               *Mutually exclusive with `password_policy` on vault-1.11+*
+        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
         :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
         :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
+        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
         :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
         :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
         :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+               Defaults to false. Requires Vault 1.16 or above.
         :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
         :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
         :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
@@ -590,6 +697,8 @@ class _SecretBackendState:
             pulumi.set(__self__, "accessor", accessor)
         if allowed_managed_keys is not None:
             pulumi.set(__self__, "allowed_managed_keys", allowed_managed_keys)
+        if allowed_response_headers is not None:
+            pulumi.set(__self__, "allowed_response_headers", allowed_response_headers)
         if audit_non_hmac_request_keys is not None:
             pulumi.set(__self__, "audit_non_hmac_request_keys", audit_non_hmac_request_keys)
         if audit_non_hmac_response_keys is not None:
@@ -608,19 +717,20 @@ class _SecretBackendState:
             pulumi.set(__self__, "connection_timeout", connection_timeout)
         if default_lease_ttl_seconds is not None:
             pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
+        if delegated_auth_accessors is not None:
+            pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
         if description is not None:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
         if external_entropy_access is not None:
             pulumi.set(__self__, "external_entropy_access", external_entropy_access)
+        if identity_token_key is not None:
+            pulumi.set(__self__, "identity_token_key", identity_token_key)
         if insecure_tls is not None:
             pulumi.set(__self__, "insecure_tls", insecure_tls)
-        if length is not None:
-            warnings.warn("""Length is deprecated and password_policy should be used with Vault >= 1.5.""", DeprecationWarning)
-            pulumi.log.warn("""length is deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.""")
-        if length is not None:
-            pulumi.set(__self__, "length", length)
+        if listing_visibility is not None:
+            pulumi.set(__self__, "listing_visibility", listing_visibility)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if max_lease_ttl_seconds is not None:
@@ -629,16 +739,22 @@ class _SecretBackendState:
             pulumi.set(__self__, "namespace", namespace)
         if options is not None:
             pulumi.set(__self__, "options", options)
+        if passthrough_request_headers is not None:
+            pulumi.set(__self__, "passthrough_request_headers", passthrough_request_headers)
         if password_policy is not None:
             pulumi.set(__self__, "password_policy", password_policy)
         if path is not None:
             pulumi.set(__self__, "path", path)
+        if plugin_version is not None:
+            pulumi.set(__self__, "plugin_version", plugin_version)
         if request_timeout is not None:
             pulumi.set(__self__, "request_timeout", request_timeout)
         if schema is not None:
             pulumi.set(__self__, "schema", schema)
         if seal_wrap is not None:
             pulumi.set(__self__, "seal_wrap", seal_wrap)
+        if skip_static_role_import_rotation is not None:
+            pulumi.set(__self__, "skip_static_role_import_rotation", skip_static_role_import_rotation)
         if starttls is not None:
             pulumi.set(__self__, "starttls", starttls)
         if upndomain is not None:
@@ -674,6 +790,18 @@ class _SecretBackendState:
     def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "allowed_managed_keys", value)
 
+    @property
+    @pulumi.getter(name="allowedResponseHeaders")
+    def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "allowed_response_headers")
+
+    @allowed_response_headers.setter
+    def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "allowed_response_headers", value)
+
     @property
     @pulumi.getter(name="auditNonHmacRequestKeys")
     def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -784,6 +912,18 @@ class _SecretBackendState:
     def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "default_lease_ttl_seconds", value)
 
+    @property
+    @pulumi.getter(name="delegatedAuthAccessors")
+    def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "delegated_auth_accessors")
+
+    @delegated_auth_accessors.setter
+    def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "delegated_auth_accessors", value)
+
     @property
     @pulumi.getter
     def description(self) -> Optional[pulumi.Input[str]]:
@@ -820,6 +960,18 @@ class _SecretBackendState:
     def external_entropy_access(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "external_entropy_access", value)
 
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        The key to use for signing plugin workload identity tokens
+        """
+        return pulumi.get(self, "identity_token_key")
+
+    @identity_token_key.setter
+    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_key", value)
+
     @property
     @pulumi.getter(name="insecureTls")
     def insecure_tls(self) -> Optional[pulumi.Input[bool]]:
@@ -834,20 +986,16 @@ class _SecretBackendState:
         pulumi.set(self, "insecure_tls", value)
 
     @property
-    @pulumi.getter
-    def length(self) -> Optional[pulumi.Input[int]]:
+    @pulumi.getter(name="listingVisibility")
+    def listing_visibility(self) -> Optional[pulumi.Input[str]]:
         """
-        **Deprecated** use `password_policy`. The desired length of passwords that Vault generates.
-        *Mutually exclusive with `password_policy` on vault-1.11+*
+        Specifies whether to show this mount in the UI-specific listing endpoint
         """
-        warnings.warn("""Length is deprecated and password_policy should be used with Vault >= 1.5.""", DeprecationWarning)
-        pulumi.log.warn("""length is deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.""")
-
-        return pulumi.get(self, "length")
+        return pulumi.get(self, "listing_visibility")
 
-    @length.setter
-    def length(self, value: Optional[pulumi.Input[int]]):
-        pulumi.set(self, "length", value)
+    @listing_visibility.setter
+    def listing_visibility(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "listing_visibility", value)
 
     @property
     @pulumi.getter
@@ -880,7 +1028,7 @@ class _SecretBackendState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -891,16 +1039,28 @@ class _SecretBackendState:
 
     @property
     @pulumi.getter
-    def options(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         Specifies mount type specific options that are passed to the backend
         """
         return pulumi.get(self, "options")
 
     @options.setter
-    def options(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "options", value)
 
+    @property
+    @pulumi.getter(name="passthroughRequestHeaders")
+    def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "passthrough_request_headers")
+
+    @passthrough_request_headers.setter
+    def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "passthrough_request_headers", value)
+
     @property
     @pulumi.getter(name="passwordPolicy")
     def password_policy(self) -> Optional[pulumi.Input[str]]:
@@ -926,6 +1086,18 @@ class _SecretBackendState:
     def path(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "path", value)
 
+    @property
+    @pulumi.getter(name="pluginVersion")
+    def plugin_version(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
+        """
+        return pulumi.get(self, "plugin_version")
+
+    @plugin_version.setter
+    def plugin_version(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "plugin_version", value)
+
     @property
     @pulumi.getter(name="requestTimeout")
     def request_timeout(self) -> Optional[pulumi.Input[int]]:
@@ -963,6 +1135,19 @@ class _SecretBackendState:
     def seal_wrap(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "seal_wrap", value)
 
+    @property
+    @pulumi.getter(name="skipStaticRoleImportRotation")
+    def skip_static_role_import_rotation(self) -> Optional[pulumi.Input[bool]]:
+        """
+        If set to true, static roles will not be rotated during import.
+        Defaults to false. Requires Vault 1.16 or above.
+        """
+        return pulumi.get(self, "skip_static_role_import_rotation")
+
+    @skip_static_role_import_rotation.setter
+    def skip_static_role_import_rotation(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "skip_static_role_import_rotation", value)
+
     @property
     @pulumi.getter
     def starttls(self) -> Optional[pulumi.Input[bool]]:
@@ -1031,6 +1216,7 @@ class SecretBackend(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  binddn: Optional[pulumi.Input[str]] = None,
@@ -1040,20 +1226,25 @@ class SecretBackend(pulumi.CustomResource):
                  client_tls_key: Optional[pulumi.Input[str]] = None,
                  connection_timeout: Optional[pulumi.Input[int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
                  external_entropy_access: Optional[pulumi.Input[bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
                  insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 length: Optional[pulumi.Input[int]] = None,
+                 listing_visibility: Optional[pulumi.Input[str]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  password_policy: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
+                 plugin_version: Optional[pulumi.Input[str]] = None,
                  request_timeout: Optional[pulumi.Input[int]] = None,
                  schema: Optional[pulumi.Input[str]] = None,
                  seal_wrap: Optional[pulumi.Input[bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
                  starttls: Optional[pulumi.Input[bool]] = None,
                  upndomain: Optional[pulumi.Input[str]] = None,
                  url: Optional[pulumi.Input[str]] = None,
@@ -1063,20 +1254,18 @@ class SecretBackend(pulumi.CustomResource):
         """
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
 
         config = vault.ldap.SecretBackend("config",
+            path="my-custom-ldap",
             binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
             bindpass="SuperSecretPassw0rd",
-            insecure_tls=True,
-            path="my-custom-ldap",
             url="ldaps://localhost",
+            insecure_tls=True,
             userdn="CN=Users,DC=corp,DC=example,DC=net")
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1089,6 +1278,7 @@ class SecretBackend(pulumi.CustomResource):
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
         :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
@@ -1100,28 +1290,33 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
         :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
         :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
         :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[int] length: **Deprecated** use `password_policy`. The desired length of passwords that Vault generates.
-               *Mutually exclusive with `password_policy` on vault-1.11+*
+        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
         :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
         :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
+        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
         :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
         :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
         :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+               Defaults to false. Requires Vault 1.16 or above.
         :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
         :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
         :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
@@ -1138,20 +1333,18 @@ class SecretBackend(pulumi.CustomResource):
         """
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
 
         config = vault.ldap.SecretBackend("config",
+            path="my-custom-ldap",
             binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
             bindpass="SuperSecretPassw0rd",
-            insecure_tls=True,
-            path="my-custom-ldap",
             url="ldaps://localhost",
+            insecure_tls=True,
             userdn="CN=Users,DC=corp,DC=example,DC=net")
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1177,6 +1370,7 @@ class SecretBackend(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  binddn: Optional[pulumi.Input[str]] = None,
@@ -1186,20 +1380,25 @@ class SecretBackend(pulumi.CustomResource):
                  client_tls_key: Optional[pulumi.Input[str]] = None,
                  connection_timeout: Optional[pulumi.Input[int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
                  external_entropy_access: Optional[pulumi.Input[bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
                  insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 length: Optional[pulumi.Input[int]] = None,
+                 listing_visibility: Optional[pulumi.Input[str]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  password_policy: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
+                 plugin_version: Optional[pulumi.Input[str]] = None,
                  request_timeout: Optional[pulumi.Input[int]] = None,
                  schema: Optional[pulumi.Input[str]] = None,
                  seal_wrap: Optional[pulumi.Input[bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
                  starttls: Optional[pulumi.Input[bool]] = None,
                  upndomain: Optional[pulumi.Input[str]] = None,
                  url: Optional[pulumi.Input[str]] = None,
@@ -1215,6 +1414,7 @@ class SecretBackend(pulumi.CustomResource):
             __props__ = SecretBackendArgs.__new__(SecretBackendArgs)
 
             __props__.__dict__["allowed_managed_keys"] = allowed_managed_keys
+            __props__.__dict__["allowed_response_headers"] = allowed_response_headers
             __props__.__dict__["audit_non_hmac_request_keys"] = audit_non_hmac_request_keys
             __props__.__dict__["audit_non_hmac_response_keys"] = audit_non_hmac_response_keys
             if binddn is None and not opts.urn:
@@ -1228,20 +1428,25 @@ class SecretBackend(pulumi.CustomResource):
             __props__.__dict__["client_tls_key"] = None if client_tls_key is None else pulumi.Output.secret(client_tls_key)
             __props__.__dict__["connection_timeout"] = connection_timeout
             __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
+            __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
             __props__.__dict__["description"] = description
             __props__.__dict__["disable_remount"] = disable_remount
             __props__.__dict__["external_entropy_access"] = external_entropy_access
+            __props__.__dict__["identity_token_key"] = identity_token_key
             __props__.__dict__["insecure_tls"] = insecure_tls
-            __props__.__dict__["length"] = length
+            __props__.__dict__["listing_visibility"] = listing_visibility
             __props__.__dict__["local"] = local
             __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["options"] = options
+            __props__.__dict__["passthrough_request_headers"] = passthrough_request_headers
             __props__.__dict__["password_policy"] = password_policy
             __props__.__dict__["path"] = path
+            __props__.__dict__["plugin_version"] = plugin_version
             __props__.__dict__["request_timeout"] = request_timeout
             __props__.__dict__["schema"] = schema
             __props__.__dict__["seal_wrap"] = seal_wrap
+            __props__.__dict__["skip_static_role_import_rotation"] = skip_static_role_import_rotation
             __props__.__dict__["starttls"] = starttls
             __props__.__dict__["upndomain"] = upndomain
             __props__.__dict__["url"] = url
@@ -1262,6 +1467,7 @@ class SecretBackend(pulumi.CustomResource):
             opts: Optional[pulumi.ResourceOptions] = None,
             accessor: Optional[pulumi.Input[str]] = None,
             allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+            allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             binddn: Optional[pulumi.Input[str]] = None,
@@ -1271,20 +1477,25 @@ class SecretBackend(pulumi.CustomResource):
             client_tls_key: Optional[pulumi.Input[str]] = None,
             connection_timeout: Optional[pulumi.Input[int]] = None,
             default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
+            delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             description: Optional[pulumi.Input[str]] = None,
             disable_remount: Optional[pulumi.Input[bool]] = None,
             external_entropy_access: Optional[pulumi.Input[bool]] = None,
+            identity_token_key: Optional[pulumi.Input[str]] = None,
             insecure_tls: Optional[pulumi.Input[bool]] = None,
-            length: Optional[pulumi.Input[int]] = None,
+            listing_visibility: Optional[pulumi.Input[str]] = None,
             local: Optional[pulumi.Input[bool]] = None,
             max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
-            options: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
+            passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             password_policy: Optional[pulumi.Input[str]] = None,
             path: Optional[pulumi.Input[str]] = None,
+            plugin_version: Optional[pulumi.Input[str]] = None,
             request_timeout: Optional[pulumi.Input[int]] = None,
             schema: Optional[pulumi.Input[str]] = None,
             seal_wrap: Optional[pulumi.Input[bool]] = None,
+            skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
             starttls: Optional[pulumi.Input[bool]] = None,
             upndomain: Optional[pulumi.Input[str]] = None,
             url: Optional[pulumi.Input[str]] = None,
@@ -1299,6 +1510,7 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] accessor: Accessor of the mount
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
         :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
@@ -1310,28 +1522,33 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
         :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
         :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
         :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[int] length: **Deprecated** use `password_policy`. The desired length of passwords that Vault generates.
-               *Mutually exclusive with `password_policy` on vault-1.11+*
+        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
         :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
         :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, Any]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
         :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
+        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
         :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
         :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
         :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+               Defaults to false. Requires Vault 1.16 or above.
         :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
         :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
         :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
@@ -1345,6 +1562,7 @@ class SecretBackend(pulumi.CustomResource):
 
         __props__.__dict__["accessor"] = accessor
         __props__.__dict__["allowed_managed_keys"] = allowed_managed_keys
+        __props__.__dict__["allowed_response_headers"] = allowed_response_headers
         __props__.__dict__["audit_non_hmac_request_keys"] = audit_non_hmac_request_keys
         __props__.__dict__["audit_non_hmac_response_keys"] = audit_non_hmac_response_keys
         __props__.__dict__["binddn"] = binddn
@@ -1354,20 +1572,25 @@ class SecretBackend(pulumi.CustomResource):
         __props__.__dict__["client_tls_key"] = client_tls_key
         __props__.__dict__["connection_timeout"] = connection_timeout
         __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
+        __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
         __props__.__dict__["description"] = description
         __props__.__dict__["disable_remount"] = disable_remount
         __props__.__dict__["external_entropy_access"] = external_entropy_access
+        __props__.__dict__["identity_token_key"] = identity_token_key
         __props__.__dict__["insecure_tls"] = insecure_tls
-        __props__.__dict__["length"] = length
+        __props__.__dict__["listing_visibility"] = listing_visibility
         __props__.__dict__["local"] = local
         __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["options"] = options
+        __props__.__dict__["passthrough_request_headers"] = passthrough_request_headers
         __props__.__dict__["password_policy"] = password_policy
         __props__.__dict__["path"] = path
+        __props__.__dict__["plugin_version"] = plugin_version
         __props__.__dict__["request_timeout"] = request_timeout
         __props__.__dict__["schema"] = schema
         __props__.__dict__["seal_wrap"] = seal_wrap
+        __props__.__dict__["skip_static_role_import_rotation"] = skip_static_role_import_rotation
         __props__.__dict__["starttls"] = starttls
         __props__.__dict__["upndomain"] = upndomain
         __props__.__dict__["url"] = url
@@ -1391,6 +1614,14 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "allowed_managed_keys")
 
+    @property
+    @pulumi.getter(name="allowedResponseHeaders")
+    def allowed_response_headers(self) -> pulumi.Output[Optional[Sequence[str]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "allowed_response_headers")
+
     @property
     @pulumi.getter(name="auditNonHmacRequestKeys")
     def audit_non_hmac_request_keys(self) -> pulumi.Output[Sequence[str]]:
@@ -1465,6 +1696,14 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "default_lease_ttl_seconds")
 
+    @property
+    @pulumi.getter(name="delegatedAuthAccessors")
+    def delegated_auth_accessors(self) -> pulumi.Output[Optional[Sequence[str]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "delegated_auth_accessors")
+
     @property
     @pulumi.getter
     def description(self) -> pulumi.Output[Optional[str]]:
@@ -1489,6 +1728,14 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "external_entropy_access")
 
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> pulumi.Output[Optional[str]]:
+        """
+        The key to use for signing plugin workload identity tokens
+        """
+        return pulumi.get(self, "identity_token_key")
+
     @property
     @pulumi.getter(name="insecureTls")
     def insecure_tls(self) -> pulumi.Output[Optional[bool]]:
@@ -1499,16 +1746,12 @@ class SecretBackend(pulumi.CustomResource):
         return pulumi.get(self, "insecure_tls")
 
     @property
-    @pulumi.getter
-    def length(self) -> pulumi.Output[int]:
+    @pulumi.getter(name="listingVisibility")
+    def listing_visibility(self) -> pulumi.Output[Optional[str]]:
         """
-        **Deprecated** use `password_policy`. The desired length of passwords that Vault generates.
-        *Mutually exclusive with `password_policy` on vault-1.11+*
+        Specifies whether to show this mount in the UI-specific listing endpoint
         """
-        warnings.warn("""Length is deprecated and password_policy should be used with Vault >= 1.5.""", DeprecationWarning)
-        pulumi.log.warn("""length is deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.""")
-
-        return pulumi.get(self, "length")
+        return pulumi.get(self, "listing_visibility")
 
     @property
     @pulumi.getter
@@ -1533,19 +1776,27 @@ class SecretBackend(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
 
     @property
     @pulumi.getter
-    def options(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def options(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         Specifies mount type specific options that are passed to the backend
         """
         return pulumi.get(self, "options")
 
+    @property
+    @pulumi.getter(name="passthroughRequestHeaders")
+    def passthrough_request_headers(self) -> pulumi.Output[Optional[Sequence[str]]]:
+        """
+        List of headers to allow and pass from the request to the plugin
+        """
+        return pulumi.get(self, "passthrough_request_headers")
+
     @property
     @pulumi.getter(name="passwordPolicy")
     def password_policy(self) -> pulumi.Output[Optional[str]]:
@@ -1563,6 +1814,14 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "path")
 
+    @property
+    @pulumi.getter(name="pluginVersion")
+    def plugin_version(self) -> pulumi.Output[Optional[str]]:
+        """
+        Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
+        """
+        return pulumi.get(self, "plugin_version")
+
     @property
     @pulumi.getter(name="requestTimeout")
     def request_timeout(self) -> pulumi.Output[int]:
@@ -1588,6 +1847,15 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "seal_wrap")
 
+    @property
+    @pulumi.getter(name="skipStaticRoleImportRotation")
+    def skip_static_role_import_rotation(self) -> pulumi.Output[Optional[bool]]:
+        """
+        If set to true, static roles will not be rotated during import.
+        Defaults to false. Requires Vault 1.16 or above.
+        """
+        return pulumi.get(self, "skip_static_role_import_rotation")
+
     @property
     @pulumi.getter
     def starttls(self) -> pulumi.Output[bool]: