pulumi-vault 5.21.0a1711033014__py3-none-any.whl → 6.0.0__py3-none-any.whl

pulumi_vault/secrets/sync_aws_destination.py

@@ -16,9 +16,11 @@ class SyncAwsDestinationArgs:
     def __init__(__self__, *,
                  access_key_id: Optional[pulumi.Input[str]] = None,
                  custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None):
         """
@@ -27,13 +29,23 @@ class SyncAwsDestinationArgs:
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
         :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -44,12 +56,16 @@ class SyncAwsDestinationArgs:
             pulumi.set(__self__, "access_key_id", access_key_id)
         if custom_tags is not None:
             pulumi.set(__self__, "custom_tags", custom_tags)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
         if name is not None:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
         if region is not None:
             pulumi.set(__self__, "region", region)
+        if role_arn is not None:
+            pulumi.set(__self__, "role_arn", role_arn)
         if secret_access_key is not None:
             pulumi.set(__self__, "secret_access_key", secret_access_key)
         if secret_name_template is not None:
@@ -81,6 +97,22 @@ class SyncAwsDestinationArgs:
     def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
         pulumi.set(self, "custom_tags", value)
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "external_id", value)
+
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
@@ -99,7 +131,7 @@ class SyncAwsDestinationArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -121,6 +153,22 @@ class SyncAwsDestinationArgs:
     def region(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "region", value)
 
+    @property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role, 
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+
+    @role_arn.setter
+    def role_arn(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "role_arn", value)
+
     @property
     @pulumi.getter(name="secretAccessKey")
     def secret_access_key(self) -> Optional[pulumi.Input[str]]:
@@ -154,9 +202,11 @@ class _SyncAwsDestinationState:
     def __init__(__self__, *,
                  access_key_id: Optional[pulumi.Input[str]] = None,
                  custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None,
                  type: Optional[pulumi.Input[str]] = None):
@@ -166,13 +216,23 @@ class _SyncAwsDestinationState:
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
         :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -184,12 +244,16 @@ class _SyncAwsDestinationState:
             pulumi.set(__self__, "access_key_id", access_key_id)
         if custom_tags is not None:
             pulumi.set(__self__, "custom_tags", custom_tags)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
         if name is not None:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
         if region is not None:
             pulumi.set(__self__, "region", region)
+        if role_arn is not None:
+            pulumi.set(__self__, "role_arn", role_arn)
         if secret_access_key is not None:
             pulumi.set(__self__, "secret_access_key", secret_access_key)
         if secret_name_template is not None:
@@ -223,6 +287,22 @@ class _SyncAwsDestinationState:
     def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
         pulumi.set(self, "custom_tags", value)
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "external_id", value)
+
     @property
     @pulumi.getter
     def name(self) -> Optional[pulumi.Input[str]]:
@@ -241,7 +321,7 @@ class _SyncAwsDestinationState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -263,6 +343,22 @@ class _SyncAwsDestinationState:
     def region(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "region", value)
 
+    @property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role, 
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+
+    @role_arn.setter
+    def role_arn(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "role_arn", value)
+
     @property
     @pulumi.getter(name="secretAccessKey")
     def secret_access_key(self) -> Optional[pulumi.Input[str]]:
@@ -310,9 +406,11 @@ class SyncAwsDestination(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  access_key_id: Optional[pulumi.Input[str]] = None,
                  custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None,
                  __props__=None):
@@ -328,6 +426,8 @@ class SyncAwsDestination(pulumi.CustomResource):
             access_key_id=var["access_key_id"],
             secret_access_key=var["secret_access_key"],
             region="us-east-1",
+            role_arn="role-arn",
+            external_id="external-id",
             secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
             custom_tags={
                 "foo": "bar",
@@ -349,13 +449,23 @@ class SyncAwsDestination(pulumi.CustomResource):
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
         :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -380,6 +490,8 @@ class SyncAwsDestination(pulumi.CustomResource):
             access_key_id=var["access_key_id"],
             secret_access_key=var["secret_access_key"],
             region="us-east-1",
+            role_arn="role-arn",
+            external_id="external-id",
             secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
             custom_tags={
                 "foo": "bar",
@@ -412,9 +524,11 @@ class SyncAwsDestination(pulumi.CustomResource):
                  opts: Optional[pulumi.ResourceOptions] = None,
                  access_key_id: Optional[pulumi.Input[str]] = None,
                  custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  region: Optional[pulumi.Input[str]] = None,
+                 role_arn: Optional[pulumi.Input[str]] = None,
                  secret_access_key: Optional[pulumi.Input[str]] = None,
                  secret_name_template: Optional[pulumi.Input[str]] = None,
                  __props__=None):
@@ -428,9 +542,11 @@ class SyncAwsDestination(pulumi.CustomResource):
 
             __props__.__dict__["access_key_id"] = access_key_id
             __props__.__dict__["custom_tags"] = custom_tags
+            __props__.__dict__["external_id"] = external_id
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["region"] = region
+            __props__.__dict__["role_arn"] = role_arn
             __props__.__dict__["secret_access_key"] = None if secret_access_key is None else pulumi.Output.secret(secret_access_key)
             __props__.__dict__["secret_name_template"] = secret_name_template
             __props__.__dict__["type"] = None
@@ -448,9 +564,11 @@ class SyncAwsDestination(pulumi.CustomResource):
             opts: Optional[pulumi.ResourceOptions] = None,
             access_key_id: Optional[pulumi.Input[str]] = None,
             custom_tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            external_id: Optional[pulumi.Input[str]] = None,
             name: Optional[pulumi.Input[str]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
             region: Optional[pulumi.Input[str]] = None,
+            role_arn: Optional[pulumi.Input[str]] = None,
             secret_access_key: Optional[pulumi.Input[str]] = None,
             secret_name_template: Optional[pulumi.Input[str]] = None,
             type: Optional[pulumi.Input[str]] = None) -> 'SyncAwsDestination':
@@ -465,13 +583,23 @@ class SyncAwsDestination(pulumi.CustomResource):
                Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
                variable.
         :param pulumi.Input[Mapping[str, Any]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
         :param pulumi.Input[str] name: Unique name of the AWS destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] region: Region where to manage the secrets manager entries.
                Can be omitted and directly provided to Vault using the `AWS_REGION` environment
                variable.
+        :param pulumi.Input[str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role, 
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
         :param pulumi.Input[str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
                Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
                variable.
@@ -485,9 +613,11 @@ class SyncAwsDestination(pulumi.CustomResource):
 
         __props__.__dict__["access_key_id"] = access_key_id
         __props__.__dict__["custom_tags"] = custom_tags
+        __props__.__dict__["external_id"] = external_id
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["region"] = region
+        __props__.__dict__["role_arn"] = role_arn
         __props__.__dict__["secret_access_key"] = secret_access_key
         __props__.__dict__["secret_name_template"] = secret_name_template
         __props__.__dict__["type"] = type
@@ -511,6 +641,18 @@ class SyncAwsDestination(pulumi.CustomResource):
         """
         return pulumi.get(self, "custom_tags")
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> pulumi.Output[Optional[str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+
     @property
     @pulumi.getter
     def name(self) -> pulumi.Output[str]:
@@ -525,7 +667,7 @@ class SyncAwsDestination(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -539,6 +681,18 @@ class SyncAwsDestination(pulumi.CustomResource):
         """
         return pulumi.get(self, "region")
 
+    @property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> pulumi.Output[Optional[str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role, 
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+
     @property
     @pulumi.getter(name="secretAccessKey")
     def secret_access_key(self) -> pulumi.Output[Optional[str]]:

pulumi_vault/secrets/sync_azure_destination.py

@@ -39,7 +39,7 @@ class SyncAzureDestinationArgs:
         :param pulumi.Input[str] name: Unique name of the Azure destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] secret_name_template: Template describing how to generate external secret names.
                Supports a subset of the Go Template syntax.
         :param pulumi.Input[str] tenant_id: ID of the target Azure tenant.
@@ -149,7 +149,7 @@ class SyncAzureDestinationArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -214,7 +214,7 @@ class _SyncAzureDestinationState:
         :param pulumi.Input[str] name: Unique name of the Azure destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] secret_name_template: Template describing how to generate external secret names.
                Supports a subset of the Go Template syntax.
         :param pulumi.Input[str] tenant_id: ID of the target Azure tenant.
@@ -327,7 +327,7 @@ class _SyncAzureDestinationState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")
 
@@ -434,7 +434,7 @@ class SyncAzureDestination(pulumi.CustomResource):
         :param pulumi.Input[str] name: Unique name of the Azure destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] secret_name_template: Template describing how to generate external secret names.
                Supports a subset of the Go Template syntax.
         :param pulumi.Input[str] tenant_id: ID of the target Azure tenant.
@@ -561,7 +561,7 @@ class SyncAzureDestination(pulumi.CustomResource):
         :param pulumi.Input[str] name: Unique name of the Azure destination.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         :param pulumi.Input[str] secret_name_template: Template describing how to generate external secret names.
                Supports a subset of the Go Template syntax.
         :param pulumi.Input[str] tenant_id: ID of the target Azure tenant.
@@ -645,7 +645,7 @@ class SyncAzureDestination(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         """
         return pulumi.get(self, "namespace")