pulumi-vault 6.0.0__py3-none-any.whl → 6.1.0__py3-none-any.whl

pulumi_vault/__init__.py

@@ -12,6 +12,8 @@ from .cert_auth_backend_role import *
 from .egp_policy import *
 from .get_auth_backend import *
 from .get_auth_backends import *
+from .get_namespace import *
+from .get_namespaces import *
 from .get_nomad_access_token import *
 from .get_policy_document import *
 from .get_raft_autopilot_state import *

pulumi_vault/get_namespace.py

@@ -0,0 +1,225 @@
+# coding=utf-8
+# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import copy
+import warnings
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+from . import _utilities
+
+__all__ = [
+    'GetNamespaceResult',
+    'AwaitableGetNamespaceResult',
+    'get_namespace',
+    'get_namespace_output',
+]
+
+@pulumi.output_type
+class GetNamespaceResult:
+    """
+    A collection of values returned by getNamespace.
+    """
+    def __init__(__self__, custom_metadata=None, id=None, namespace=None, namespace_id=None, path=None, path_fq=None):
+        if custom_metadata and not isinstance(custom_metadata, dict):
+            raise TypeError("Expected argument 'custom_metadata' to be a dict")
+        pulumi.set(__self__, "custom_metadata", custom_metadata)
+        if id and not isinstance(id, str):
+            raise TypeError("Expected argument 'id' to be a str")
+        pulumi.set(__self__, "id", id)
+        if namespace and not isinstance(namespace, str):
+            raise TypeError("Expected argument 'namespace' to be a str")
+        pulumi.set(__self__, "namespace", namespace)
+        if namespace_id and not isinstance(namespace_id, str):
+            raise TypeError("Expected argument 'namespace_id' to be a str")
+        pulumi.set(__self__, "namespace_id", namespace_id)
+        if path and not isinstance(path, str):
+            raise TypeError("Expected argument 'path' to be a str")
+        pulumi.set(__self__, "path", path)
+        if path_fq and not isinstance(path_fq, str):
+            raise TypeError("Expected argument 'path_fq' to be a str")
+        pulumi.set(__self__, "path_fq", path_fq)
+
+    @property
+    @pulumi.getter(name="customMetadata")
+    def custom_metadata(self) -> Mapping[str, Any]:
+        """
+        (Optional) A map of strings containing arbitrary metadata for the namespace.
+        Only fetched if `path` is specified.
+        *Requires Vault 1.12+.*
+        """
+        return pulumi.get(self, "custom_metadata")
+
+    @property
+    @pulumi.getter
+    def id(self) -> str:
+        """
+        The provider-assigned unique ID for this managed resource.
+        """
+        return pulumi.get(self, "id")
+
+    @property
+    @pulumi.getter
+    def namespace(self) -> Optional[str]:
+        return pulumi.get(self, "namespace")
+
+    @property
+    @pulumi.getter(name="namespaceId")
+    def namespace_id(self) -> str:
+        """
+        Vault server's internal ID of the namespace.
+        Only fetched if `path` is specified.
+        """
+        return pulumi.get(self, "namespace_id")
+
+    @property
+    @pulumi.getter
+    def path(self) -> Optional[str]:
+        return pulumi.get(self, "path")
+
+    @property
+    @pulumi.getter(name="pathFq")
+    def path_fq(self) -> str:
+        """
+        The fully qualified path to the namespace. Useful when provisioning resources in a child `namespace`.
+        The path is relative to the provider's `namespace` argument.
+        """
+        return pulumi.get(self, "path_fq")
+
+
+class AwaitableGetNamespaceResult(GetNamespaceResult):
+    # pylint: disable=using-constant-test
+    def __await__(self):
+        if False:
+            yield self
+        return GetNamespaceResult(
+            custom_metadata=self.custom_metadata,
+            id=self.id,
+            namespace=self.namespace,
+            namespace_id=self.namespace_id,
+            path=self.path,
+            path_fq=self.path_fq)
+
+
+def get_namespace(namespace: Optional[str] = None,
+                  path: Optional[str] = None,
+                  opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetNamespaceResult:
+    """
+    ## Example Usage
+
+    ### Current namespace
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    current = vault.get_namespace()
+    ```
+    <!--End PulumiCodeChooser -->
+
+    ### Single namespace
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    ns1 = vault.get_namespace(path="ns1")
+    ```
+    <!--End PulumiCodeChooser -->
+
+    ### Nested namespace
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    child = vault.get_namespace(namespace="parent",
+        path="child")
+    full_path = child.id
+    # -> foo/parent/child/
+    path_fq = child.path_fq
+    ```
+    <!--End PulumiCodeChooser -->
+
+
+    :param str namespace: The namespace to provision the resource in.
+           The value should not contain leading or trailing forward slashes.
+           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+    :param str path: The path of the namespace. Must not have a trailing `/`.
+           If not specified or empty, path attributes are set for the current namespace
+           based on the `namespace` arguments of the provider and this data source.
+           Other path related attributes will be empty in this case.
+    """
+    __args__ = dict()
+    __args__['namespace'] = namespace
+    __args__['path'] = path
+    opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke('vault:index/getNamespace:getNamespace', __args__, opts=opts, typ=GetNamespaceResult).value
+
+    return AwaitableGetNamespaceResult(
+        custom_metadata=pulumi.get(__ret__, 'custom_metadata'),
+        id=pulumi.get(__ret__, 'id'),
+        namespace=pulumi.get(__ret__, 'namespace'),
+        namespace_id=pulumi.get(__ret__, 'namespace_id'),
+        path=pulumi.get(__ret__, 'path'),
+        path_fq=pulumi.get(__ret__, 'path_fq'))
+
+
+@_utilities.lift_output_func(get_namespace)
+def get_namespace_output(namespace: Optional[pulumi.Input[Optional[str]]] = None,
+                         path: Optional[pulumi.Input[Optional[str]]] = None,
+                         opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetNamespaceResult]:
+    """
+    ## Example Usage
+
+    ### Current namespace
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    current = vault.get_namespace()
+    ```
+    <!--End PulumiCodeChooser -->
+
+    ### Single namespace
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    ns1 = vault.get_namespace(path="ns1")
+    ```
+    <!--End PulumiCodeChooser -->
+
+    ### Nested namespace
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    child = vault.get_namespace(namespace="parent",
+        path="child")
+    full_path = child.id
+    # -> foo/parent/child/
+    path_fq = child.path_fq
+    ```
+    <!--End PulumiCodeChooser -->
+
+
+    :param str namespace: The namespace to provision the resource in.
+           The value should not contain leading or trailing forward slashes.
+           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+    :param str path: The path of the namespace. Must not have a trailing `/`.
+           If not specified or empty, path attributes are set for the current namespace
+           based on the `namespace` arguments of the provider and this data source.
+           Other path related attributes will be empty in this case.
+    """
+    ...

pulumi_vault/get_namespaces.py

@@ -0,0 +1,152 @@
+# coding=utf-8
+# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import copy
+import warnings
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+from . import _utilities
+
+__all__ = [
+    'GetNamespacesResult',
+    'AwaitableGetNamespacesResult',
+    'get_namespaces',
+    'get_namespaces_output',
+]
+
+@pulumi.output_type
+class GetNamespacesResult:
+    """
+    A collection of values returned by getNamespaces.
+    """
+    def __init__(__self__, id=None, namespace=None, paths=None):
+        if id and not isinstance(id, str):
+            raise TypeError("Expected argument 'id' to be a str")
+        pulumi.set(__self__, "id", id)
+        if namespace and not isinstance(namespace, str):
+            raise TypeError("Expected argument 'namespace' to be a str")
+        pulumi.set(__self__, "namespace", namespace)
+        if paths and not isinstance(paths, list):
+            raise TypeError("Expected argument 'paths' to be a list")
+        pulumi.set(__self__, "paths", paths)
+
+    @property
+    @pulumi.getter
+    def id(self) -> str:
+        """
+        The provider-assigned unique ID for this managed resource.
+        """
+        return pulumi.get(self, "id")
+
+    @property
+    @pulumi.getter
+    def namespace(self) -> Optional[str]:
+        return pulumi.get(self, "namespace")
+
+    @property
+    @pulumi.getter
+    def paths(self) -> Sequence[str]:
+        """
+        Set of the paths of direct child namespaces.
+        """
+        return pulumi.get(self, "paths")
+
+
+class AwaitableGetNamespacesResult(GetNamespacesResult):
+    # pylint: disable=using-constant-test
+    def __await__(self):
+        if False:
+            yield self
+        return GetNamespacesResult(
+            id=self.id,
+            namespace=self.namespace,
+            paths=self.paths)
+
+
+def get_namespaces(namespace: Optional[str] = None,
+                   opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetNamespacesResult:
+    """
+    ## Example Usage
+
+    ### Child namespaces
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    children = vault.get_namespaces()
+    ```
+    <!--End PulumiCodeChooser -->
+
+    ### Nested namespace
+
+    To fetch the details of nested namespaces:
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    children = vault.get_namespaces(namespace="parent")
+    child = [vault.get_namespace(namespace=children.namespace,
+        path=__key) for __key, __value in children.paths]
+    ```
+    <!--End PulumiCodeChooser -->
+
+
+    :param str namespace: The namespace to provision the resource in.
+           The value should not contain leading or trailing forward slashes.
+           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+    """
+    __args__ = dict()
+    __args__['namespace'] = namespace
+    opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke('vault:index/getNamespaces:getNamespaces', __args__, opts=opts, typ=GetNamespacesResult).value
+
+    return AwaitableGetNamespacesResult(
+        id=pulumi.get(__ret__, 'id'),
+        namespace=pulumi.get(__ret__, 'namespace'),
+        paths=pulumi.get(__ret__, 'paths'))
+
+
+@_utilities.lift_output_func(get_namespaces)
+def get_namespaces_output(namespace: Optional[pulumi.Input[Optional[str]]] = None,
+                          opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetNamespacesResult]:
+    """
+    ## Example Usage
+
+    ### Child namespaces
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    children = vault.get_namespaces()
+    ```
+    <!--End PulumiCodeChooser -->
+
+    ### Nested namespace
+
+    To fetch the details of nested namespaces:
+
+    <!--Start PulumiCodeChooser -->
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    children = vault.get_namespaces(namespace="parent")
+    child = [vault.get_namespace(namespace=children.namespace,
+        path=__key) for __key, __value in children.paths]
+    ```
+    <!--End PulumiCodeChooser -->
+
+
+    :param str namespace: The namespace to provision the resource in.
+           The value should not contain leading or trailing forward slashes.
+           The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+    """
+    ...

pulumi_vault/kubernetes/secret_backend_role.py

@@ -14,8 +14,9 @@ __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
 @pulumi.input_type
 class SecretBackendRoleArgs:
     def __init__(__self__, *,
-                 allowed_kubernetes_namespaces: pulumi.Input[Sequence[pulumi.Input[str]]],
                  backend: pulumi.Input[str],
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
+                 allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  extra_labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  generated_role_rules: Optional[pulumi.Input[str]] = None,
@@ -29,10 +30,15 @@ class SecretBackendRoleArgs:
                  token_max_ttl: Optional[pulumi.Input[int]] = None):
         """
         The set of arguments for constructing a SecretBackendRole resource.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
                Kubernetes objects.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_labels: Additional labels to apply to all generated Kubernetes 
@@ -62,8 +68,11 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[int] token_default_ttl: The default TTL for generated Kubernetes tokens in seconds.
         :param pulumi.Input[int] token_max_ttl: The maximum TTL for generated Kubernetes tokens in seconds.
         """
-        pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         pulumi.set(__self__, "backend", backend)
+        if allowed_kubernetes_namespace_selector is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespace_selector", allowed_kubernetes_namespace_selector)
+        if allowed_kubernetes_namespaces is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         if extra_annotations is not None:
             pulumi.set(__self__, "extra_annotations", extra_annotations)
         if extra_labels is not None:
@@ -87,19 +96,6 @@ class SecretBackendRoleArgs:
         if token_max_ttl is not None:
             pulumi.set(__self__, "token_max_ttl", token_max_ttl)
 
-    @property
-    @pulumi.getter(name="allowedKubernetesNamespaces")
-    def allowed_kubernetes_namespaces(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
-        """
-        The list of Kubernetes namespaces this role 
-        can generate credentials for. If set to `*` all namespaces are allowed.
-        """
-        return pulumi.get(self, "allowed_kubernetes_namespaces")
-
-    @allowed_kubernetes_namespaces.setter
-    def allowed_kubernetes_namespaces(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
-        pulumi.set(self, "allowed_kubernetes_namespaces", value)
-
     @property
     @pulumi.getter
     def backend(self) -> pulumi.Input[str]:
@@ -113,6 +109,35 @@ class SecretBackendRoleArgs:
     def backend(self, value: pulumi.Input[str]):
         pulumi.set(self, "backend", value)
 
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> Optional[pulumi.Input[str]]:
+        """
+        A label selector for Kubernetes namespaces 
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+
+    @allowed_kubernetes_namespace_selector.setter
+    def allowed_kubernetes_namespace_selector(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "allowed_kubernetes_namespace_selector", value)
+
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaces")
+    def allowed_kubernetes_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        The list of Kubernetes namespaces this role 
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespaces")
+
+    @allowed_kubernetes_namespaces.setter
+    def allowed_kubernetes_namespaces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "allowed_kubernetes_namespaces", value)
+
     @property
     @pulumi.getter(name="extraAnnotations")
     def extra_annotations(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
@@ -266,6 +291,7 @@ class SecretBackendRoleArgs:
 @pulumi.input_type
 class _SecretBackendRoleState:
     def __init__(__self__, *,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -281,8 +307,13 @@ class _SecretBackendRoleState:
                  token_max_ttl: Optional[pulumi.Input[int]] = None):
         """
         Input properties used for looking up and filtering SecretBackendRole resources.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
@@ -314,6 +345,8 @@ class _SecretBackendRoleState:
         :param pulumi.Input[int] token_default_ttl: The default TTL for generated Kubernetes tokens in seconds.
         :param pulumi.Input[int] token_max_ttl: The maximum TTL for generated Kubernetes tokens in seconds.
         """
+        if allowed_kubernetes_namespace_selector is not None:
+            pulumi.set(__self__, "allowed_kubernetes_namespace_selector", allowed_kubernetes_namespace_selector)
         if allowed_kubernetes_namespaces is not None:
             pulumi.set(__self__, "allowed_kubernetes_namespaces", allowed_kubernetes_namespaces)
         if backend is not None:
@@ -341,12 +374,28 @@ class _SecretBackendRoleState:
         if token_max_ttl is not None:
             pulumi.set(__self__, "token_max_ttl", token_max_ttl)
 
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> Optional[pulumi.Input[str]]:
+        """
+        A label selector for Kubernetes namespaces 
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+
+    @allowed_kubernetes_namespace_selector.setter
+    def allowed_kubernetes_namespace_selector(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "allowed_kubernetes_namespace_selector", value)
+
     @property
     @pulumi.getter(name="allowedKubernetesNamespaces")
     def allowed_kubernetes_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
         The list of Kubernetes namespaces this role 
-        can generate credentials for. If set to `*` all namespaces are allowed.
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         """
         return pulumi.get(self, "allowed_kubernetes_namespaces")
 
@@ -522,6 +571,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -649,8 +699,13 @@ class SecretBackendRole(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
@@ -814,6 +869,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
                  allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -836,8 +892,7 @@ class SecretBackendRole(pulumi.CustomResource):
                 raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
             __props__ = SecretBackendRoleArgs.__new__(SecretBackendRoleArgs)
 
-            if allowed_kubernetes_namespaces is None and not opts.urn:
-                raise TypeError("Missing required property 'allowed_kubernetes_namespaces'")
+            __props__.__dict__["allowed_kubernetes_namespace_selector"] = allowed_kubernetes_namespace_selector
             __props__.__dict__["allowed_kubernetes_namespaces"] = allowed_kubernetes_namespaces
             if backend is None and not opts.urn:
                 raise TypeError("Missing required property 'backend'")
@@ -863,6 +918,7 @@ class SecretBackendRole(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
+            allowed_kubernetes_namespace_selector: Optional[pulumi.Input[str]] = None,
             allowed_kubernetes_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             extra_annotations: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -883,8 +939,13 @@ class SecretBackendRole(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] allowed_kubernetes_namespace_selector: A label selector for Kubernetes namespaces 
+               in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+               of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+               If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_kubernetes_namespaces: The list of Kubernetes namespaces this role 
-               can generate credentials for. If set to `*` all namespaces are allowed.
+               can generate credentials for. If set to `*` all namespaces are allowed. If set with
+               `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         :param pulumi.Input[str] backend: The path of the Kubernetes Secrets Engine backend mount to create
                the role in.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] extra_annotations: Additional annotations to apply to all generated 
@@ -920,6 +981,7 @@ class SecretBackendRole(pulumi.CustomResource):
 
         __props__ = _SecretBackendRoleState.__new__(_SecretBackendRoleState)
 
+        __props__.__dict__["allowed_kubernetes_namespace_selector"] = allowed_kubernetes_namespace_selector
         __props__.__dict__["allowed_kubernetes_namespaces"] = allowed_kubernetes_namespaces
         __props__.__dict__["backend"] = backend
         __props__.__dict__["extra_annotations"] = extra_annotations
@@ -935,12 +997,24 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["token_max_ttl"] = token_max_ttl
         return SecretBackendRole(resource_name, opts=opts, __props__=__props__)
 
+    @property
+    @pulumi.getter(name="allowedKubernetesNamespaceSelector")
+    def allowed_kubernetes_namespace_selector(self) -> pulumi.Output[Optional[str]]:
+        """
+        A label selector for Kubernetes namespaces 
+        in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
+        of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
+        If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
+        """
+        return pulumi.get(self, "allowed_kubernetes_namespace_selector")
+
     @property
     @pulumi.getter(name="allowedKubernetesNamespaces")
-    def allowed_kubernetes_namespaces(self) -> pulumi.Output[Sequence[str]]:
+    def allowed_kubernetes_namespaces(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
         The list of Kubernetes namespaces this role 
-        can generate credentials for. If set to `*` all namespaces are allowed.
+        can generate credentials for. If set to `*` all namespaces are allowed. If set with
+        `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
         """
         return pulumi.get(self, "allowed_kubernetes_namespaces")
 

pulumi_vault/mongodbatlas/secret_backend.py

@@ -199,11 +199,11 @@ class SecretBackend(pulumi.CustomResource):
         import pulumi_vault as vault
 
         mongo = vault.Mount("mongo",
-            description="MongoDB Atlas secret engine mount",
             path="mongodbatlas",
-            type="mongodbatlas")
+            type="mongodbatlas",
+            description="MongoDB Atlas secret engine mount")
         config = vault.mongodbatlas.SecretBackend("config",
-            mount="vault_mount.mongo.path",
+            mount=mongo.path,
             private_key="privateKey",
             public_key="publicKey")
         ```
@@ -242,11 +242,11 @@ class SecretBackend(pulumi.CustomResource):
         import pulumi_vault as vault
 
         mongo = vault.Mount("mongo",
-            description="MongoDB Atlas secret engine mount",
             path="mongodbatlas",
-            type="mongodbatlas")
+            type="mongodbatlas",
+            description="MongoDB Atlas secret engine mount")
         config = vault.mongodbatlas.SecretBackend("config",
-            mount="vault_mount.mongo.path",
+            mount=mongo.path,
             private_key="privateKey",
             public_key="publicKey")
         ```