pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.6.0a1741836364__py3-none-any.whl

Files changed (44)
  1. pulumi_vault/__init__.py +8 -0
  2. pulumi_vault/aws/auth_backend_client.py +228 -4
  3. pulumi_vault/aws/secret_backend.py +266 -50
  4. pulumi_vault/aws/secret_backend_static_role.py +217 -0
  5. pulumi_vault/azure/auth_backend_config.py +257 -5
  6. pulumi_vault/azure/backend.py +249 -4
  7. pulumi_vault/database/_inputs.py +1692 -36
  8. pulumi_vault/database/outputs.py +1170 -18
  9. pulumi_vault/database/secret_backend_connection.py +220 -0
  10. pulumi_vault/database/secret_backend_static_role.py +143 -1
  11. pulumi_vault/database/secrets_mount.py +8 -0
  12. pulumi_vault/gcp/auth_backend.py +222 -2
  13. pulumi_vault/gcp/secret_backend.py +244 -4
  14. pulumi_vault/ldap/auth_backend.py +222 -2
  15. pulumi_vault/ldap/secret_backend.py +222 -2
  16. pulumi_vault/pkisecret/__init__.py +2 -0
  17. pulumi_vault/pkisecret/_inputs.py +0 -6
  18. pulumi_vault/pkisecret/backend_config_acme.py +47 -0
  19. pulumi_vault/pkisecret/backend_config_auto_tidy.py +1376 -0
  20. pulumi_vault/pkisecret/backend_config_cmpv2.py +61 -14
  21. pulumi_vault/pkisecret/get_backend_cert_metadata.py +277 -0
  22. pulumi_vault/pkisecret/get_backend_config_cmpv2.py +18 -1
  23. pulumi_vault/pkisecret/get_backend_issuer.py +114 -1
  24. pulumi_vault/pkisecret/outputs.py +0 -4
  25. pulumi_vault/pkisecret/secret_backend_cert.py +148 -7
  26. pulumi_vault/pkisecret/secret_backend_crl_config.py +54 -0
  27. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +141 -0
  28. pulumi_vault/pkisecret/secret_backend_issuer.py +265 -0
  29. pulumi_vault/pkisecret/secret_backend_role.py +252 -3
  30. pulumi_vault/pkisecret/secret_backend_root_cert.py +423 -0
  31. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +581 -3
  32. pulumi_vault/pkisecret/secret_backend_sign.py +94 -0
  33. pulumi_vault/pulumi-plugin.json +1 -1
  34. pulumi_vault/ssh/__init__.py +1 -0
  35. pulumi_vault/ssh/get_secret_backend_sign.py +294 -0
  36. pulumi_vault/terraformcloud/secret_role.py +7 -7
  37. pulumi_vault/transit/__init__.py +2 -0
  38. pulumi_vault/transit/get_sign.py +324 -0
  39. pulumi_vault/transit/get_verify.py +354 -0
  40. pulumi_vault/transit/secret_backend_key.py +162 -0
  41. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.6.0a1741836364.dist-info}/METADATA +1 -1
  42. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.6.0a1741836364.dist-info}/RECORD +44 -39
  43. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.6.0a1741836364.dist-info}/WHEEL +1 -1
  44. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.6.0a1741836364.dist-info}/top_level.txt +0 -0
@@ -32,6 +32,7 @@ class SecretBackendArgs:
32
32
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
33
33
  delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
34
34
  description: Optional[pulumi.Input[str]] = None,
35
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
35
36
  disable_remount: Optional[pulumi.Input[bool]] = None,
36
37
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
37
38
  identity_token_key: Optional[pulumi.Input[str]] = None,
@@ -46,6 +47,9 @@ class SecretBackendArgs:
46
47
  path: Optional[pulumi.Input[str]] = None,
47
48
  plugin_version: Optional[pulumi.Input[str]] = None,
48
49
  request_timeout: Optional[pulumi.Input[int]] = None,
50
+ rotation_period: Optional[pulumi.Input[int]] = None,
51
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
52
+ rotation_window: Optional[pulumi.Input[int]] = None,
49
53
  schema: Optional[pulumi.Input[str]] = None,
50
54
  seal_wrap: Optional[pulumi.Input[bool]] = None,
51
55
  skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
@@ -71,6 +75,7 @@ class SecretBackendArgs:
71
75
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
72
76
  :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
73
77
  :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
78
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
74
79
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
75
80
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
76
81
  :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
@@ -92,6 +97,13 @@ class SecretBackendArgs:
92
97
  :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
93
98
  :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
94
99
  before returning back an error.
100
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
101
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
102
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
103
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
104
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
105
+ a rotation when a scheduled token rotation occurs. The default rotation window is
106
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
95
107
  :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
96
108
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
97
109
  :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
@@ -127,6 +139,8 @@ class SecretBackendArgs:
127
139
  pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
128
140
  if description is not None:
129
141
  pulumi.set(__self__, "description", description)
142
+ if disable_automated_rotation is not None:
143
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
130
144
  if disable_remount is not None:
131
145
  pulumi.set(__self__, "disable_remount", disable_remount)
132
146
  if external_entropy_access is not None:
@@ -155,6 +169,12 @@ class SecretBackendArgs:
155
169
  pulumi.set(__self__, "plugin_version", plugin_version)
156
170
  if request_timeout is not None:
157
171
  pulumi.set(__self__, "request_timeout", request_timeout)
172
+ if rotation_period is not None:
173
+ pulumi.set(__self__, "rotation_period", rotation_period)
174
+ if rotation_schedule is not None:
175
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
176
+ if rotation_window is not None:
177
+ pulumi.set(__self__, "rotation_window", rotation_window)
158
178
  if schema is not None:
159
179
  pulumi.set(__self__, "schema", schema)
160
180
  if seal_wrap is not None:
@@ -330,6 +350,18 @@ class SecretBackendArgs:
330
350
  def description(self, value: Optional[pulumi.Input[str]]):
331
351
  pulumi.set(self, "description", value)
332
352
 
353
+ @property
354
+ @pulumi.getter(name="disableAutomatedRotation")
355
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[bool]]:
356
+ """
357
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
358
+ """
359
+ return pulumi.get(self, "disable_automated_rotation")
360
+
361
+ @disable_automated_rotation.setter
362
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[bool]]):
363
+ pulumi.set(self, "disable_automated_rotation", value)
364
+
333
365
  @property
334
366
  @pulumi.getter(name="disableRemount")
335
367
  def disable_remount(self) -> Optional[pulumi.Input[bool]]:
@@ -505,6 +537,46 @@ class SecretBackendArgs:
505
537
  def request_timeout(self, value: Optional[pulumi.Input[int]]):
506
538
  pulumi.set(self, "request_timeout", value)
507
539
 
540
+ @property
541
+ @pulumi.getter(name="rotationPeriod")
542
+ def rotation_period(self) -> Optional[pulumi.Input[int]]:
543
+ """
544
+ The amount of time in seconds Vault should wait before rotating the root credential.
545
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
546
+ """
547
+ return pulumi.get(self, "rotation_period")
548
+
549
+ @rotation_period.setter
550
+ def rotation_period(self, value: Optional[pulumi.Input[int]]):
551
+ pulumi.set(self, "rotation_period", value)
552
+
553
+ @property
554
+ @pulumi.getter(name="rotationSchedule")
555
+ def rotation_schedule(self) -> Optional[pulumi.Input[str]]:
556
+ """
557
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
558
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
559
+ """
560
+ return pulumi.get(self, "rotation_schedule")
561
+
562
+ @rotation_schedule.setter
563
+ def rotation_schedule(self, value: Optional[pulumi.Input[str]]):
564
+ pulumi.set(self, "rotation_schedule", value)
565
+
566
+ @property
567
+ @pulumi.getter(name="rotationWindow")
568
+ def rotation_window(self) -> Optional[pulumi.Input[int]]:
569
+ """
570
+ The maximum amount of time in seconds allowed to complete
571
+ a rotation when a scheduled token rotation occurs. The default rotation window is
572
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
573
+ """
574
+ return pulumi.get(self, "rotation_window")
575
+
576
+ @rotation_window.setter
577
+ def rotation_window(self, value: Optional[pulumi.Input[int]]):
578
+ pulumi.set(self, "rotation_window", value)
579
+
508
580
  @property
509
581
  @pulumi.getter
510
582
  def schema(self) -> Optional[pulumi.Input[str]]:
@@ -621,6 +693,7 @@ class _SecretBackendState:
621
693
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
622
694
  delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
623
695
  description: Optional[pulumi.Input[str]] = None,
696
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
624
697
  disable_remount: Optional[pulumi.Input[bool]] = None,
625
698
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
626
699
  identity_token_key: Optional[pulumi.Input[str]] = None,
@@ -635,6 +708,9 @@ class _SecretBackendState:
635
708
  path: Optional[pulumi.Input[str]] = None,
636
709
  plugin_version: Optional[pulumi.Input[str]] = None,
637
710
  request_timeout: Optional[pulumi.Input[int]] = None,
711
+ rotation_period: Optional[pulumi.Input[int]] = None,
712
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
713
+ rotation_window: Optional[pulumi.Input[int]] = None,
638
714
  schema: Optional[pulumi.Input[str]] = None,
639
715
  seal_wrap: Optional[pulumi.Input[bool]] = None,
640
716
  skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
@@ -661,6 +737,7 @@ class _SecretBackendState:
661
737
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
662
738
  :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
663
739
  :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
740
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
664
741
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
665
742
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
666
743
  :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
@@ -682,6 +759,13 @@ class _SecretBackendState:
682
759
  :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
683
760
  :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
684
761
  before returning back an error.
762
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
763
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
764
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
765
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
766
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
767
+ a rotation when a scheduled token rotation occurs. The default rotation window is
768
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
685
769
  :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
686
770
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
687
771
  :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
@@ -721,6 +805,8 @@ class _SecretBackendState:
721
805
  pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
722
806
  if description is not None:
723
807
  pulumi.set(__self__, "description", description)
808
+ if disable_automated_rotation is not None:
809
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
724
810
  if disable_remount is not None:
725
811
  pulumi.set(__self__, "disable_remount", disable_remount)
726
812
  if external_entropy_access is not None:
@@ -749,6 +835,12 @@ class _SecretBackendState:
749
835
  pulumi.set(__self__, "plugin_version", plugin_version)
750
836
  if request_timeout is not None:
751
837
  pulumi.set(__self__, "request_timeout", request_timeout)
838
+ if rotation_period is not None:
839
+ pulumi.set(__self__, "rotation_period", rotation_period)
840
+ if rotation_schedule is not None:
841
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
842
+ if rotation_window is not None:
843
+ pulumi.set(__self__, "rotation_window", rotation_window)
752
844
  if schema is not None:
753
845
  pulumi.set(__self__, "schema", schema)
754
846
  if seal_wrap is not None:
@@ -936,6 +1028,18 @@ class _SecretBackendState:
936
1028
  def description(self, value: Optional[pulumi.Input[str]]):
937
1029
  pulumi.set(self, "description", value)
938
1030
 
1031
+ @property
1032
+ @pulumi.getter(name="disableAutomatedRotation")
1033
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[bool]]:
1034
+ """
1035
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1036
+ """
1037
+ return pulumi.get(self, "disable_automated_rotation")
1038
+
1039
+ @disable_automated_rotation.setter
1040
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[bool]]):
1041
+ pulumi.set(self, "disable_automated_rotation", value)
1042
+
939
1043
  @property
940
1044
  @pulumi.getter(name="disableRemount")
941
1045
  def disable_remount(self) -> Optional[pulumi.Input[bool]]:
@@ -1111,6 +1215,46 @@ class _SecretBackendState:
1111
1215
  def request_timeout(self, value: Optional[pulumi.Input[int]]):
1112
1216
  pulumi.set(self, "request_timeout", value)
1113
1217
 
1218
+ @property
1219
+ @pulumi.getter(name="rotationPeriod")
1220
+ def rotation_period(self) -> Optional[pulumi.Input[int]]:
1221
+ """
1222
+ The amount of time in seconds Vault should wait before rotating the root credential.
1223
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1224
+ """
1225
+ return pulumi.get(self, "rotation_period")
1226
+
1227
+ @rotation_period.setter
1228
+ def rotation_period(self, value: Optional[pulumi.Input[int]]):
1229
+ pulumi.set(self, "rotation_period", value)
1230
+
1231
+ @property
1232
+ @pulumi.getter(name="rotationSchedule")
1233
+ def rotation_schedule(self) -> Optional[pulumi.Input[str]]:
1234
+ """
1235
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1236
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1237
+ """
1238
+ return pulumi.get(self, "rotation_schedule")
1239
+
1240
+ @rotation_schedule.setter
1241
+ def rotation_schedule(self, value: Optional[pulumi.Input[str]]):
1242
+ pulumi.set(self, "rotation_schedule", value)
1243
+
1244
+ @property
1245
+ @pulumi.getter(name="rotationWindow")
1246
+ def rotation_window(self) -> Optional[pulumi.Input[int]]:
1247
+ """
1248
+ The maximum amount of time in seconds allowed to complete
1249
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1250
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1251
+ """
1252
+ return pulumi.get(self, "rotation_window")
1253
+
1254
+ @rotation_window.setter
1255
+ def rotation_window(self, value: Optional[pulumi.Input[int]]):
1256
+ pulumi.set(self, "rotation_window", value)
1257
+
1114
1258
  @property
1115
1259
  @pulumi.getter
1116
1260
  def schema(self) -> Optional[pulumi.Input[str]]:
@@ -1228,6 +1372,7 @@ class SecretBackend(pulumi.CustomResource):
1228
1372
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
1229
1373
  delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1230
1374
  description: Optional[pulumi.Input[str]] = None,
1375
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
1231
1376
  disable_remount: Optional[pulumi.Input[bool]] = None,
1232
1377
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
1233
1378
  identity_token_key: Optional[pulumi.Input[str]] = None,
@@ -1242,6 +1387,9 @@ class SecretBackend(pulumi.CustomResource):
1242
1387
  path: Optional[pulumi.Input[str]] = None,
1243
1388
  plugin_version: Optional[pulumi.Input[str]] = None,
1244
1389
  request_timeout: Optional[pulumi.Input[int]] = None,
1390
+ rotation_period: Optional[pulumi.Input[int]] = None,
1391
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
1392
+ rotation_window: Optional[pulumi.Input[int]] = None,
1245
1393
  schema: Optional[pulumi.Input[str]] = None,
1246
1394
  seal_wrap: Optional[pulumi.Input[bool]] = None,
1247
1395
  skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
@@ -1264,7 +1412,9 @@ class SecretBackend(pulumi.CustomResource):
1264
1412
  bindpass="SuperSecretPassw0rd",
1265
1413
  url="ldaps://localhost",
1266
1414
  insecure_tls=True,
1267
- userdn="CN=Users,DC=corp,DC=example,DC=net")
1415
+ userdn="CN=Users,DC=corp,DC=example,DC=net",
1416
+ rotation_schedule="0 * * * SAT",
1417
+ rotation_window=3600)
1268
1418
  ```
1269
1419
 
1270
1420
  ## Import
@@ -1292,6 +1442,7 @@ class SecretBackend(pulumi.CustomResource):
1292
1442
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
1293
1443
  :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
1294
1444
  :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
1445
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1295
1446
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
1296
1447
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
1297
1448
  :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
@@ -1313,6 +1464,13 @@ class SecretBackend(pulumi.CustomResource):
1313
1464
  :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
1314
1465
  :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
1315
1466
  before returning back an error.
1467
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
1468
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1469
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1470
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1471
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
1472
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1473
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1316
1474
  :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
1317
1475
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
1318
1476
  :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
@@ -1343,7 +1501,9 @@ class SecretBackend(pulumi.CustomResource):
1343
1501
  bindpass="SuperSecretPassw0rd",
1344
1502
  url="ldaps://localhost",
1345
1503
  insecure_tls=True,
1346
- userdn="CN=Users,DC=corp,DC=example,DC=net")
1504
+ userdn="CN=Users,DC=corp,DC=example,DC=net",
1505
+ rotation_schedule="0 * * * SAT",
1506
+ rotation_window=3600)
1347
1507
  ```
1348
1508
 
1349
1509
  ## Import
@@ -1382,6 +1542,7 @@ class SecretBackend(pulumi.CustomResource):
1382
1542
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
1383
1543
  delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1384
1544
  description: Optional[pulumi.Input[str]] = None,
1545
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
1385
1546
  disable_remount: Optional[pulumi.Input[bool]] = None,
1386
1547
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
1387
1548
  identity_token_key: Optional[pulumi.Input[str]] = None,
@@ -1396,6 +1557,9 @@ class SecretBackend(pulumi.CustomResource):
1396
1557
  path: Optional[pulumi.Input[str]] = None,
1397
1558
  plugin_version: Optional[pulumi.Input[str]] = None,
1398
1559
  request_timeout: Optional[pulumi.Input[int]] = None,
1560
+ rotation_period: Optional[pulumi.Input[int]] = None,
1561
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
1562
+ rotation_window: Optional[pulumi.Input[int]] = None,
1399
1563
  schema: Optional[pulumi.Input[str]] = None,
1400
1564
  seal_wrap: Optional[pulumi.Input[bool]] = None,
1401
1565
  skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
@@ -1430,6 +1594,7 @@ class SecretBackend(pulumi.CustomResource):
1430
1594
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
1431
1595
  __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
1432
1596
  __props__.__dict__["description"] = description
1597
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
1433
1598
  __props__.__dict__["disable_remount"] = disable_remount
1434
1599
  __props__.__dict__["external_entropy_access"] = external_entropy_access
1435
1600
  __props__.__dict__["identity_token_key"] = identity_token_key
@@ -1444,6 +1609,9 @@ class SecretBackend(pulumi.CustomResource):
1444
1609
  __props__.__dict__["path"] = path
1445
1610
  __props__.__dict__["plugin_version"] = plugin_version
1446
1611
  __props__.__dict__["request_timeout"] = request_timeout
1612
+ __props__.__dict__["rotation_period"] = rotation_period
1613
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1614
+ __props__.__dict__["rotation_window"] = rotation_window
1447
1615
  __props__.__dict__["schema"] = schema
1448
1616
  __props__.__dict__["seal_wrap"] = seal_wrap
1449
1617
  __props__.__dict__["skip_static_role_import_rotation"] = skip_static_role_import_rotation
@@ -1479,6 +1647,7 @@ class SecretBackend(pulumi.CustomResource):
1479
1647
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
1480
1648
  delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1481
1649
  description: Optional[pulumi.Input[str]] = None,
1650
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
1482
1651
  disable_remount: Optional[pulumi.Input[bool]] = None,
1483
1652
  external_entropy_access: Optional[pulumi.Input[bool]] = None,
1484
1653
  identity_token_key: Optional[pulumi.Input[str]] = None,
@@ -1493,6 +1662,9 @@ class SecretBackend(pulumi.CustomResource):
1493
1662
  path: Optional[pulumi.Input[str]] = None,
1494
1663
  plugin_version: Optional[pulumi.Input[str]] = None,
1495
1664
  request_timeout: Optional[pulumi.Input[int]] = None,
1665
+ rotation_period: Optional[pulumi.Input[int]] = None,
1666
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
1667
+ rotation_window: Optional[pulumi.Input[int]] = None,
1496
1668
  schema: Optional[pulumi.Input[str]] = None,
1497
1669
  seal_wrap: Optional[pulumi.Input[bool]] = None,
1498
1670
  skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
@@ -1524,6 +1696,7 @@ class SecretBackend(pulumi.CustomResource):
1524
1696
  :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
1525
1697
  :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
1526
1698
  :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
1699
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1527
1700
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
1528
1701
  :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
1529
1702
  :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
@@ -1545,6 +1718,13 @@ class SecretBackend(pulumi.CustomResource):
1545
1718
  :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
1546
1719
  :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
1547
1720
  before returning back an error.
1721
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
1722
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1723
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1724
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1725
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
1726
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1727
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1548
1728
  :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
1549
1729
  :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
1550
1730
  :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
@@ -1574,6 +1754,7 @@ class SecretBackend(pulumi.CustomResource):
1574
1754
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
1575
1755
  __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
1576
1756
  __props__.__dict__["description"] = description
1757
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
1577
1758
  __props__.__dict__["disable_remount"] = disable_remount
1578
1759
  __props__.__dict__["external_entropy_access"] = external_entropy_access
1579
1760
  __props__.__dict__["identity_token_key"] = identity_token_key
@@ -1588,6 +1769,9 @@ class SecretBackend(pulumi.CustomResource):
1588
1769
  __props__.__dict__["path"] = path
1589
1770
  __props__.__dict__["plugin_version"] = plugin_version
1590
1771
  __props__.__dict__["request_timeout"] = request_timeout
1772
+ __props__.__dict__["rotation_period"] = rotation_period
1773
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1774
+ __props__.__dict__["rotation_window"] = rotation_window
1591
1775
  __props__.__dict__["schema"] = schema
1592
1776
  __props__.__dict__["seal_wrap"] = seal_wrap
1593
1777
  __props__.__dict__["skip_static_role_import_rotation"] = skip_static_role_import_rotation
@@ -1712,6 +1896,14 @@ class SecretBackend(pulumi.CustomResource):
1712
1896
  """
1713
1897
  return pulumi.get(self, "description")
1714
1898
 
1899
+ @property
1900
+ @pulumi.getter(name="disableAutomatedRotation")
1901
+ def disable_automated_rotation(self) -> pulumi.Output[Optional[bool]]:
1902
+ """
1903
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1904
+ """
1905
+ return pulumi.get(self, "disable_automated_rotation")
1906
+
1715
1907
  @property
1716
1908
  @pulumi.getter(name="disableRemount")
1717
1909
  def disable_remount(self) -> pulumi.Output[Optional[bool]]:
@@ -1831,6 +2023,34 @@ class SecretBackend(pulumi.CustomResource):
1831
2023
  """
1832
2024
  return pulumi.get(self, "request_timeout")
1833
2025
 
2026
+ @property
2027
+ @pulumi.getter(name="rotationPeriod")
2028
+ def rotation_period(self) -> pulumi.Output[Optional[int]]:
2029
+ """
2030
+ The amount of time in seconds Vault should wait before rotating the root credential.
2031
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
2032
+ """
2033
+ return pulumi.get(self, "rotation_period")
2034
+
2035
+ @property
2036
+ @pulumi.getter(name="rotationSchedule")
2037
+ def rotation_schedule(self) -> pulumi.Output[Optional[str]]:
2038
+ """
2039
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
2040
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
2041
+ """
2042
+ return pulumi.get(self, "rotation_schedule")
2043
+
2044
+ @property
2045
+ @pulumi.getter(name="rotationWindow")
2046
+ def rotation_window(self) -> pulumi.Output[Optional[int]]:
2047
+ """
2048
+ The maximum amount of time in seconds allowed to complete
2049
+ a rotation when a scheduled token rotation occurs. The default rotation window is
2050
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
2051
+ """
2052
+ return pulumi.get(self, "rotation_window")
2053
+
1834
2054
  @property
1835
2055
  @pulumi.getter
1836
2056
  def schema(self) -> pulumi.Output[str]:
@@ -7,9 +7,11 @@ import typing
7
7
  # Export this package's modules as members:
8
8
  from .backend_acme_eab import *
9
9
  from .backend_config_acme import *
10
+ from .backend_config_auto_tidy import *
10
11
  from .backend_config_cluster import *
11
12
  from .backend_config_cmpv2 import *
12
13
  from .backend_config_est import *
14
+ from .get_backend_cert_metadata import *
13
15
  from .get_backend_config_cmpv2 import *
14
16
  from .get_backend_config_est import *
15
17
  from .get_backend_issuer import *
@@ -118,8 +118,6 @@ if not MYPY:
118
118
  cps: NotRequired[pulumi.Input[str]]
119
119
  """
120
120
  The URL of the CPS for the policy identifier
121
-
122
- Example usage:
123
121
  """
124
122
  notice: NotRequired[pulumi.Input[str]]
125
123
  """
@@ -137,8 +135,6 @@ class SecretBackendRolePolicyIdentifierArgs:
137
135
  """
138
136
  :param pulumi.Input[str] oid: The OID for the policy identifier
139
137
  :param pulumi.Input[str] cps: The URL of the CPS for the policy identifier
140
-
141
- Example usage:
142
138
  :param pulumi.Input[str] notice: A notice for the policy identifier
143
139
  """
144
140
  pulumi.set(__self__, "oid", oid)
@@ -164,8 +160,6 @@ class SecretBackendRolePolicyIdentifierArgs:
164
160
  def cps(self) -> Optional[pulumi.Input[str]]:
165
161
  """
166
162
  The URL of the CPS for the policy identifier
167
-
168
- Example usage:
169
163
  """
170
164
  return pulumi.get(self, "cps")
171
165
 
@@ -27,6 +27,7 @@ class BackendConfigAcmeArgs:
27
27
  default_directory_policy: Optional[pulumi.Input[str]] = None,
28
28
  dns_resolver: Optional[pulumi.Input[str]] = None,
29
29
  eab_policy: Optional[pulumi.Input[str]] = None,
30
+ max_ttl: Optional[pulumi.Input[int]] = None,
30
31
  namespace: Optional[pulumi.Input[str]] = None):
31
32
  """
32
33
  The set of arguments for constructing a BackendConfigAcme resource.
@@ -41,6 +42,7 @@ class BackendConfigAcmeArgs:
41
42
  Must be in the format `<host>:<port>`, with both parts mandatory.
42
43
  :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour.
43
44
  Allowed values are `not-required`, `new-account-required` or `always-required`.
45
+ :param pulumi.Input[int] max_ttl: The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**
44
46
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
45
47
  The value should not contain leading or trailing forward slashes.
46
48
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
@@ -60,6 +62,8 @@ class BackendConfigAcmeArgs:
60
62
  pulumi.set(__self__, "dns_resolver", dns_resolver)
61
63
  if eab_policy is not None:
62
64
  pulumi.set(__self__, "eab_policy", eab_policy)
65
+ if max_ttl is not None:
66
+ pulumi.set(__self__, "max_ttl", max_ttl)
63
67
  if namespace is not None:
64
68
  pulumi.set(__self__, "namespace", namespace)
65
69
 
@@ -162,6 +166,18 @@ class BackendConfigAcmeArgs:
162
166
  def eab_policy(self, value: Optional[pulumi.Input[str]]):
163
167
  pulumi.set(self, "eab_policy", value)
164
168
 
169
+ @property
170
+ @pulumi.getter(name="maxTtl")
171
+ def max_ttl(self) -> Optional[pulumi.Input[int]]:
172
+ """
173
+ The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**
174
+ """
175
+ return pulumi.get(self, "max_ttl")
176
+
177
+ @max_ttl.setter
178
+ def max_ttl(self, value: Optional[pulumi.Input[int]]):
179
+ pulumi.set(self, "max_ttl", value)
180
+
165
181
  @property
166
182
  @pulumi.getter
167
183
  def namespace(self) -> Optional[pulumi.Input[str]]:
@@ -189,6 +205,7 @@ class _BackendConfigAcmeState:
189
205
  dns_resolver: Optional[pulumi.Input[str]] = None,
190
206
  eab_policy: Optional[pulumi.Input[str]] = None,
191
207
  enabled: Optional[pulumi.Input[bool]] = None,
208
+ max_ttl: Optional[pulumi.Input[int]] = None,
192
209
  namespace: Optional[pulumi.Input[str]] = None):
193
210
  """
194
211
  Input properties used for looking up and filtering BackendConfigAcme resources.
@@ -203,6 +220,7 @@ class _BackendConfigAcmeState:
203
220
  :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour.
204
221
  Allowed values are `not-required`, `new-account-required` or `always-required`.
205
222
  :param pulumi.Input[bool] enabled: Specifies whether ACME is enabled.
223
+ :param pulumi.Input[int] max_ttl: The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**
206
224
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
207
225
  The value should not contain leading or trailing forward slashes.
208
226
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
@@ -224,6 +242,8 @@ class _BackendConfigAcmeState:
224
242
  pulumi.set(__self__, "eab_policy", eab_policy)
225
243
  if enabled is not None:
226
244
  pulumi.set(__self__, "enabled", enabled)
245
+ if max_ttl is not None:
246
+ pulumi.set(__self__, "max_ttl", max_ttl)
227
247
  if namespace is not None:
228
248
  pulumi.set(__self__, "namespace", namespace)
229
249
 
@@ -326,6 +346,18 @@ class _BackendConfigAcmeState:
326
346
  def enabled(self, value: Optional[pulumi.Input[bool]]):
327
347
  pulumi.set(self, "enabled", value)
328
348
 
349
+ @property
350
+ @pulumi.getter(name="maxTtl")
351
+ def max_ttl(self) -> Optional[pulumi.Input[int]]:
352
+ """
353
+ The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**
354
+ """
355
+ return pulumi.get(self, "max_ttl")
356
+
357
+ @max_ttl.setter
358
+ def max_ttl(self, value: Optional[pulumi.Input[int]]):
359
+ pulumi.set(self, "max_ttl", value)
360
+
329
361
  @property
330
362
  @pulumi.getter
331
363
  def namespace(self) -> Optional[pulumi.Input[str]]:
@@ -355,6 +387,7 @@ class BackendConfigAcme(pulumi.CustomResource):
355
387
  dns_resolver: Optional[pulumi.Input[str]] = None,
356
388
  eab_policy: Optional[pulumi.Input[str]] = None,
357
389
  enabled: Optional[pulumi.Input[bool]] = None,
390
+ max_ttl: Optional[pulumi.Input[int]] = None,
358
391
  namespace: Optional[pulumi.Input[str]] = None,
359
392
  __props__=None):
360
393
  """
@@ -409,6 +442,7 @@ class BackendConfigAcme(pulumi.CustomResource):
409
442
  :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour.
410
443
  Allowed values are `not-required`, `new-account-required` or `always-required`.
411
444
  :param pulumi.Input[bool] enabled: Specifies whether ACME is enabled.
445
+ :param pulumi.Input[int] max_ttl: The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**
412
446
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
413
447
  The value should not contain leading or trailing forward slashes.
414
448
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
@@ -482,6 +516,7 @@ class BackendConfigAcme(pulumi.CustomResource):
482
516
  dns_resolver: Optional[pulumi.Input[str]] = None,
483
517
  eab_policy: Optional[pulumi.Input[str]] = None,
484
518
  enabled: Optional[pulumi.Input[bool]] = None,
519
+ max_ttl: Optional[pulumi.Input[int]] = None,
485
520
  namespace: Optional[pulumi.Input[str]] = None,
486
521
  __props__=None):
487
522
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
@@ -504,6 +539,7 @@ class BackendConfigAcme(pulumi.CustomResource):
504
539
  if enabled is None and not opts.urn:
505
540
  raise TypeError("Missing required property 'enabled'")
506
541
  __props__.__dict__["enabled"] = enabled
542
+ __props__.__dict__["max_ttl"] = max_ttl
507
543
  __props__.__dict__["namespace"] = namespace
508
544
  super(BackendConfigAcme, __self__).__init__(
509
545
  'vault:pkiSecret/backendConfigAcme:BackendConfigAcme',
@@ -523,6 +559,7 @@ class BackendConfigAcme(pulumi.CustomResource):
523
559
  dns_resolver: Optional[pulumi.Input[str]] = None,
524
560
  eab_policy: Optional[pulumi.Input[str]] = None,
525
561
  enabled: Optional[pulumi.Input[bool]] = None,
562
+ max_ttl: Optional[pulumi.Input[int]] = None,
526
563
  namespace: Optional[pulumi.Input[str]] = None) -> 'BackendConfigAcme':
527
564
  """
528
565
  Get an existing BackendConfigAcme resource's state with the given name, id, and optional extra
@@ -542,6 +579,7 @@ class BackendConfigAcme(pulumi.CustomResource):
542
579
  :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour.
543
580
  Allowed values are `not-required`, `new-account-required` or `always-required`.
544
581
  :param pulumi.Input[bool] enabled: Specifies whether ACME is enabled.
582
+ :param pulumi.Input[int] max_ttl: The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**
545
583
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
546
584
  The value should not contain leading or trailing forward slashes.
547
585
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
@@ -559,6 +597,7 @@ class BackendConfigAcme(pulumi.CustomResource):
559
597
  __props__.__dict__["dns_resolver"] = dns_resolver
560
598
  __props__.__dict__["eab_policy"] = eab_policy
561
599
  __props__.__dict__["enabled"] = enabled
600
+ __props__.__dict__["max_ttl"] = max_ttl
562
601
  __props__.__dict__["namespace"] = namespace
563
602
  return BackendConfigAcme(resource_name, opts=opts, __props__=__props__)
564
603
 
@@ -629,6 +668,14 @@ class BackendConfigAcme(pulumi.CustomResource):
629
668
  """
630
669
  return pulumi.get(self, "enabled")
631
670
 
671
+ @property
672
+ @pulumi.getter(name="maxTtl")
673
+ def max_ttl(self) -> pulumi.Output[int]:
674
+ """
675
+ The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**
676
+ """
677
+ return pulumi.get(self, "max_ttl")
678
+
632
679
  @property
633
680
  @pulumi.getter
634
681
  def namespace(self) -> pulumi.Output[Optional[str]]:
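Review bot: The `max_ttl` docstring added throughout this file (the `:param` lines and the three getters, for example at new line 675) gives the unit and the minimum Vault version but not what applies when the argument is omitted, which matters because this value caps the lifetime of ACME-issued certificates. The resource getter is typed `pulumi.Output[int]` while the argument is `Optional`, which suggests a server-side value is read back when none is set, though that is inferred from the types only. I would extend the text to something like `The maximum TTL in seconds for certificates issued by ACME; if omitted, <behaviour when unset, to be confirmed against the Vault PKI ACME documentation>. **Vault 1.17.0+**`. If this module is generated from the provider schema, the wording belongs upstream rather than in this file. The enclosing classes start and end outside these hunks.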