pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl

pulumi_vault/ldap/secret_backend.py

@@ -2,6 +2,7 @@
 # *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
+import builtins
 import copy
 import warnings
 import sys
@@ -19,89 +20,101 @@ __all__ = ['SecretBackendArgs', 'SecretBackend']
 @pulumi.input_type
 class SecretBackendArgs:
     def __init__(__self__, *,
-                 binddn: pulumi.Input[str],
-                 bindpass: pulumi.Input[str],
-                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 certificate: Optional[pulumi.Input[str]] = None,
-                 client_tls_cert: Optional[pulumi.Input[str]] = None,
-                 client_tls_key: Optional[pulumi.Input[str]] = None,
-                 connection_timeout: Optional[pulumi.Input[int]] = None,
-                 default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 disable_remount: Optional[pulumi.Input[bool]] = None,
-                 external_entropy_access: Optional[pulumi.Input[bool]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 listing_visibility: Optional[pulumi.Input[str]] = None,
-                 local: Optional[pulumi.Input[bool]] = None,
-                 max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
-                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 password_policy: Optional[pulumi.Input[str]] = None,
-                 path: Optional[pulumi.Input[str]] = None,
-                 plugin_version: Optional[pulumi.Input[str]] = None,
-                 request_timeout: Optional[pulumi.Input[int]] = None,
-                 schema: Optional[pulumi.Input[str]] = None,
-                 seal_wrap: Optional[pulumi.Input[bool]] = None,
-                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
-                 starttls: Optional[pulumi.Input[bool]] = None,
-                 upndomain: Optional[pulumi.Input[str]] = None,
-                 url: Optional[pulumi.Input[str]] = None,
-                 userattr: Optional[pulumi.Input[str]] = None,
-                 userdn: Optional[pulumi.Input[str]] = None):
+                 binddn: pulumi.Input[builtins.str],
+                 bindpass: pulumi.Input[builtins.str],
+                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 certificate: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_cert: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_key: Optional[pulumi.Input[builtins.str]] = None,
+                 connection_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
+                 external_entropy_access: Optional[pulumi.Input[builtins.bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
+                 insecure_tls: Optional[pulumi.Input[builtins.bool]] = None,
+                 listing_visibility: Optional[pulumi.Input[builtins.str]] = None,
+                 local: Optional[pulumi.Input[builtins.bool]] = None,
+                 max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 password_policy: Optional[pulumi.Input[builtins.str]] = None,
+                 path: Optional[pulumi.Input[builtins.str]] = None,
+                 plugin_version: Optional[pulumi.Input[builtins.str]] = None,
+                 request_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_period: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
+                 rotation_window: Optional[pulumi.Input[builtins.int]] = None,
+                 schema: Optional[pulumi.Input[builtins.str]] = None,
+                 seal_wrap: Optional[pulumi.Input[builtins.bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 starttls: Optional[pulumi.Input[builtins.bool]] = None,
+                 upndomain: Optional[pulumi.Input[builtins.str]] = None,
+                 url: Optional[pulumi.Input[builtins.str]] = None,
+                 userattr: Optional[pulumi.Input[builtins.str]] = None,
+                 userdn: Optional[pulumi.Input[builtins.str]] = None):
         """
         The set of arguments for constructing a SecretBackend resource.
-        :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
-        :param pulumi.Input[str] bindpass: Password to use along with binddn when performing user search.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
-        :param pulumi.Input[str] certificate: CA certificate to use when verifying LDAP server certificate, must be
+        :param pulumi.Input[builtins.str] binddn: Distinguished name of object to bind when performing user and group search.
+        :param pulumi.Input[builtins.str] bindpass: Password to use along with binddn when performing user search.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+        :param pulumi.Input[builtins.str] certificate: CA certificate to use when verifying LDAP server certificate, must be
                x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
+        :param pulumi.Input[builtins.str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
-        :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
-        :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
-        :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
-        :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
+        :param pulumi.Input[builtins.int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the Active Directory backend.
+        :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[builtins.bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin workload identity tokens
+        :param pulumi.Input[builtins.bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
-        :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
+        :param pulumi.Input[builtins.str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
+        :param pulumi.Input[builtins.bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
-        :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
-        :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] password_policy: Name of the password policy to use to generate passwords.
+        :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
-        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
-        :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
+        :param pulumi.Input[builtins.str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
+        :param pulumi.Input[builtins.int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
-        :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
-        :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
-        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+        :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
+               A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
+               defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
+               a rotation when a scheduled token rotation occurs. The default rotation window is
+               unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
+        :param pulumi.Input[builtins.bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[builtins.bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
                Defaults to false. Requires Vault 1.16 or above.
-        :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
-        :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
-        :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
+        :param pulumi.Input[builtins.bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
+        :param pulumi.Input[builtins.str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
+        :param pulumi.Input[builtins.str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
                them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
-        :param pulumi.Input[str] userattr: Attribute used when searching users. Defaults to `cn`.
-        :param pulumi.Input[str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
+        :param pulumi.Input[builtins.str] userattr: Attribute used when searching users. Defaults to `cn`.
+        :param pulumi.Input[builtins.str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
         """
         pulumi.set(__self__, "binddn", binddn)
         pulumi.set(__self__, "bindpass", bindpass)
@@ -127,6 +140,8 @@ class SecretBackendArgs:
             pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
         if description is not None:
             pulumi.set(__self__, "description", description)
+        if disable_automated_rotation is not None:
+            pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
         if external_entropy_access is not None:
@@ -155,6 +170,12 @@ class SecretBackendArgs:
             pulumi.set(__self__, "plugin_version", plugin_version)
         if request_timeout is not None:
             pulumi.set(__self__, "request_timeout", request_timeout)
+        if rotation_period is not None:
+            pulumi.set(__self__, "rotation_period", rotation_period)
+        if rotation_schedule is not None:
+            pulumi.set(__self__, "rotation_schedule", rotation_schedule)
+        if rotation_window is not None:
+            pulumi.set(__self__, "rotation_window", rotation_window)
         if schema is not None:
             pulumi.set(__self__, "schema", schema)
         if seal_wrap is not None:
@@ -174,79 +195,79 @@ class SecretBackendArgs:
 
     @property
     @pulumi.getter
-    def binddn(self) -> pulumi.Input[str]:
+    def binddn(self) -> pulumi.Input[builtins.str]:
         """
         Distinguished name of object to bind when performing user and group search.
         """
         return pulumi.get(self, "binddn")
 
     @binddn.setter
-    def binddn(self, value: pulumi.Input[str]):
+    def binddn(self, value: pulumi.Input[builtins.str]):
         pulumi.set(self, "binddn", value)
 
     @property
     @pulumi.getter
-    def bindpass(self) -> pulumi.Input[str]:
+    def bindpass(self) -> pulumi.Input[builtins.str]:
         """
         Password to use along with binddn when performing user search.
         """
         return pulumi.get(self, "bindpass")
 
     @bindpass.setter
-    def bindpass(self, value: pulumi.Input[str]):
+    def bindpass(self, value: pulumi.Input[builtins.str]):
         pulumi.set(self, "bindpass", value)
 
     @property
     @pulumi.getter(name="allowedManagedKeys")
-    def allowed_managed_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_managed_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of managed key registry entry names that the mount in question is allowed to access
         """
         return pulumi.get(self, "allowed_managed_keys")
 
     @allowed_managed_keys.setter
-    def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_managed_keys", value)
 
     @property
     @pulumi.getter(name="allowedResponseHeaders")
-    def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
         return pulumi.get(self, "allowed_response_headers")
 
     @allowed_response_headers.setter
-    def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_response_headers", value)
 
     @property
     @pulumi.getter(name="auditNonHmacRequestKeys")
-    def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
         """
         return pulumi.get(self, "audit_non_hmac_request_keys")
 
     @audit_non_hmac_request_keys.setter
-    def audit_non_hmac_request_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def audit_non_hmac_request_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "audit_non_hmac_request_keys", value)
 
     @property
     @pulumi.getter(name="auditNonHmacResponseKeys")
-    def audit_non_hmac_response_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def audit_non_hmac_response_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
         """
         return pulumi.get(self, "audit_non_hmac_response_keys")
 
     @audit_non_hmac_response_keys.setter
-    def audit_non_hmac_response_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def audit_non_hmac_response_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "audit_non_hmac_response_keys", value)
 
     @property
     @pulumi.getter
-    def certificate(self) -> Optional[pulumi.Input[str]]:
+    def certificate(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         CA certificate to use when verifying LDAP server certificate, must be
         x509 PEM encoded.
@@ -254,36 +275,36 @@ class SecretBackendArgs:
         return pulumi.get(self, "certificate")
 
     @certificate.setter
-    def certificate(self, value: Optional[pulumi.Input[str]]):
+    def certificate(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "certificate", value)
 
     @property
     @pulumi.getter(name="clientTlsCert")
-    def client_tls_cert(self) -> Optional[pulumi.Input[str]]:
+    def client_tls_cert(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Client certificate to provide to the LDAP server, must be x509 PEM encoded.
         """
         return pulumi.get(self, "client_tls_cert")
 
     @client_tls_cert.setter
-    def client_tls_cert(self, value: Optional[pulumi.Input[str]]):
+    def client_tls_cert(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "client_tls_cert", value)
 
     @property
     @pulumi.getter(name="clientTlsKey")
-    def client_tls_key(self) -> Optional[pulumi.Input[str]]:
+    def client_tls_key(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
         """
         return pulumi.get(self, "client_tls_key")
 
     @client_tls_key.setter
-    def client_tls_key(self, value: Optional[pulumi.Input[str]]):
+    def client_tls_key(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "client_tls_key", value)
 
     @property
     @pulumi.getter(name="connectionTimeout")
-    def connection_timeout(self) -> Optional[pulumi.Input[int]]:
+    def connection_timeout(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Timeout, in seconds, when attempting to connect to the LDAP server before trying
         the next URL in the configuration.
@@ -291,84 +312,96 @@ class SecretBackendArgs:
         return pulumi.get(self, "connection_timeout")
 
     @connection_timeout.setter
-    def connection_timeout(self, value: Optional[pulumi.Input[int]]):
+    def connection_timeout(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "connection_timeout", value)
 
     @property
     @pulumi.getter(name="defaultLeaseTtlSeconds")
-    def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
+    def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Default lease duration for secrets in seconds.
         """
         return pulumi.get(self, "default_lease_ttl_seconds")
 
     @default_lease_ttl_seconds.setter
-    def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
+    def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "default_lease_ttl_seconds", value)
 
     @property
     @pulumi.getter(name="delegatedAuthAccessors")
-    def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
         return pulumi.get(self, "delegated_auth_accessors")
 
     @delegated_auth_accessors.setter
-    def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "delegated_auth_accessors", value)
 
     @property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[str]]:
+    def description(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Human-friendly description of the mount for the Active Directory backend.
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[str]]):
+    def description(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "description", value)
 
+    @property
+    @pulumi.getter(name="disableAutomatedRotation")
+    def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
+        """
+        Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "disable_automated_rotation")
+
+    @disable_automated_rotation.setter
+    def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
+        pulumi.set(self, "disable_automated_rotation", value)
+
     @property
     @pulumi.getter(name="disableRemount")
-    def disable_remount(self) -> Optional[pulumi.Input[bool]]:
+    def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         If set, opts out of mount migration on path updates.
         """
         return pulumi.get(self, "disable_remount")
 
     @disable_remount.setter
-    def disable_remount(self, value: Optional[pulumi.Input[bool]]):
+    def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "disable_remount", value)
 
     @property
     @pulumi.getter(name="externalEntropyAccess")
-    def external_entropy_access(self) -> Optional[pulumi.Input[bool]]:
+    def external_entropy_access(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enable the secrets engine to access Vault's external entropy source
         """
         return pulumi.get(self, "external_entropy_access")
 
     @external_entropy_access.setter
-    def external_entropy_access(self, value: Optional[pulumi.Input[bool]]):
+    def external_entropy_access(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "external_entropy_access", value)
 
     @property
     @pulumi.getter(name="identityTokenKey")
-    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+    def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The key to use for signing plugin workload identity tokens
         """
         return pulumi.get(self, "identity_token_key")
 
     @identity_token_key.setter
-    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+    def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "identity_token_key", value)
 
     @property
     @pulumi.getter(name="insecureTls")
-    def insecure_tls(self) -> Optional[pulumi.Input[bool]]:
+    def insecure_tls(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Skip LDAP server SSL Certificate verification. This is not recommended for production.
         Defaults to `false`.
@@ -376,24 +409,24 @@ class SecretBackendArgs:
         return pulumi.get(self, "insecure_tls")
 
     @insecure_tls.setter
-    def insecure_tls(self, value: Optional[pulumi.Input[bool]]):
+    def insecure_tls(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "insecure_tls", value)
 
     @property
     @pulumi.getter(name="listingVisibility")
-    def listing_visibility(self) -> Optional[pulumi.Input[str]]:
+    def listing_visibility(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies whether to show this mount in the UI-specific listing endpoint
         """
         return pulumi.get(self, "listing_visibility")
 
     @listing_visibility.setter
-    def listing_visibility(self, value: Optional[pulumi.Input[str]]):
+    def listing_visibility(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "listing_visibility", value)
 
     @property
     @pulumi.getter
-    def local(self) -> Optional[pulumi.Input[bool]]:
+    def local(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Mark the secrets engine as local-only. Local engines are not replicated or removed by
         replication.Tolerance duration to use when checking the last rotation time.
@@ -401,24 +434,24 @@ class SecretBackendArgs:
         return pulumi.get(self, "local")
 
     @local.setter
-    def local(self, value: Optional[pulumi.Input[bool]]):
+    def local(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "local", value)
 
     @property
     @pulumi.getter(name="maxLeaseTtlSeconds")
-    def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
+    def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Maximum possible lease duration for secrets in seconds.
         """
         return pulumi.get(self, "max_lease_ttl_seconds")
 
     @max_lease_ttl_seconds.setter
-    def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
+    def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "max_lease_ttl_seconds", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -428,48 +461,48 @@ class SecretBackendArgs:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
     @property
     @pulumi.getter
-    def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+    def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
         """
         Specifies mount type specific options that are passed to the backend
         """
         return pulumi.get(self, "options")
 
     @options.setter
-    def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
+    def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "options", value)
 
     @property
     @pulumi.getter(name="passthroughRequestHeaders")
-    def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
         return pulumi.get(self, "passthrough_request_headers")
 
     @passthrough_request_headers.setter
-    def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "passthrough_request_headers", value)
 
     @property
     @pulumi.getter(name="passwordPolicy")
-    def password_policy(self) -> Optional[pulumi.Input[str]]:
+    def password_policy(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Name of the password policy to use to generate passwords.
         """
         return pulumi.get(self, "password_policy")
 
     @password_policy.setter
-    def password_policy(self, value: Optional[pulumi.Input[str]]):
+    def password_policy(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "password_policy", value)
 
     @property
     @pulumi.getter
-    def path(self) -> Optional[pulumi.Input[str]]:
+    def path(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The unique path this backend should be mounted at. Must
         not begin or end with a `/`. Defaults to `ldap`.
@@ -477,24 +510,24 @@ class SecretBackendArgs:
         return pulumi.get(self, "path")
 
     @path.setter
-    def path(self, value: Optional[pulumi.Input[str]]):
+    def path(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "path", value)
 
     @property
     @pulumi.getter(name="pluginVersion")
-    def plugin_version(self) -> Optional[pulumi.Input[str]]:
+    def plugin_version(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
         """
         return pulumi.get(self, "plugin_version")
 
     @plugin_version.setter
-    def plugin_version(self, value: Optional[pulumi.Input[str]]):
+    def plugin_version(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "plugin_version", value)
 
     @property
     @pulumi.getter(name="requestTimeout")
-    def request_timeout(self) -> Optional[pulumi.Input[int]]:
+    def request_timeout(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Timeout, in seconds, for the connection when making requests against the server
         before returning back an error.
@@ -502,36 +535,76 @@ class SecretBackendArgs:
         return pulumi.get(self, "request_timeout")
 
     @request_timeout.setter
-    def request_timeout(self, value: Optional[pulumi.Input[int]]):
+    def request_timeout(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "request_timeout", value)
 
+    @property
+    @pulumi.getter(name="rotationPeriod")
+    def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The amount of time in seconds Vault should wait before rotating the root credential.
+        A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_period")
+
+    @rotation_period.setter
+    def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "rotation_period", value)
+
+    @property
+    @pulumi.getter(name="rotationSchedule")
+    def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
+        defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_schedule")
+
+    @rotation_schedule.setter
+    def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "rotation_schedule", value)
+
+    @property
+    @pulumi.getter(name="rotationWindow")
+    def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The maximum amount of time in seconds allowed to complete
+        a rotation when a scheduled token rotation occurs. The default rotation window is
+        unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_window")
+
+    @rotation_window.setter
+    def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "rotation_window", value)
+
     @property
     @pulumi.getter
-    def schema(self) -> Optional[pulumi.Input[str]]:
+    def schema(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
         """
         return pulumi.get(self, "schema")
 
     @schema.setter
-    def schema(self, value: Optional[pulumi.Input[str]]):
+    def schema(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "schema", value)
 
     @property
     @pulumi.getter(name="sealWrap")
-    def seal_wrap(self) -> Optional[pulumi.Input[bool]]:
+    def seal_wrap(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
         """
         return pulumi.get(self, "seal_wrap")
 
     @seal_wrap.setter
-    def seal_wrap(self, value: Optional[pulumi.Input[bool]]):
+    def seal_wrap(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "seal_wrap", value)
 
     @property
     @pulumi.getter(name="skipStaticRoleImportRotation")
-    def skip_static_role_import_rotation(self) -> Optional[pulumi.Input[bool]]:
+    def skip_static_role_import_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         If set to true, static roles will not be rotated during import.
         Defaults to false. Requires Vault 1.16 or above.
@@ -539,36 +612,36 @@ class SecretBackendArgs:
         return pulumi.get(self, "skip_static_role_import_rotation")
 
     @skip_static_role_import_rotation.setter
-    def skip_static_role_import_rotation(self, value: Optional[pulumi.Input[bool]]):
+    def skip_static_role_import_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "skip_static_role_import_rotation", value)
 
     @property
     @pulumi.getter
-    def starttls(self) -> Optional[pulumi.Input[bool]]:
+    def starttls(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Issue a StartTLS command after establishing unencrypted connection.
         """
         return pulumi.get(self, "starttls")
 
     @starttls.setter
-    def starttls(self, value: Optional[pulumi.Input[bool]]):
+    def starttls(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "starttls", value)
 
     @property
     @pulumi.getter
-    def upndomain(self) -> Optional[pulumi.Input[str]]:
+    def upndomain(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Enables userPrincipalDomain login with [username]@UPNDomain.
         """
         return pulumi.get(self, "upndomain")
 
     @upndomain.setter
-    def upndomain(self, value: Optional[pulumi.Input[str]]):
+    def upndomain(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "upndomain", value)
 
     @property
     @pulumi.getter
-    def url(self) -> Optional[pulumi.Input[str]]:
+    def url(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         LDAP URL to connect to. Multiple URLs can be specified by concatenating
         them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
@@ -576,122 +649,134 @@ class SecretBackendArgs:
         return pulumi.get(self, "url")
 
     @url.setter
-    def url(self, value: Optional[pulumi.Input[str]]):
+    def url(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "url", value)
 
     @property
     @pulumi.getter
-    def userattr(self) -> Optional[pulumi.Input[str]]:
+    def userattr(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Attribute used when searching users. Defaults to `cn`.
         """
         return pulumi.get(self, "userattr")
 
     @userattr.setter
-    def userattr(self, value: Optional[pulumi.Input[str]]):
+    def userattr(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "userattr", value)
 
     @property
     @pulumi.getter
-    def userdn(self) -> Optional[pulumi.Input[str]]:
+    def userdn(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
         """
         return pulumi.get(self, "userdn")
 
     @userdn.setter
-    def userdn(self, value: Optional[pulumi.Input[str]]):
+    def userdn(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "userdn", value)
 
 
 @pulumi.input_type
 class _SecretBackendState:
     def __init__(__self__, *,
-                 accessor: Optional[pulumi.Input[str]] = None,
-                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 binddn: Optional[pulumi.Input[str]] = None,
-                 bindpass: Optional[pulumi.Input[str]] = None,
-                 certificate: Optional[pulumi.Input[str]] = None,
-                 client_tls_cert: Optional[pulumi.Input[str]] = None,
-                 client_tls_key: Optional[pulumi.Input[str]] = None,
-                 connection_timeout: Optional[pulumi.Input[int]] = None,
-                 default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 disable_remount: Optional[pulumi.Input[bool]] = None,
-                 external_entropy_access: Optional[pulumi.Input[bool]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 listing_visibility: Optional[pulumi.Input[str]] = None,
-                 local: Optional[pulumi.Input[bool]] = None,
-                 max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
-                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 password_policy: Optional[pulumi.Input[str]] = None,
-                 path: Optional[pulumi.Input[str]] = None,
-                 plugin_version: Optional[pulumi.Input[str]] = None,
-                 request_timeout: Optional[pulumi.Input[int]] = None,
-                 schema: Optional[pulumi.Input[str]] = None,
-                 seal_wrap: Optional[pulumi.Input[bool]] = None,
-                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
-                 starttls: Optional[pulumi.Input[bool]] = None,
-                 upndomain: Optional[pulumi.Input[str]] = None,
-                 url: Optional[pulumi.Input[str]] = None,
-                 userattr: Optional[pulumi.Input[str]] = None,
-                 userdn: Optional[pulumi.Input[str]] = None):
+                 accessor: Optional[pulumi.Input[builtins.str]] = None,
+                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 binddn: Optional[pulumi.Input[builtins.str]] = None,
+                 bindpass: Optional[pulumi.Input[builtins.str]] = None,
+                 certificate: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_cert: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_key: Optional[pulumi.Input[builtins.str]] = None,
+                 connection_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
+                 external_entropy_access: Optional[pulumi.Input[builtins.bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
+                 insecure_tls: Optional[pulumi.Input[builtins.bool]] = None,
+                 listing_visibility: Optional[pulumi.Input[builtins.str]] = None,
+                 local: Optional[pulumi.Input[builtins.bool]] = None,
+                 max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 password_policy: Optional[pulumi.Input[builtins.str]] = None,
+                 path: Optional[pulumi.Input[builtins.str]] = None,
+                 plugin_version: Optional[pulumi.Input[builtins.str]] = None,
+                 request_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_period: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
+                 rotation_window: Optional[pulumi.Input[builtins.int]] = None,
+                 schema: Optional[pulumi.Input[builtins.str]] = None,
+                 seal_wrap: Optional[pulumi.Input[builtins.bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 starttls: Optional[pulumi.Input[builtins.bool]] = None,
+                 upndomain: Optional[pulumi.Input[builtins.str]] = None,
+                 url: Optional[pulumi.Input[builtins.str]] = None,
+                 userattr: Optional[pulumi.Input[builtins.str]] = None,
+                 userdn: Optional[pulumi.Input[builtins.str]] = None):
         """
         Input properties used for looking up and filtering SecretBackend resources.
-        :param pulumi.Input[str] accessor: Accessor of the mount
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
-        :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
-        :param pulumi.Input[str] bindpass: Password to use along with binddn when performing user search.
-        :param pulumi.Input[str] certificate: CA certificate to use when verifying LDAP server certificate, must be
+        :param pulumi.Input[builtins.str] accessor: Accessor of the mount
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+        :param pulumi.Input[builtins.str] binddn: Distinguished name of object to bind when performing user and group search.
+        :param pulumi.Input[builtins.str] bindpass: Password to use along with binddn when performing user search.
+        :param pulumi.Input[builtins.str] certificate: CA certificate to use when verifying LDAP server certificate, must be
                x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
+        :param pulumi.Input[builtins.str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
-        :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
-        :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
-        :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
-        :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
+        :param pulumi.Input[builtins.int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the Active Directory backend.
+        :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[builtins.bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin workload identity tokens
+        :param pulumi.Input[builtins.bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
-        :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
+        :param pulumi.Input[builtins.str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
+        :param pulumi.Input[builtins.bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
-        :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
-        :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] password_policy: Name of the password policy to use to generate passwords.
+        :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
-        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
-        :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
+        :param pulumi.Input[builtins.str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
+        :param pulumi.Input[builtins.int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
-        :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
-        :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
-        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+        :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
+               A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
+               defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
+               a rotation when a scheduled token rotation occurs. The default rotation window is
+               unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
+        :param pulumi.Input[builtins.bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[builtins.bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
                Defaults to false. Requires Vault 1.16 or above.
-        :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
-        :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
-        :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
+        :param pulumi.Input[builtins.bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
+        :param pulumi.Input[builtins.str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
+        :param pulumi.Input[builtins.str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
                them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
-        :param pulumi.Input[str] userattr: Attribute used when searching users. Defaults to `cn`.
-        :param pulumi.Input[str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
+        :param pulumi.Input[builtins.str] userattr: Attribute used when searching users. Defaults to `cn`.
+        :param pulumi.Input[builtins.str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
         """
         if accessor is not None:
             pulumi.set(__self__, "accessor", accessor)
@@ -721,6 +806,8 @@ class _SecretBackendState:
             pulumi.set(__self__, "delegated_auth_accessors", delegated_auth_accessors)
         if description is not None:
             pulumi.set(__self__, "description", description)
+        if disable_automated_rotation is not None:
+            pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
         if external_entropy_access is not None:
@@ -749,6 +836,12 @@ class _SecretBackendState:
             pulumi.set(__self__, "plugin_version", plugin_version)
         if request_timeout is not None:
             pulumi.set(__self__, "request_timeout", request_timeout)
+        if rotation_period is not None:
+            pulumi.set(__self__, "rotation_period", rotation_period)
+        if rotation_schedule is not None:
+            pulumi.set(__self__, "rotation_schedule", rotation_schedule)
+        if rotation_window is not None:
+            pulumi.set(__self__, "rotation_window", rotation_window)
         if schema is not None:
             pulumi.set(__self__, "schema", schema)
         if seal_wrap is not None:
@@ -768,91 +861,91 @@ class _SecretBackendState:
 
     @property
     @pulumi.getter
-    def accessor(self) -> Optional[pulumi.Input[str]]:
+    def accessor(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Accessor of the mount
         """
         return pulumi.get(self, "accessor")
 
     @accessor.setter
-    def accessor(self, value: Optional[pulumi.Input[str]]):
+    def accessor(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "accessor", value)
 
     @property
     @pulumi.getter(name="allowedManagedKeys")
-    def allowed_managed_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_managed_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of managed key registry entry names that the mount in question is allowed to access
         """
         return pulumi.get(self, "allowed_managed_keys")
 
     @allowed_managed_keys.setter
-    def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_managed_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_managed_keys", value)
 
     @property
     @pulumi.getter(name="allowedResponseHeaders")
-    def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def allowed_response_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
         return pulumi.get(self, "allowed_response_headers")
 
     @allowed_response_headers.setter
-    def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def allowed_response_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "allowed_response_headers", value)
 
     @property
     @pulumi.getter(name="auditNonHmacRequestKeys")
-    def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def audit_non_hmac_request_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
         """
         return pulumi.get(self, "audit_non_hmac_request_keys")
 
     @audit_non_hmac_request_keys.setter
-    def audit_non_hmac_request_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def audit_non_hmac_request_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "audit_non_hmac_request_keys", value)
 
     @property
     @pulumi.getter(name="auditNonHmacResponseKeys")
-    def audit_non_hmac_response_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def audit_non_hmac_response_keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
         """
         return pulumi.get(self, "audit_non_hmac_response_keys")
 
     @audit_non_hmac_response_keys.setter
-    def audit_non_hmac_response_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def audit_non_hmac_response_keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "audit_non_hmac_response_keys", value)
 
     @property
     @pulumi.getter
-    def binddn(self) -> Optional[pulumi.Input[str]]:
+    def binddn(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Distinguished name of object to bind when performing user and group search.
         """
         return pulumi.get(self, "binddn")
 
     @binddn.setter
-    def binddn(self, value: Optional[pulumi.Input[str]]):
+    def binddn(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "binddn", value)
 
     @property
     @pulumi.getter
-    def bindpass(self) -> Optional[pulumi.Input[str]]:
+    def bindpass(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Password to use along with binddn when performing user search.
         """
         return pulumi.get(self, "bindpass")
 
     @bindpass.setter
-    def bindpass(self, value: Optional[pulumi.Input[str]]):
+    def bindpass(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "bindpass", value)
 
     @property
     @pulumi.getter
-    def certificate(self) -> Optional[pulumi.Input[str]]:
+    def certificate(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         CA certificate to use when verifying LDAP server certificate, must be
         x509 PEM encoded.
@@ -860,36 +953,36 @@ class _SecretBackendState:
         return pulumi.get(self, "certificate")
 
     @certificate.setter
-    def certificate(self, value: Optional[pulumi.Input[str]]):
+    def certificate(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "certificate", value)
 
     @property
     @pulumi.getter(name="clientTlsCert")
-    def client_tls_cert(self) -> Optional[pulumi.Input[str]]:
+    def client_tls_cert(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Client certificate to provide to the LDAP server, must be x509 PEM encoded.
         """
         return pulumi.get(self, "client_tls_cert")
 
     @client_tls_cert.setter
-    def client_tls_cert(self, value: Optional[pulumi.Input[str]]):
+    def client_tls_cert(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "client_tls_cert", value)
 
     @property
     @pulumi.getter(name="clientTlsKey")
-    def client_tls_key(self) -> Optional[pulumi.Input[str]]:
+    def client_tls_key(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
         """
         return pulumi.get(self, "client_tls_key")
 
     @client_tls_key.setter
-    def client_tls_key(self, value: Optional[pulumi.Input[str]]):
+    def client_tls_key(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "client_tls_key", value)
 
     @property
     @pulumi.getter(name="connectionTimeout")
-    def connection_timeout(self) -> Optional[pulumi.Input[int]]:
+    def connection_timeout(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Timeout, in seconds, when attempting to connect to the LDAP server before trying
         the next URL in the configuration.
@@ -897,84 +990,96 @@ class _SecretBackendState:
         return pulumi.get(self, "connection_timeout")
 
     @connection_timeout.setter
-    def connection_timeout(self, value: Optional[pulumi.Input[int]]):
+    def connection_timeout(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "connection_timeout", value)
 
     @property
     @pulumi.getter(name="defaultLeaseTtlSeconds")
-    def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
+    def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Default lease duration for secrets in seconds.
         """
         return pulumi.get(self, "default_lease_ttl_seconds")
 
     @default_lease_ttl_seconds.setter
-    def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
+    def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "default_lease_ttl_seconds", value)
 
     @property
     @pulumi.getter(name="delegatedAuthAccessors")
-    def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def delegated_auth_accessors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
         return pulumi.get(self, "delegated_auth_accessors")
 
     @delegated_auth_accessors.setter
-    def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def delegated_auth_accessors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "delegated_auth_accessors", value)
 
     @property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[str]]:
+    def description(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Human-friendly description of the mount for the Active Directory backend.
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[str]]):
+    def description(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "description", value)
 
+    @property
+    @pulumi.getter(name="disableAutomatedRotation")
+    def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
+        """
+        Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "disable_automated_rotation")
+
+    @disable_automated_rotation.setter
+    def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
+        pulumi.set(self, "disable_automated_rotation", value)
+
     @property
     @pulumi.getter(name="disableRemount")
-    def disable_remount(self) -> Optional[pulumi.Input[bool]]:
+    def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         If set, opts out of mount migration on path updates.
         """
         return pulumi.get(self, "disable_remount")
 
     @disable_remount.setter
-    def disable_remount(self, value: Optional[pulumi.Input[bool]]):
+    def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "disable_remount", value)
 
     @property
     @pulumi.getter(name="externalEntropyAccess")
-    def external_entropy_access(self) -> Optional[pulumi.Input[bool]]:
+    def external_entropy_access(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enable the secrets engine to access Vault's external entropy source
         """
         return pulumi.get(self, "external_entropy_access")
 
     @external_entropy_access.setter
-    def external_entropy_access(self, value: Optional[pulumi.Input[bool]]):
+    def external_entropy_access(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "external_entropy_access", value)
 
     @property
     @pulumi.getter(name="identityTokenKey")
-    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+    def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The key to use for signing plugin workload identity tokens
         """
         return pulumi.get(self, "identity_token_key")
 
     @identity_token_key.setter
-    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+    def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "identity_token_key", value)
 
     @property
     @pulumi.getter(name="insecureTls")
-    def insecure_tls(self) -> Optional[pulumi.Input[bool]]:
+    def insecure_tls(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Skip LDAP server SSL Certificate verification. This is not recommended for production.
         Defaults to `false`.
@@ -982,24 +1087,24 @@ class _SecretBackendState:
         return pulumi.get(self, "insecure_tls")
 
     @insecure_tls.setter
-    def insecure_tls(self, value: Optional[pulumi.Input[bool]]):
+    def insecure_tls(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "insecure_tls", value)
 
     @property
     @pulumi.getter(name="listingVisibility")
-    def listing_visibility(self) -> Optional[pulumi.Input[str]]:
+    def listing_visibility(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies whether to show this mount in the UI-specific listing endpoint
         """
         return pulumi.get(self, "listing_visibility")
 
     @listing_visibility.setter
-    def listing_visibility(self, value: Optional[pulumi.Input[str]]):
+    def listing_visibility(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "listing_visibility", value)
 
     @property
     @pulumi.getter
-    def local(self) -> Optional[pulumi.Input[bool]]:
+    def local(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Mark the secrets engine as local-only. Local engines are not replicated or removed by
         replication.Tolerance duration to use when checking the last rotation time.
@@ -1007,24 +1112,24 @@ class _SecretBackendState:
         return pulumi.get(self, "local")
 
     @local.setter
-    def local(self, value: Optional[pulumi.Input[bool]]):
+    def local(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "local", value)
 
     @property
     @pulumi.getter(name="maxLeaseTtlSeconds")
-    def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
+    def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Maximum possible lease duration for secrets in seconds.
         """
         return pulumi.get(self, "max_lease_ttl_seconds")
 
     @max_lease_ttl_seconds.setter
-    def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
+    def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "max_lease_ttl_seconds", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -1034,48 +1139,48 @@ class _SecretBackendState:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
     @property
     @pulumi.getter
-    def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+    def options(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
         """
         Specifies mount type specific options that are passed to the backend
         """
         return pulumi.get(self, "options")
 
     @options.setter
-    def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
+    def options(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "options", value)
 
     @property
     @pulumi.getter(name="passthroughRequestHeaders")
-    def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def passthrough_request_headers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
         return pulumi.get(self, "passthrough_request_headers")
 
     @passthrough_request_headers.setter
-    def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def passthrough_request_headers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "passthrough_request_headers", value)
 
     @property
     @pulumi.getter(name="passwordPolicy")
-    def password_policy(self) -> Optional[pulumi.Input[str]]:
+    def password_policy(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Name of the password policy to use to generate passwords.
         """
         return pulumi.get(self, "password_policy")
 
     @password_policy.setter
-    def password_policy(self, value: Optional[pulumi.Input[str]]):
+    def password_policy(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "password_policy", value)
 
     @property
     @pulumi.getter
-    def path(self) -> Optional[pulumi.Input[str]]:
+    def path(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The unique path this backend should be mounted at. Must
         not begin or end with a `/`. Defaults to `ldap`.
@@ -1083,24 +1188,24 @@ class _SecretBackendState:
         return pulumi.get(self, "path")
 
     @path.setter
-    def path(self, value: Optional[pulumi.Input[str]]):
+    def path(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "path", value)
 
     @property
     @pulumi.getter(name="pluginVersion")
-    def plugin_version(self) -> Optional[pulumi.Input[str]]:
+    def plugin_version(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
         """
         return pulumi.get(self, "plugin_version")
 
     @plugin_version.setter
-    def plugin_version(self, value: Optional[pulumi.Input[str]]):
+    def plugin_version(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "plugin_version", value)
 
     @property
     @pulumi.getter(name="requestTimeout")
-    def request_timeout(self) -> Optional[pulumi.Input[int]]:
+    def request_timeout(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Timeout, in seconds, for the connection when making requests against the server
         before returning back an error.
@@ -1108,36 +1213,76 @@ class _SecretBackendState:
         return pulumi.get(self, "request_timeout")
 
     @request_timeout.setter
-    def request_timeout(self, value: Optional[pulumi.Input[int]]):
+    def request_timeout(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "request_timeout", value)
 
+    @property
+    @pulumi.getter(name="rotationPeriod")
+    def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The amount of time in seconds Vault should wait before rotating the root credential.
+        A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_period")
+
+    @rotation_period.setter
+    def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "rotation_period", value)
+
+    @property
+    @pulumi.getter(name="rotationSchedule")
+    def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
+        defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_schedule")
+
+    @rotation_schedule.setter
+    def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "rotation_schedule", value)
+
+    @property
+    @pulumi.getter(name="rotationWindow")
+    def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The maximum amount of time in seconds allowed to complete
+        a rotation when a scheduled token rotation occurs. The default rotation window is
+        unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_window")
+
+    @rotation_window.setter
+    def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "rotation_window", value)
+
     @property
     @pulumi.getter
-    def schema(self) -> Optional[pulumi.Input[str]]:
+    def schema(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
         """
         return pulumi.get(self, "schema")
 
     @schema.setter
-    def schema(self, value: Optional[pulumi.Input[str]]):
+    def schema(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "schema", value)
 
     @property
     @pulumi.getter(name="sealWrap")
-    def seal_wrap(self) -> Optional[pulumi.Input[bool]]:
+    def seal_wrap(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
         """
         return pulumi.get(self, "seal_wrap")
 
     @seal_wrap.setter
-    def seal_wrap(self, value: Optional[pulumi.Input[bool]]):
+    def seal_wrap(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "seal_wrap", value)
 
     @property
     @pulumi.getter(name="skipStaticRoleImportRotation")
-    def skip_static_role_import_rotation(self) -> Optional[pulumi.Input[bool]]:
+    def skip_static_role_import_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         If set to true, static roles will not be rotated during import.
         Defaults to false. Requires Vault 1.16 or above.
@@ -1145,36 +1290,36 @@ class _SecretBackendState:
         return pulumi.get(self, "skip_static_role_import_rotation")
 
     @skip_static_role_import_rotation.setter
-    def skip_static_role_import_rotation(self, value: Optional[pulumi.Input[bool]]):
+    def skip_static_role_import_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "skip_static_role_import_rotation", value)
 
     @property
     @pulumi.getter
-    def starttls(self) -> Optional[pulumi.Input[bool]]:
+    def starttls(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Issue a StartTLS command after establishing unencrypted connection.
         """
         return pulumi.get(self, "starttls")
 
     @starttls.setter
-    def starttls(self, value: Optional[pulumi.Input[bool]]):
+    def starttls(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "starttls", value)
 
     @property
     @pulumi.getter
-    def upndomain(self) -> Optional[pulumi.Input[str]]:
+    def upndomain(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Enables userPrincipalDomain login with [username]@UPNDomain.
         """
         return pulumi.get(self, "upndomain")
 
     @upndomain.setter
-    def upndomain(self, value: Optional[pulumi.Input[str]]):
+    def upndomain(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "upndomain", value)
 
     @property
     @pulumi.getter
-    def url(self) -> Optional[pulumi.Input[str]]:
+    def url(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         LDAP URL to connect to. Multiple URLs can be specified by concatenating
         them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
@@ -1182,31 +1327,31 @@ class _SecretBackendState:
         return pulumi.get(self, "url")
 
     @url.setter
-    def url(self, value: Optional[pulumi.Input[str]]):
+    def url(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "url", value)
 
     @property
     @pulumi.getter
-    def userattr(self) -> Optional[pulumi.Input[str]]:
+    def userattr(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Attribute used when searching users. Defaults to `cn`.
         """
         return pulumi.get(self, "userattr")
 
     @userattr.setter
-    def userattr(self, value: Optional[pulumi.Input[str]]):
+    def userattr(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "userattr", value)
 
     @property
     @pulumi.getter
-    def userdn(self) -> Optional[pulumi.Input[str]]:
+    def userdn(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
         """
         return pulumi.get(self, "userdn")
 
     @userdn.setter
-    def userdn(self, value: Optional[pulumi.Input[str]]):
+    def userdn(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "userdn", value)
 
 
@@ -1215,41 +1360,45 @@ class SecretBackend(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 binddn: Optional[pulumi.Input[str]] = None,
-                 bindpass: Optional[pulumi.Input[str]] = None,
-                 certificate: Optional[pulumi.Input[str]] = None,
-                 client_tls_cert: Optional[pulumi.Input[str]] = None,
-                 client_tls_key: Optional[pulumi.Input[str]] = None,
-                 connection_timeout: Optional[pulumi.Input[int]] = None,
-                 default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 disable_remount: Optional[pulumi.Input[bool]] = None,
-                 external_entropy_access: Optional[pulumi.Input[bool]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 listing_visibility: Optional[pulumi.Input[str]] = None,
-                 local: Optional[pulumi.Input[bool]] = None,
-                 max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
-                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 password_policy: Optional[pulumi.Input[str]] = None,
-                 path: Optional[pulumi.Input[str]] = None,
-                 plugin_version: Optional[pulumi.Input[str]] = None,
-                 request_timeout: Optional[pulumi.Input[int]] = None,
-                 schema: Optional[pulumi.Input[str]] = None,
-                 seal_wrap: Optional[pulumi.Input[bool]] = None,
-                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
-                 starttls: Optional[pulumi.Input[bool]] = None,
-                 upndomain: Optional[pulumi.Input[str]] = None,
-                 url: Optional[pulumi.Input[str]] = None,
-                 userattr: Optional[pulumi.Input[str]] = None,
-                 userdn: Optional[pulumi.Input[str]] = None,
+                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 binddn: Optional[pulumi.Input[builtins.str]] = None,
+                 bindpass: Optional[pulumi.Input[builtins.str]] = None,
+                 certificate: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_cert: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_key: Optional[pulumi.Input[builtins.str]] = None,
+                 connection_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
+                 external_entropy_access: Optional[pulumi.Input[builtins.bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
+                 insecure_tls: Optional[pulumi.Input[builtins.bool]] = None,
+                 listing_visibility: Optional[pulumi.Input[builtins.str]] = None,
+                 local: Optional[pulumi.Input[builtins.bool]] = None,
+                 max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 password_policy: Optional[pulumi.Input[builtins.str]] = None,
+                 path: Optional[pulumi.Input[builtins.str]] = None,
+                 plugin_version: Optional[pulumi.Input[builtins.str]] = None,
+                 request_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_period: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
+                 rotation_window: Optional[pulumi.Input[builtins.int]] = None,
+                 schema: Optional[pulumi.Input[builtins.str]] = None,
+                 seal_wrap: Optional[pulumi.Input[builtins.bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 starttls: Optional[pulumi.Input[builtins.bool]] = None,
+                 upndomain: Optional[pulumi.Input[builtins.str]] = None,
+                 url: Optional[pulumi.Input[builtins.str]] = None,
+                 userattr: Optional[pulumi.Input[builtins.str]] = None,
+                 userdn: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         """
         ## Example Usage
@@ -1264,7 +1413,9 @@ class SecretBackend(pulumi.CustomResource):
             bindpass="SuperSecretPassw0rd",
             url="ldaps://localhost",
             insecure_tls=True,
-            userdn="CN=Users,DC=corp,DC=example,DC=net")
+            userdn="CN=Users,DC=corp,DC=example,DC=net",
+            rotation_schedule="0 * * * SAT",
+            rotation_window=3600)
         ```
 
         ## Import
@@ -1277,52 +1428,60 @@ class SecretBackend(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
-        :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
-        :param pulumi.Input[str] bindpass: Password to use along with binddn when performing user search.
-        :param pulumi.Input[str] certificate: CA certificate to use when verifying LDAP server certificate, must be
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+        :param pulumi.Input[builtins.str] binddn: Distinguished name of object to bind when performing user and group search.
+        :param pulumi.Input[builtins.str] bindpass: Password to use along with binddn when performing user search.
+        :param pulumi.Input[builtins.str] certificate: CA certificate to use when verifying LDAP server certificate, must be
                x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
+        :param pulumi.Input[builtins.str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
-        :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
-        :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
-        :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
-        :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
+        :param pulumi.Input[builtins.int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the Active Directory backend.
+        :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[builtins.bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin workload identity tokens
+        :param pulumi.Input[builtins.bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
-        :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
+        :param pulumi.Input[builtins.str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
+        :param pulumi.Input[builtins.bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
-        :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
-        :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] password_policy: Name of the password policy to use to generate passwords.
+        :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
-        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
-        :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
+        :param pulumi.Input[builtins.str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
+        :param pulumi.Input[builtins.int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
-        :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
-        :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
-        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+        :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
+               A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
+               defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
+               a rotation when a scheduled token rotation occurs. The default rotation window is
+               unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
+        :param pulumi.Input[builtins.bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[builtins.bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
                Defaults to false. Requires Vault 1.16 or above.
-        :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
-        :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
-        :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
+        :param pulumi.Input[builtins.bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
+        :param pulumi.Input[builtins.str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
+        :param pulumi.Input[builtins.str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
                them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
-        :param pulumi.Input[str] userattr: Attribute used when searching users. Defaults to `cn`.
-        :param pulumi.Input[str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
+        :param pulumi.Input[builtins.str] userattr: Attribute used when searching users. Defaults to `cn`.
+        :param pulumi.Input[builtins.str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
         """
         ...
     @overload
@@ -1343,7 +1502,9 @@ class SecretBackend(pulumi.CustomResource):
             bindpass="SuperSecretPassw0rd",
             url="ldaps://localhost",
             insecure_tls=True,
-            userdn="CN=Users,DC=corp,DC=example,DC=net")
+            userdn="CN=Users,DC=corp,DC=example,DC=net",
+            rotation_schedule="0 * * * SAT",
+            rotation_window=3600)
         ```
 
         ## Import
@@ -1369,41 +1530,45 @@ class SecretBackend(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 binddn: Optional[pulumi.Input[str]] = None,
-                 bindpass: Optional[pulumi.Input[str]] = None,
-                 certificate: Optional[pulumi.Input[str]] = None,
-                 client_tls_cert: Optional[pulumi.Input[str]] = None,
-                 client_tls_key: Optional[pulumi.Input[str]] = None,
-                 connection_timeout: Optional[pulumi.Input[int]] = None,
-                 default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 disable_remount: Optional[pulumi.Input[bool]] = None,
-                 external_entropy_access: Optional[pulumi.Input[bool]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 insecure_tls: Optional[pulumi.Input[bool]] = None,
-                 listing_visibility: Optional[pulumi.Input[str]] = None,
-                 local: Optional[pulumi.Input[bool]] = None,
-                 max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
-                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 password_policy: Optional[pulumi.Input[str]] = None,
-                 path: Optional[pulumi.Input[str]] = None,
-                 plugin_version: Optional[pulumi.Input[str]] = None,
-                 request_timeout: Optional[pulumi.Input[int]] = None,
-                 schema: Optional[pulumi.Input[str]] = None,
-                 seal_wrap: Optional[pulumi.Input[bool]] = None,
-                 skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
-                 starttls: Optional[pulumi.Input[bool]] = None,
-                 upndomain: Optional[pulumi.Input[str]] = None,
-                 url: Optional[pulumi.Input[str]] = None,
-                 userattr: Optional[pulumi.Input[str]] = None,
-                 userdn: Optional[pulumi.Input[str]] = None,
+                 allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 binddn: Optional[pulumi.Input[builtins.str]] = None,
+                 bindpass: Optional[pulumi.Input[builtins.str]] = None,
+                 certificate: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_cert: Optional[pulumi.Input[builtins.str]] = None,
+                 client_tls_key: Optional[pulumi.Input[builtins.str]] = None,
+                 connection_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
+                 external_entropy_access: Optional[pulumi.Input[builtins.bool]] = None,
+                 identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
+                 insecure_tls: Optional[pulumi.Input[builtins.bool]] = None,
+                 listing_visibility: Optional[pulumi.Input[builtins.str]] = None,
+                 local: Optional[pulumi.Input[builtins.bool]] = None,
+                 max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 options: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 password_policy: Optional[pulumi.Input[builtins.str]] = None,
+                 path: Optional[pulumi.Input[builtins.str]] = None,
+                 plugin_version: Optional[pulumi.Input[builtins.str]] = None,
+                 request_timeout: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_period: Optional[pulumi.Input[builtins.int]] = None,
+                 rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
+                 rotation_window: Optional[pulumi.Input[builtins.int]] = None,
+                 schema: Optional[pulumi.Input[builtins.str]] = None,
+                 seal_wrap: Optional[pulumi.Input[builtins.bool]] = None,
+                 skip_static_role_import_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+                 starttls: Optional[pulumi.Input[builtins.bool]] = None,
+                 upndomain: Optional[pulumi.Input[builtins.str]] = None,
+                 url: Optional[pulumi.Input[builtins.str]] = None,
+                 userattr: Optional[pulumi.Input[builtins.str]] = None,
+                 userdn: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -1430,6 +1595,7 @@ class SecretBackend(pulumi.CustomResource):
             __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
             __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
             __props__.__dict__["description"] = description
+            __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
             __props__.__dict__["disable_remount"] = disable_remount
             __props__.__dict__["external_entropy_access"] = external_entropy_access
             __props__.__dict__["identity_token_key"] = identity_token_key
@@ -1444,6 +1610,9 @@ class SecretBackend(pulumi.CustomResource):
             __props__.__dict__["path"] = path
             __props__.__dict__["plugin_version"] = plugin_version
             __props__.__dict__["request_timeout"] = request_timeout
+            __props__.__dict__["rotation_period"] = rotation_period
+            __props__.__dict__["rotation_schedule"] = rotation_schedule
+            __props__.__dict__["rotation_window"] = rotation_window
             __props__.__dict__["schema"] = schema
             __props__.__dict__["seal_wrap"] = seal_wrap
             __props__.__dict__["skip_static_role_import_rotation"] = skip_static_role_import_rotation
@@ -1465,42 +1634,46 @@ class SecretBackend(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            accessor: Optional[pulumi.Input[str]] = None,
-            allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            binddn: Optional[pulumi.Input[str]] = None,
-            bindpass: Optional[pulumi.Input[str]] = None,
-            certificate: Optional[pulumi.Input[str]] = None,
-            client_tls_cert: Optional[pulumi.Input[str]] = None,
-            client_tls_key: Optional[pulumi.Input[str]] = None,
-            connection_timeout: Optional[pulumi.Input[int]] = None,
-            default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-            delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            description: Optional[pulumi.Input[str]] = None,
-            disable_remount: Optional[pulumi.Input[bool]] = None,
-            external_entropy_access: Optional[pulumi.Input[bool]] = None,
-            identity_token_key: Optional[pulumi.Input[str]] = None,
-            insecure_tls: Optional[pulumi.Input[bool]] = None,
-            listing_visibility: Optional[pulumi.Input[str]] = None,
-            local: Optional[pulumi.Input[bool]] = None,
-            max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
-            namespace: Optional[pulumi.Input[str]] = None,
-            options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
-            passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            password_policy: Optional[pulumi.Input[str]] = None,
-            path: Optional[pulumi.Input[str]] = None,
-            plugin_version: Optional[pulumi.Input[str]] = None,
-            request_timeout: Optional[pulumi.Input[int]] = None,
-            schema: Optional[pulumi.Input[str]] = None,
-            seal_wrap: Optional[pulumi.Input[bool]] = None,
-            skip_static_role_import_rotation: Optional[pulumi.Input[bool]] = None,
-            starttls: Optional[pulumi.Input[bool]] = None,
-            upndomain: Optional[pulumi.Input[str]] = None,
-            url: Optional[pulumi.Input[str]] = None,
-            userattr: Optional[pulumi.Input[str]] = None,
-            userdn: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
+            accessor: Optional[pulumi.Input[builtins.str]] = None,
+            allowed_managed_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            allowed_response_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            audit_non_hmac_request_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            audit_non_hmac_response_keys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            binddn: Optional[pulumi.Input[builtins.str]] = None,
+            bindpass: Optional[pulumi.Input[builtins.str]] = None,
+            certificate: Optional[pulumi.Input[builtins.str]] = None,
+            client_tls_cert: Optional[pulumi.Input[builtins.str]] = None,
+            client_tls_key: Optional[pulumi.Input[builtins.str]] = None,
+            connection_timeout: Optional[pulumi.Input[builtins.int]] = None,
+            default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+            delegated_auth_accessors: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            description: Optional[pulumi.Input[builtins.str]] = None,
+            disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+            disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
+            external_entropy_access: Optional[pulumi.Input[builtins.bool]] = None,
+            identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
+            insecure_tls: Optional[pulumi.Input[builtins.bool]] = None,
+            listing_visibility: Optional[pulumi.Input[builtins.str]] = None,
+            local: Optional[pulumi.Input[builtins.bool]] = None,
+            max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
+            namespace: Optional[pulumi.Input[builtins.str]] = None,
+            options: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+            passthrough_request_headers: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            password_policy: Optional[pulumi.Input[builtins.str]] = None,
+            path: Optional[pulumi.Input[builtins.str]] = None,
+            plugin_version: Optional[pulumi.Input[builtins.str]] = None,
+            request_timeout: Optional[pulumi.Input[builtins.int]] = None,
+            rotation_period: Optional[pulumi.Input[builtins.int]] = None,
+            rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
+            rotation_window: Optional[pulumi.Input[builtins.int]] = None,
+            schema: Optional[pulumi.Input[builtins.str]] = None,
+            seal_wrap: Optional[pulumi.Input[builtins.bool]] = None,
+            skip_static_role_import_rotation: Optional[pulumi.Input[builtins.bool]] = None,
+            starttls: Optional[pulumi.Input[builtins.bool]] = None,
+            upndomain: Optional[pulumi.Input[builtins.str]] = None,
+            url: Optional[pulumi.Input[builtins.str]] = None,
+            userattr: Optional[pulumi.Input[builtins.str]] = None,
+            userdn: Optional[pulumi.Input[builtins.str]] = None) -> 'SecretBackend':
         """
         Get an existing SecretBackend resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -1508,53 +1681,61 @@ class SecretBackend(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] accessor: Accessor of the mount
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
-        :param pulumi.Input[str] binddn: Distinguished name of object to bind when performing user and group search.
-        :param pulumi.Input[str] bindpass: Password to use along with binddn when performing user search.
-        :param pulumi.Input[str] certificate: CA certificate to use when verifying LDAP server certificate, must be
+        :param pulumi.Input[builtins.str] accessor: Accessor of the mount
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_managed_keys: List of managed key registry entry names that the mount in question is allowed to access
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] allowed_response_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+        :param pulumi.Input[builtins.str] binddn: Distinguished name of object to bind when performing user and group search.
+        :param pulumi.Input[builtins.str] bindpass: Password to use along with binddn when performing user search.
+        :param pulumi.Input[builtins.str] certificate: CA certificate to use when verifying LDAP server certificate, must be
                x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
-        :param pulumi.Input[int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
+        :param pulumi.Input[builtins.str] client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.str] client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
+        :param pulumi.Input[builtins.int] connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying
                the next URL in the configuration.
-        :param pulumi.Input[int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the Active Directory backend.
-        :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
-        :param pulumi.Input[bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin workload identity tokens
-        :param pulumi.Input[bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
+        :param pulumi.Input[builtins.int] default_lease_ttl_seconds: Default lease duration for secrets in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] delegated_auth_accessors: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the Active Directory backend.
+        :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[builtins.bool] external_entropy_access: Enable the secrets engine to access Vault's external entropy source
+        :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin workload identity tokens
+        :param pulumi.Input[builtins.bool] insecure_tls: Skip LDAP server SSL Certificate verification. This is not recommended for production.
                Defaults to `false`.
-        :param pulumi.Input[str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
-        :param pulumi.Input[bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
+        :param pulumi.Input[builtins.str] listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint
+        :param pulumi.Input[builtins.bool] local: Mark the secrets engine as local-only. Local engines are not replicated or removed by
                replication.Tolerance duration to use when checking the last rotation time.
-        :param pulumi.Input[int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.int] max_lease_ttl_seconds: Maximum possible lease duration for secrets in seconds.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] options: Specifies mount type specific options that are passed to the backend
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
-        :param pulumi.Input[str] password_policy: Name of the password policy to use to generate passwords.
-        :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] options: Specifies mount type specific options that are passed to the backend
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] passthrough_request_headers: List of headers to allow and pass from the request to the plugin
+        :param pulumi.Input[builtins.str] password_policy: Name of the password policy to use to generate passwords.
+        :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `ldap`.
-        :param pulumi.Input[str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
-        :param pulumi.Input[int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
+        :param pulumi.Input[builtins.str] plugin_version: Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
+        :param pulumi.Input[builtins.int] request_timeout: Timeout, in seconds, for the connection when making requests against the server
                before returning back an error.
-        :param pulumi.Input[str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
-        :param pulumi.Input[bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
-        :param pulumi.Input[bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
+        :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
+               A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
+               defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
+               a rotation when a scheduled token rotation occurs. The default rotation window is
+               unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[builtins.str] schema: The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
+        :param pulumi.Input[builtins.bool] seal_wrap: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
+        :param pulumi.Input[builtins.bool] skip_static_role_import_rotation: If set to true, static roles will not be rotated during import.
                Defaults to false. Requires Vault 1.16 or above.
-        :param pulumi.Input[bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
-        :param pulumi.Input[str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
-        :param pulumi.Input[str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
+        :param pulumi.Input[builtins.bool] starttls: Issue a StartTLS command after establishing unencrypted connection.
+        :param pulumi.Input[builtins.str] upndomain: Enables userPrincipalDomain login with [username]@UPNDomain.
+        :param pulumi.Input[builtins.str] url: LDAP URL to connect to. Multiple URLs can be specified by concatenating
                them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
-        :param pulumi.Input[str] userattr: Attribute used when searching users. Defaults to `cn`.
-        :param pulumi.Input[str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
+        :param pulumi.Input[builtins.str] userattr: Attribute used when searching users. Defaults to `cn`.
+        :param pulumi.Input[builtins.str] userdn: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -1574,6 +1755,7 @@ class SecretBackend(pulumi.CustomResource):
         __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
         __props__.__dict__["delegated_auth_accessors"] = delegated_auth_accessors
         __props__.__dict__["description"] = description
+        __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
         __props__.__dict__["disable_remount"] = disable_remount
         __props__.__dict__["external_entropy_access"] = external_entropy_access
         __props__.__dict__["identity_token_key"] = identity_token_key
@@ -1588,6 +1770,9 @@ class SecretBackend(pulumi.CustomResource):
         __props__.__dict__["path"] = path
         __props__.__dict__["plugin_version"] = plugin_version
         __props__.__dict__["request_timeout"] = request_timeout
+        __props__.__dict__["rotation_period"] = rotation_period
+        __props__.__dict__["rotation_schedule"] = rotation_schedule
+        __props__.__dict__["rotation_window"] = rotation_window
         __props__.__dict__["schema"] = schema
         __props__.__dict__["seal_wrap"] = seal_wrap
         __props__.__dict__["skip_static_role_import_rotation"] = skip_static_role_import_rotation
@@ -1600,7 +1785,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def accessor(self) -> pulumi.Output[str]:
+    def accessor(self) -> pulumi.Output[builtins.str]:
         """
         Accessor of the mount
         """
@@ -1608,7 +1793,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedManagedKeys")
-    def allowed_managed_keys(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def allowed_managed_keys(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         List of managed key registry entry names that the mount in question is allowed to access
         """
@@ -1616,7 +1801,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowedResponseHeaders")
-    def allowed_response_headers(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def allowed_response_headers(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
@@ -1624,7 +1809,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="auditNonHmacRequestKeys")
-    def audit_non_hmac_request_keys(self) -> pulumi.Output[Sequence[str]]:
+    def audit_non_hmac_request_keys(self) -> pulumi.Output[Sequence[builtins.str]]:
         """
         Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
         """
@@ -1632,7 +1817,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="auditNonHmacResponseKeys")
-    def audit_non_hmac_response_keys(self) -> pulumi.Output[Sequence[str]]:
+    def audit_non_hmac_response_keys(self) -> pulumi.Output[Sequence[builtins.str]]:
         """
         Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
         """
@@ -1640,7 +1825,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def binddn(self) -> pulumi.Output[str]:
+    def binddn(self) -> pulumi.Output[builtins.str]:
         """
         Distinguished name of object to bind when performing user and group search.
         """
@@ -1648,7 +1833,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def bindpass(self) -> pulumi.Output[str]:
+    def bindpass(self) -> pulumi.Output[builtins.str]:
         """
         Password to use along with binddn when performing user search.
         """
@@ -1656,7 +1841,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def certificate(self) -> pulumi.Output[Optional[str]]:
+    def certificate(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         CA certificate to use when verifying LDAP server certificate, must be
         x509 PEM encoded.
@@ -1665,7 +1850,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="clientTlsCert")
-    def client_tls_cert(self) -> pulumi.Output[Optional[str]]:
+    def client_tls_cert(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Client certificate to provide to the LDAP server, must be x509 PEM encoded.
         """
@@ -1673,7 +1858,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="clientTlsKey")
-    def client_tls_key(self) -> pulumi.Output[Optional[str]]:
+    def client_tls_key(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
         """
@@ -1681,7 +1866,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="connectionTimeout")
-    def connection_timeout(self) -> pulumi.Output[Optional[int]]:
+    def connection_timeout(self) -> pulumi.Output[Optional[builtins.int]]:
         """
         Timeout, in seconds, when attempting to connect to the LDAP server before trying
         the next URL in the configuration.
@@ -1690,7 +1875,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="defaultLeaseTtlSeconds")
-    def default_lease_ttl_seconds(self) -> pulumi.Output[int]:
+    def default_lease_ttl_seconds(self) -> pulumi.Output[builtins.int]:
         """
         Default lease duration for secrets in seconds.
         """
@@ -1698,7 +1883,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="delegatedAuthAccessors")
-    def delegated_auth_accessors(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def delegated_auth_accessors(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
@@ -1706,15 +1891,23 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def description(self) -> pulumi.Output[Optional[str]]:
+    def description(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Human-friendly description of the mount for the Active Directory backend.
         """
         return pulumi.get(self, "description")
 
+    @property
+    @pulumi.getter(name="disableAutomatedRotation")
+    def disable_automated_rotation(self) -> pulumi.Output[Optional[builtins.bool]]:
+        """
+        Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "disable_automated_rotation")
+
     @property
     @pulumi.getter(name="disableRemount")
-    def disable_remount(self) -> pulumi.Output[Optional[bool]]:
+    def disable_remount(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         If set, opts out of mount migration on path updates.
         """
@@ -1722,7 +1915,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="externalEntropyAccess")
-    def external_entropy_access(self) -> pulumi.Output[Optional[bool]]:
+    def external_entropy_access(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Enable the secrets engine to access Vault's external entropy source
         """
@@ -1730,7 +1923,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="identityTokenKey")
-    def identity_token_key(self) -> pulumi.Output[Optional[str]]:
+    def identity_token_key(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         The key to use for signing plugin workload identity tokens
         """
@@ -1738,7 +1931,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="insecureTls")
-    def insecure_tls(self) -> pulumi.Output[Optional[bool]]:
+    def insecure_tls(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Skip LDAP server SSL Certificate verification. This is not recommended for production.
         Defaults to `false`.
@@ -1747,7 +1940,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="listingVisibility")
-    def listing_visibility(self) -> pulumi.Output[Optional[str]]:
+    def listing_visibility(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Specifies whether to show this mount in the UI-specific listing endpoint
         """
@@ -1755,7 +1948,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def local(self) -> pulumi.Output[Optional[bool]]:
+    def local(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Mark the secrets engine as local-only. Local engines are not replicated or removed by
         replication.Tolerance duration to use when checking the last rotation time.
@@ -1764,7 +1957,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="maxLeaseTtlSeconds")
-    def max_lease_ttl_seconds(self) -> pulumi.Output[int]:
+    def max_lease_ttl_seconds(self) -> pulumi.Output[builtins.int]:
         """
         Maximum possible lease duration for secrets in seconds.
         """
@@ -1772,7 +1965,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def namespace(self) -> pulumi.Output[Optional[str]]:
+    def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -1783,7 +1976,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def options(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
+    def options(self) -> pulumi.Output[Optional[Mapping[str, builtins.str]]]:
         """
         Specifies mount type specific options that are passed to the backend
         """
@@ -1791,7 +1984,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="passthroughRequestHeaders")
-    def passthrough_request_headers(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def passthrough_request_headers(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         List of headers to allow and pass from the request to the plugin
         """
@@ -1799,7 +1992,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="passwordPolicy")
-    def password_policy(self) -> pulumi.Output[Optional[str]]:
+    def password_policy(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Name of the password policy to use to generate passwords.
         """
@@ -1807,7 +2000,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def path(self) -> pulumi.Output[Optional[str]]:
+    def path(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         The unique path this backend should be mounted at. Must
         not begin or end with a `/`. Defaults to `ldap`.
@@ -1816,7 +2009,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="pluginVersion")
-    def plugin_version(self) -> pulumi.Output[Optional[str]]:
+    def plugin_version(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
         """
@@ -1824,16 +2017,44 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="requestTimeout")
-    def request_timeout(self) -> pulumi.Output[int]:
+    def request_timeout(self) -> pulumi.Output[builtins.int]:
         """
         Timeout, in seconds, for the connection when making requests against the server
         before returning back an error.
         """
         return pulumi.get(self, "request_timeout")
 
+    @property
+    @pulumi.getter(name="rotationPeriod")
+    def rotation_period(self) -> pulumi.Output[Optional[builtins.int]]:
+        """
+        The amount of time in seconds Vault should wait before rotating the root credential.
+        A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_period")
+
+    @property
+    @pulumi.getter(name="rotationSchedule")
+    def rotation_schedule(self) -> pulumi.Output[Optional[builtins.str]]:
+        """
+        The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
+        defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_schedule")
+
+    @property
+    @pulumi.getter(name="rotationWindow")
+    def rotation_window(self) -> pulumi.Output[Optional[builtins.int]]:
+        """
+        The maximum amount of time in seconds allowed to complete
+        a rotation when a scheduled token rotation occurs. The default rotation window is
+        unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        """
+        return pulumi.get(self, "rotation_window")
+
     @property
     @pulumi.getter
-    def schema(self) -> pulumi.Output[str]:
+    def schema(self) -> pulumi.Output[builtins.str]:
         """
         The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
         """
@@ -1841,7 +2062,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="sealWrap")
-    def seal_wrap(self) -> pulumi.Output[bool]:
+    def seal_wrap(self) -> pulumi.Output[builtins.bool]:
         """
         Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
         """
@@ -1849,7 +2070,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="skipStaticRoleImportRotation")
-    def skip_static_role_import_rotation(self) -> pulumi.Output[Optional[bool]]:
+    def skip_static_role_import_rotation(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         If set to true, static roles will not be rotated during import.
         Defaults to false. Requires Vault 1.16 or above.
@@ -1858,7 +2079,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def starttls(self) -> pulumi.Output[bool]:
+    def starttls(self) -> pulumi.Output[builtins.bool]:
         """
         Issue a StartTLS command after establishing unencrypted connection.
         """
@@ -1866,7 +2087,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def upndomain(self) -> pulumi.Output[str]:
+    def upndomain(self) -> pulumi.Output[builtins.str]:
         """
         Enables userPrincipalDomain login with [username]@UPNDomain.
         """
@@ -1874,7 +2095,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def url(self) -> pulumi.Output[str]:
+    def url(self) -> pulumi.Output[builtins.str]:
         """
         LDAP URL to connect to. Multiple URLs can be specified by concatenating
         them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
@@ -1883,7 +2104,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def userattr(self) -> pulumi.Output[str]:
+    def userattr(self) -> pulumi.Output[builtins.str]:
         """
         Attribute used when searching users. Defaults to `cn`.
         """
@@ -1891,7 +2112,7 @@ class SecretBackend(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def userdn(self) -> pulumi.Output[Optional[str]]:
+    def userdn(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
         """