pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl

Files changed (264)
  1. pulumi_vault/__init__.py +9 -0
  2. pulumi_vault/_inputs.py +583 -562
  3. pulumi_vault/ad/__init__.py +1 -0
  4. pulumi_vault/ad/get_access_credentials.py +20 -19
  5. pulumi_vault/ad/secret_backend.py +477 -476
  6. pulumi_vault/ad/secret_library.py +99 -98
  7. pulumi_vault/ad/secret_role.py +85 -84
  8. pulumi_vault/alicloud/__init__.py +1 -0
  9. pulumi_vault/alicloud/auth_backend_role.py +183 -182
  10. pulumi_vault/approle/__init__.py +1 -0
  11. pulumi_vault/approle/auth_backend_login.py +106 -105
  12. pulumi_vault/approle/auth_backend_role.py +239 -238
  13. pulumi_vault/approle/auth_backend_role_secret_id.py +162 -161
  14. pulumi_vault/approle/get_auth_backend_role_id.py +18 -17
  15. pulumi_vault/audit.py +85 -84
  16. pulumi_vault/audit_request_header.py +43 -42
  17. pulumi_vault/auth_backend.py +106 -105
  18. pulumi_vault/aws/__init__.py +1 -0
  19. pulumi_vault/aws/auth_backend_cert.py +71 -70
  20. pulumi_vault/aws/auth_backend_client.py +425 -200
  21. pulumi_vault/aws/auth_backend_config_identity.py +85 -84
  22. pulumi_vault/aws/auth_backend_identity_whitelist.py +57 -56
  23. pulumi_vault/aws/auth_backend_login.py +209 -208
  24. pulumi_vault/aws/auth_backend_role.py +400 -399
  25. pulumi_vault/aws/auth_backend_role_tag.py +127 -126
  26. pulumi_vault/aws/auth_backend_roletag_blacklist.py +57 -56
  27. pulumi_vault/aws/auth_backend_sts_role.py +71 -70
  28. pulumi_vault/aws/get_access_credentials.py +44 -43
  29. pulumi_vault/aws/get_static_access_credentials.py +13 -12
  30. pulumi_vault/aws/secret_backend.py +523 -306
  31. pulumi_vault/aws/secret_backend_role.py +211 -210
  32. pulumi_vault/aws/secret_backend_static_role.py +288 -70
  33. pulumi_vault/azure/__init__.py +1 -0
  34. pulumi_vault/azure/_inputs.py +21 -20
  35. pulumi_vault/azure/auth_backend_config.py +383 -130
  36. pulumi_vault/azure/auth_backend_role.py +253 -252
  37. pulumi_vault/azure/backend.py +432 -186
  38. pulumi_vault/azure/backend_role.py +188 -140
  39. pulumi_vault/azure/get_access_credentials.py +58 -57
  40. pulumi_vault/azure/outputs.py +11 -10
  41. pulumi_vault/cert_auth_backend_role.py +365 -364
  42. pulumi_vault/config/__init__.py +1 -0
  43. pulumi_vault/config/__init__.pyi +1 -0
  44. pulumi_vault/config/_inputs.py +11 -10
  45. pulumi_vault/config/outputs.py +287 -286
  46. pulumi_vault/config/ui_custom_message.py +113 -112
  47. pulumi_vault/config/vars.py +1 -0
  48. pulumi_vault/consul/__init__.py +1 -0
  49. pulumi_vault/consul/secret_backend.py +197 -196
  50. pulumi_vault/consul/secret_backend_role.py +183 -182
  51. pulumi_vault/database/__init__.py +1 -0
  52. pulumi_vault/database/_inputs.py +3857 -2200
  53. pulumi_vault/database/outputs.py +2483 -1330
  54. pulumi_vault/database/secret_backend_connection.py +333 -112
  55. pulumi_vault/database/secret_backend_role.py +169 -168
  56. pulumi_vault/database/secret_backend_static_role.py +283 -140
  57. pulumi_vault/database/secrets_mount.py +275 -266
  58. pulumi_vault/egp_policy.py +71 -70
  59. pulumi_vault/gcp/__init__.py +1 -0
  60. pulumi_vault/gcp/_inputs.py +82 -81
  61. pulumi_vault/gcp/auth_backend.py +426 -205
  62. pulumi_vault/gcp/auth_backend_role.py +281 -280
  63. pulumi_vault/gcp/get_auth_backend_role.py +70 -69
  64. pulumi_vault/gcp/outputs.py +50 -49
  65. pulumi_vault/gcp/secret_backend.py +420 -179
  66. pulumi_vault/gcp/secret_impersonated_account.py +92 -91
  67. pulumi_vault/gcp/secret_roleset.py +92 -91
  68. pulumi_vault/gcp/secret_static_account.py +92 -91
  69. pulumi_vault/generic/__init__.py +1 -0
  70. pulumi_vault/generic/endpoint.py +113 -112
  71. pulumi_vault/generic/get_secret.py +28 -27
  72. pulumi_vault/generic/secret.py +78 -77
  73. pulumi_vault/get_auth_backend.py +19 -18
  74. pulumi_vault/get_auth_backends.py +14 -13
  75. pulumi_vault/get_namespace.py +15 -14
  76. pulumi_vault/get_namespaces.py +68 -18
  77. pulumi_vault/get_nomad_access_token.py +19 -18
  78. pulumi_vault/get_policy_document.py +6 -5
  79. pulumi_vault/get_raft_autopilot_state.py +18 -17
  80. pulumi_vault/github/__init__.py +1 -0
  81. pulumi_vault/github/_inputs.py +42 -41
  82. pulumi_vault/github/auth_backend.py +232 -231
  83. pulumi_vault/github/outputs.py +26 -25
  84. pulumi_vault/github/team.py +57 -56
  85. pulumi_vault/github/user.py +57 -56
  86. pulumi_vault/identity/__init__.py +1 -0
  87. pulumi_vault/identity/entity.py +85 -84
  88. pulumi_vault/identity/entity_alias.py +71 -70
  89. pulumi_vault/identity/entity_policies.py +64 -63
  90. pulumi_vault/identity/get_entity.py +43 -42
  91. pulumi_vault/identity/get_group.py +50 -49
  92. pulumi_vault/identity/get_oidc_client_creds.py +14 -13
  93. pulumi_vault/identity/get_oidc_openid_config.py +24 -23
  94. pulumi_vault/identity/get_oidc_public_keys.py +13 -12
  95. pulumi_vault/identity/group.py +141 -140
  96. pulumi_vault/identity/group_alias.py +57 -56
  97. pulumi_vault/identity/group_member_entity_ids.py +57 -56
  98. pulumi_vault/identity/group_member_group_ids.py +57 -56
  99. pulumi_vault/identity/group_policies.py +64 -63
  100. pulumi_vault/identity/mfa_duo.py +148 -147
  101. pulumi_vault/identity/mfa_login_enforcement.py +120 -119
  102. pulumi_vault/identity/mfa_okta.py +134 -133
  103. pulumi_vault/identity/mfa_pingid.py +127 -126
  104. pulumi_vault/identity/mfa_totp.py +176 -175
  105. pulumi_vault/identity/oidc.py +29 -28
  106. pulumi_vault/identity/oidc_assignment.py +57 -56
  107. pulumi_vault/identity/oidc_client.py +127 -126
  108. pulumi_vault/identity/oidc_key.py +85 -84
  109. pulumi_vault/identity/oidc_key_allowed_client_id.py +43 -42
  110. pulumi_vault/identity/oidc_provider.py +92 -91
  111. pulumi_vault/identity/oidc_role.py +85 -84
  112. pulumi_vault/identity/oidc_scope.py +57 -56
  113. pulumi_vault/identity/outputs.py +32 -31
  114. pulumi_vault/jwt/__init__.py +1 -0
  115. pulumi_vault/jwt/_inputs.py +42 -41
  116. pulumi_vault/jwt/auth_backend.py +288 -287
  117. pulumi_vault/jwt/auth_backend_role.py +407 -406
  118. pulumi_vault/jwt/outputs.py +26 -25
  119. pulumi_vault/kmip/__init__.py +1 -0
  120. pulumi_vault/kmip/secret_backend.py +183 -182
  121. pulumi_vault/kmip/secret_role.py +295 -294
  122. pulumi_vault/kmip/secret_scope.py +57 -56
  123. pulumi_vault/kubernetes/__init__.py +1 -0
  124. pulumi_vault/kubernetes/auth_backend_config.py +141 -140
  125. pulumi_vault/kubernetes/auth_backend_role.py +225 -224
  126. pulumi_vault/kubernetes/get_auth_backend_config.py +47 -46
  127. pulumi_vault/kubernetes/get_auth_backend_role.py +70 -69
  128. pulumi_vault/kubernetes/get_service_account_token.py +38 -37
  129. pulumi_vault/kubernetes/secret_backend.py +316 -315
  130. pulumi_vault/kubernetes/secret_backend_role.py +197 -196
  131. pulumi_vault/kv/__init__.py +1 -0
  132. pulumi_vault/kv/_inputs.py +21 -20
  133. pulumi_vault/kv/get_secret.py +17 -16
  134. pulumi_vault/kv/get_secret_subkeys_v2.py +30 -29
  135. pulumi_vault/kv/get_secret_v2.py +29 -28
  136. pulumi_vault/kv/get_secrets_list.py +13 -12
  137. pulumi_vault/kv/get_secrets_list_v2.py +19 -18
  138. pulumi_vault/kv/outputs.py +13 -12
  139. pulumi_vault/kv/secret.py +50 -49
  140. pulumi_vault/kv/secret_backend_v2.py +71 -70
  141. pulumi_vault/kv/secret_v2.py +134 -133
  142. pulumi_vault/ldap/__init__.py +1 -0
  143. pulumi_vault/ldap/auth_backend.py +754 -533
  144. pulumi_vault/ldap/auth_backend_group.py +57 -56
  145. pulumi_vault/ldap/auth_backend_user.py +71 -70
  146. pulumi_vault/ldap/get_dynamic_credentials.py +17 -16
  147. pulumi_vault/ldap/get_static_credentials.py +18 -17
  148. pulumi_vault/ldap/secret_backend.py +720 -499
  149. pulumi_vault/ldap/secret_backend_dynamic_role.py +127 -126
  150. pulumi_vault/ldap/secret_backend_library_set.py +99 -98
  151. pulumi_vault/ldap/secret_backend_static_role.py +99 -98
  152. pulumi_vault/managed/__init__.py +1 -0
  153. pulumi_vault/managed/_inputs.py +229 -228
  154. pulumi_vault/managed/keys.py +15 -14
  155. pulumi_vault/managed/outputs.py +139 -138
  156. pulumi_vault/mfa_duo.py +113 -112
  157. pulumi_vault/mfa_okta.py +113 -112
  158. pulumi_vault/mfa_pingid.py +120 -119
  159. pulumi_vault/mfa_totp.py +127 -126
  160. pulumi_vault/mongodbatlas/__init__.py +1 -0
  161. pulumi_vault/mongodbatlas/secret_backend.py +64 -63
  162. pulumi_vault/mongodbatlas/secret_role.py +155 -154
  163. pulumi_vault/mount.py +274 -273
  164. pulumi_vault/namespace.py +64 -63
  165. pulumi_vault/nomad_secret_backend.py +211 -210
  166. pulumi_vault/nomad_secret_role.py +85 -84
  167. pulumi_vault/okta/__init__.py +1 -0
  168. pulumi_vault/okta/_inputs.py +26 -25
  169. pulumi_vault/okta/auth_backend.py +274 -273
  170. pulumi_vault/okta/auth_backend_group.py +57 -56
  171. pulumi_vault/okta/auth_backend_user.py +71 -70
  172. pulumi_vault/okta/outputs.py +16 -15
  173. pulumi_vault/outputs.py +73 -60
  174. pulumi_vault/password_policy.py +43 -42
  175. pulumi_vault/pkisecret/__init__.py +3 -0
  176. pulumi_vault/pkisecret/_inputs.py +31 -36
  177. pulumi_vault/pkisecret/backend_acme_eab.py +92 -91
  178. pulumi_vault/pkisecret/backend_config_acme.py +174 -126
  179. pulumi_vault/pkisecret/backend_config_auto_tidy.py +1377 -0
  180. pulumi_vault/pkisecret/backend_config_cluster.py +57 -56
  181. pulumi_vault/pkisecret/backend_config_cmpv2.py +152 -104
  182. pulumi_vault/pkisecret/backend_config_est.py +120 -119
  183. pulumi_vault/pkisecret/get_backend_cert_metadata.py +278 -0
  184. pulumi_vault/pkisecret/get_backend_config_cmpv2.py +35 -17
  185. pulumi_vault/pkisecret/get_backend_config_est.py +19 -18
  186. pulumi_vault/pkisecret/get_backend_issuer.py +139 -25
  187. pulumi_vault/pkisecret/get_backend_issuers.py +15 -14
  188. pulumi_vault/pkisecret/get_backend_key.py +20 -19
  189. pulumi_vault/pkisecret/get_backend_keys.py +15 -14
  190. pulumi_vault/pkisecret/outputs.py +28 -31
  191. pulumi_vault/pkisecret/secret_backend_cert.py +439 -297
  192. pulumi_vault/pkisecret/secret_backend_config_ca.py +43 -42
  193. pulumi_vault/pkisecret/secret_backend_config_issuers.py +57 -56
  194. pulumi_vault/pkisecret/secret_backend_config_urls.py +85 -84
  195. pulumi_vault/pkisecret/secret_backend_crl_config.py +237 -182
  196. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +520 -378
  197. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +57 -56
  198. pulumi_vault/pkisecret/secret_backend_issuer.py +441 -175
  199. pulumi_vault/pkisecret/secret_backend_key.py +120 -119
  200. pulumi_vault/pkisecret/secret_backend_role.py +894 -644
  201. pulumi_vault/pkisecret/secret_backend_root_cert.py +851 -427
  202. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +936 -357
  203. pulumi_vault/pkisecret/secret_backend_sign.py +347 -252
  204. pulumi_vault/plugin.py +127 -126
  205. pulumi_vault/plugin_pinned_version.py +43 -42
  206. pulumi_vault/policy.py +43 -42
  207. pulumi_vault/provider.py +120 -119
  208. pulumi_vault/pulumi-plugin.json +1 -1
  209. pulumi_vault/quota_lease_count.py +85 -84
  210. pulumi_vault/quota_rate_limit.py +113 -112
  211. pulumi_vault/rabbitmq/__init__.py +1 -0
  212. pulumi_vault/rabbitmq/_inputs.py +41 -40
  213. pulumi_vault/rabbitmq/outputs.py +25 -24
  214. pulumi_vault/rabbitmq/secret_backend.py +169 -168
  215. pulumi_vault/rabbitmq/secret_backend_role.py +57 -56
  216. pulumi_vault/raft_autopilot.py +113 -112
  217. pulumi_vault/raft_snapshot_agent_config.py +393 -392
  218. pulumi_vault/rgp_policy.py +57 -56
  219. pulumi_vault/saml/__init__.py +1 -0
  220. pulumi_vault/saml/auth_backend.py +155 -154
  221. pulumi_vault/saml/auth_backend_role.py +239 -238
  222. pulumi_vault/secrets/__init__.py +1 -0
  223. pulumi_vault/secrets/_inputs.py +16 -15
  224. pulumi_vault/secrets/outputs.py +10 -9
  225. pulumi_vault/secrets/sync_association.py +71 -70
  226. pulumi_vault/secrets/sync_aws_destination.py +148 -147
  227. pulumi_vault/secrets/sync_azure_destination.py +148 -147
  228. pulumi_vault/secrets/sync_config.py +43 -42
  229. pulumi_vault/secrets/sync_gcp_destination.py +106 -105
  230. pulumi_vault/secrets/sync_gh_destination.py +134 -133
  231. pulumi_vault/secrets/sync_github_apps.py +64 -63
  232. pulumi_vault/secrets/sync_vercel_destination.py +120 -119
  233. pulumi_vault/ssh/__init__.py +2 -0
  234. pulumi_vault/ssh/_inputs.py +11 -10
  235. pulumi_vault/ssh/get_secret_backend_sign.py +295 -0
  236. pulumi_vault/ssh/outputs.py +7 -6
  237. pulumi_vault/ssh/secret_backend_ca.py +99 -98
  238. pulumi_vault/ssh/secret_backend_role.py +365 -364
  239. pulumi_vault/terraformcloud/__init__.py +1 -0
  240. pulumi_vault/terraformcloud/secret_backend.py +111 -110
  241. pulumi_vault/terraformcloud/secret_creds.py +74 -73
  242. pulumi_vault/terraformcloud/secret_role.py +96 -95
  243. pulumi_vault/token.py +246 -245
  244. pulumi_vault/tokenauth/__init__.py +1 -0
  245. pulumi_vault/tokenauth/auth_backend_role.py +267 -266
  246. pulumi_vault/transform/__init__.py +1 -0
  247. pulumi_vault/transform/alphabet.py +57 -56
  248. pulumi_vault/transform/get_decode.py +47 -46
  249. pulumi_vault/transform/get_encode.py +47 -46
  250. pulumi_vault/transform/role.py +57 -56
  251. pulumi_vault/transform/template.py +113 -112
  252. pulumi_vault/transform/transformation.py +141 -140
  253. pulumi_vault/transit/__init__.py +3 -0
  254. pulumi_vault/transit/get_decrypt.py +18 -17
  255. pulumi_vault/transit/get_encrypt.py +21 -20
  256. pulumi_vault/transit/get_sign.py +325 -0
  257. pulumi_vault/transit/get_verify.py +355 -0
  258. pulumi_vault/transit/secret_backend_key.py +394 -231
  259. pulumi_vault/transit/secret_cache_config.py +43 -42
  260. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/METADATA +2 -2
  261. pulumi_vault-6.7.0.dist-info/RECORD +265 -0
  262. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/WHEEL +1 -1
  263. pulumi_vault-6.6.0a1741415971.dist-info/RECORD +0 -260
  264. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/top_level.txt +0 -0
@@ -2,6 +2,7 @@
2
2
  # *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
3
3
  # *** Do not edit by hand unless you're certain you know what you are doing! ***
4
4
 
5
+ import builtins
5
6
  import copy
6
7
  import warnings
7
8
  import sys
@@ -19,52 +20,64 @@ __all__ = ['AuthBackendClientArgs', 'AuthBackendClient']
19
20
  @pulumi.input_type
20
21
  class AuthBackendClientArgs:
21
22
  def __init__(__self__, *,
22
- access_key: Optional[pulumi.Input[str]] = None,
23
- backend: Optional[pulumi.Input[str]] = None,
24
- ec2_endpoint: Optional[pulumi.Input[str]] = None,
25
- iam_endpoint: Optional[pulumi.Input[str]] = None,
26
- iam_server_id_header_value: Optional[pulumi.Input[str]] = None,
27
- identity_token_audience: Optional[pulumi.Input[str]] = None,
28
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
29
- max_retries: Optional[pulumi.Input[int]] = None,
30
- namespace: Optional[pulumi.Input[str]] = None,
31
- role_arn: Optional[pulumi.Input[str]] = None,
32
- secret_key: Optional[pulumi.Input[str]] = None,
33
- sts_endpoint: Optional[pulumi.Input[str]] = None,
34
- sts_region: Optional[pulumi.Input[str]] = None,
35
- use_sts_region_from_client: Optional[pulumi.Input[bool]] = None):
23
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
24
+ backend: Optional[pulumi.Input[builtins.str]] = None,
25
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
26
+ ec2_endpoint: Optional[pulumi.Input[builtins.str]] = None,
27
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
28
+ iam_server_id_header_value: Optional[pulumi.Input[builtins.str]] = None,
29
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
30
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
31
+ max_retries: Optional[pulumi.Input[builtins.int]] = None,
32
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
33
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
34
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
35
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
36
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
37
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
38
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
39
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
40
+ use_sts_region_from_client: Optional[pulumi.Input[builtins.bool]] = None):
36
41
  """
37
42
  The set of arguments for constructing a AuthBackendClient resource.
38
- :param pulumi.Input[str] access_key: The AWS access key that Vault should use for the
43
+ :param pulumi.Input[builtins.str] access_key: The AWS access key that Vault should use for the
39
44
  auth backend. Mutually exclusive with `identity_token_audience`.
40
- :param pulumi.Input[str] backend: The path the AWS auth backend being configured was
45
+ :param pulumi.Input[builtins.str] backend: The path the AWS auth backend being configured was
41
46
  mounted at. Defaults to `aws`.
42
- :param pulumi.Input[str] ec2_endpoint: Override the URL Vault uses when making EC2 API
47
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
48
+ :param pulumi.Input[builtins.str] ec2_endpoint: Override the URL Vault uses when making EC2 API
43
49
  calls.
44
- :param pulumi.Input[str] iam_endpoint: Override the URL Vault uses when making IAM API
50
+ :param pulumi.Input[builtins.str] iam_endpoint: Override the URL Vault uses when making IAM API
45
51
  calls.
46
- :param pulumi.Input[str] iam_server_id_header_value: The value to require in the
52
+ :param pulumi.Input[builtins.str] iam_server_id_header_value: The value to require in the
47
53
  `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
48
54
  that are used in the IAM auth method.
49
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
55
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
50
56
  Requires Vault 1.17+. *Available only for Vault Enterprise*
51
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
57
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
52
58
  *Available only for Vault Enterprise*
53
- :param pulumi.Input[int] max_retries: Number of max retries the client should use for recoverable errors.
59
+ :param pulumi.Input[builtins.int] max_retries: Number of max retries the client should use for recoverable errors.
54
60
  The default `-1` falls back to the AWS SDK's default behavior.
55
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
61
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
56
62
  The value should not contain leading or trailing forward slashes.
57
63
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
58
64
  *Available only for Vault Enterprise*.
59
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
65
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
60
66
  *Available only for Vault Enterprise*
61
- :param pulumi.Input[str] secret_key: The AWS secret key that Vault should use for the
67
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
68
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
69
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
70
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
71
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
72
+ a rotation when a scheduled token rotation occurs. The default rotation window is
73
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
74
+ :param pulumi.Input[builtins.str] secret_key: The AWS secret key that Vault should use for the
62
75
  auth backend.
63
- :param pulumi.Input[str] sts_endpoint: Override the URL Vault uses when making STS API
76
+ :param pulumi.Input[builtins.str] sts_endpoint: Override the URL Vault uses when making STS API
64
77
  calls.
65
- :param pulumi.Input[str] sts_region: Override the default region when making STS API
78
+ :param pulumi.Input[builtins.str] sts_region: Override the default region when making STS API
66
79
  calls. The `sts_endpoint` argument must be set when using `sts_region`.
67
- :param pulumi.Input[bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
80
+ :param pulumi.Input[builtins.bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
68
81
  overrides both `sts_endpoint` and `sts_region` to instead use the region
69
82
  specified in the client request headers for IAM-based authentication.
70
83
  This can be useful when you have client requests coming from different
@@ -74,6 +87,8 @@ class AuthBackendClientArgs:
74
87
  pulumi.set(__self__, "access_key", access_key)
75
88
  if backend is not None:
76
89
  pulumi.set(__self__, "backend", backend)
90
+ if disable_automated_rotation is not None:
91
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
77
92
  if ec2_endpoint is not None:
78
93
  pulumi.set(__self__, "ec2_endpoint", ec2_endpoint)
79
94
  if iam_endpoint is not None:
@@ -90,6 +105,12 @@ class AuthBackendClientArgs:
90
105
  pulumi.set(__self__, "namespace", namespace)
91
106
  if role_arn is not None:
92
107
  pulumi.set(__self__, "role_arn", role_arn)
108
+ if rotation_period is not None:
109
+ pulumi.set(__self__, "rotation_period", rotation_period)
110
+ if rotation_schedule is not None:
111
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
112
+ if rotation_window is not None:
113
+ pulumi.set(__self__, "rotation_window", rotation_window)
93
114
  if secret_key is not None:
94
115
  pulumi.set(__self__, "secret_key", secret_key)
95
116
  if sts_endpoint is not None:
@@ -101,7 +122,7 @@ class AuthBackendClientArgs:
101
122
 
102
123
  @property
103
124
  @pulumi.getter(name="accessKey")
104
- def access_key(self) -> Optional[pulumi.Input[str]]:
125
+ def access_key(self) -> Optional[pulumi.Input[builtins.str]]:
105
126
  """
106
127
  The AWS access key that Vault should use for the
107
128
  auth backend. Mutually exclusive with `identity_token_audience`.
@@ -109,12 +130,12 @@ class AuthBackendClientArgs:
109
130
  return pulumi.get(self, "access_key")
110
131
 
111
132
  @access_key.setter
112
- def access_key(self, value: Optional[pulumi.Input[str]]):
133
+ def access_key(self, value: Optional[pulumi.Input[builtins.str]]):
113
134
  pulumi.set(self, "access_key", value)
114
135
 
115
136
  @property
116
137
  @pulumi.getter
117
- def backend(self) -> Optional[pulumi.Input[str]]:
138
+ def backend(self) -> Optional[pulumi.Input[builtins.str]]:
118
139
  """
119
140
  The path the AWS auth backend being configured was
120
141
  mounted at. Defaults to `aws`.
@@ -122,12 +143,24 @@ class AuthBackendClientArgs:
122
143
  return pulumi.get(self, "backend")
123
144
 
124
145
  @backend.setter
125
- def backend(self, value: Optional[pulumi.Input[str]]):
146
+ def backend(self, value: Optional[pulumi.Input[builtins.str]]):
126
147
  pulumi.set(self, "backend", value)
127
148
 
149
+ @property
150
+ @pulumi.getter(name="disableAutomatedRotation")
151
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
152
+ """
153
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
154
+ """
155
+ return pulumi.get(self, "disable_automated_rotation")
156
+
157
+ @disable_automated_rotation.setter
158
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
159
+ pulumi.set(self, "disable_automated_rotation", value)
160
+
128
161
  @property
129
162
  @pulumi.getter(name="ec2Endpoint")
130
- def ec2_endpoint(self) -> Optional[pulumi.Input[str]]:
163
+ def ec2_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
131
164
  """
132
165
  Override the URL Vault uses when making EC2 API
133
166
  calls.
@@ -135,12 +168,12 @@ class AuthBackendClientArgs:
135
168
  return pulumi.get(self, "ec2_endpoint")
136
169
 
137
170
  @ec2_endpoint.setter
138
- def ec2_endpoint(self, value: Optional[pulumi.Input[str]]):
171
+ def ec2_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
139
172
  pulumi.set(self, "ec2_endpoint", value)
140
173
 
141
174
  @property
142
175
  @pulumi.getter(name="iamEndpoint")
143
- def iam_endpoint(self) -> Optional[pulumi.Input[str]]:
176
+ def iam_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
144
177
  """
145
178
  Override the URL Vault uses when making IAM API
146
179
  calls.
@@ -148,12 +181,12 @@ class AuthBackendClientArgs:
148
181
  return pulumi.get(self, "iam_endpoint")
149
182
 
150
183
  @iam_endpoint.setter
151
- def iam_endpoint(self, value: Optional[pulumi.Input[str]]):
184
+ def iam_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
152
185
  pulumi.set(self, "iam_endpoint", value)
153
186
 
154
187
  @property
155
188
  @pulumi.getter(name="iamServerIdHeaderValue")
156
- def iam_server_id_header_value(self) -> Optional[pulumi.Input[str]]:
189
+ def iam_server_id_header_value(self) -> Optional[pulumi.Input[builtins.str]]:
157
190
  """
158
191
  The value to require in the
159
192
  `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
@@ -162,12 +195,12 @@ class AuthBackendClientArgs:
162
195
  return pulumi.get(self, "iam_server_id_header_value")
163
196
 
164
197
  @iam_server_id_header_value.setter
165
- def iam_server_id_header_value(self, value: Optional[pulumi.Input[str]]):
198
+ def iam_server_id_header_value(self, value: Optional[pulumi.Input[builtins.str]]):
166
199
  pulumi.set(self, "iam_server_id_header_value", value)
167
200
 
168
201
  @property
169
202
  @pulumi.getter(name="identityTokenAudience")
170
- def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
203
+ def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
171
204
  """
172
205
  The audience claim value. Mutually exclusive with `access_key`.
173
206
  Requires Vault 1.17+. *Available only for Vault Enterprise*
@@ -175,12 +208,12 @@ class AuthBackendClientArgs:
175
208
  return pulumi.get(self, "identity_token_audience")
176
209
 
177
210
  @identity_token_audience.setter
178
- def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
211
+ def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
179
212
  pulumi.set(self, "identity_token_audience", value)
180
213
 
181
214
  @property
182
215
  @pulumi.getter(name="identityTokenTtl")
183
- def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
216
+ def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
184
217
  """
185
218
  The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
186
219
  *Available only for Vault Enterprise*
@@ -188,12 +221,12 @@ class AuthBackendClientArgs:
188
221
  return pulumi.get(self, "identity_token_ttl")
189
222
 
190
223
  @identity_token_ttl.setter
191
- def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
224
+ def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
192
225
  pulumi.set(self, "identity_token_ttl", value)
193
226
 
194
227
  @property
195
228
  @pulumi.getter(name="maxRetries")
196
- def max_retries(self) -> Optional[pulumi.Input[int]]:
229
+ def max_retries(self) -> Optional[pulumi.Input[builtins.int]]:
197
230
  """
198
231
  Number of max retries the client should use for recoverable errors.
199
232
  The default `-1` falls back to the AWS SDK's default behavior.
@@ -201,12 +234,12 @@ class AuthBackendClientArgs:
201
234
  return pulumi.get(self, "max_retries")
202
235
 
203
236
  @max_retries.setter
204
- def max_retries(self, value: Optional[pulumi.Input[int]]):
237
+ def max_retries(self, value: Optional[pulumi.Input[builtins.int]]):
205
238
  pulumi.set(self, "max_retries", value)
206
239
 
207
240
  @property
208
241
  @pulumi.getter
209
- def namespace(self) -> Optional[pulumi.Input[str]]:
242
+ def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
210
243
  """
211
244
  The namespace to provision the resource in.
212
245
  The value should not contain leading or trailing forward slashes.
@@ -216,12 +249,12 @@ class AuthBackendClientArgs:
216
249
  return pulumi.get(self, "namespace")
217
250
 
218
251
  @namespace.setter
219
- def namespace(self, value: Optional[pulumi.Input[str]]):
252
+ def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
220
253
  pulumi.set(self, "namespace", value)
221
254
 
222
255
  @property
223
256
  @pulumi.getter(name="roleArn")
224
- def role_arn(self) -> Optional[pulumi.Input[str]]:
257
+ def role_arn(self) -> Optional[pulumi.Input[builtins.str]]:
225
258
  """
226
259
  Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
227
260
  *Available only for Vault Enterprise*
@@ -229,12 +262,52 @@ class AuthBackendClientArgs:
229
262
  return pulumi.get(self, "role_arn")
230
263
 
231
264
  @role_arn.setter
232
- def role_arn(self, value: Optional[pulumi.Input[str]]):
265
+ def role_arn(self, value: Optional[pulumi.Input[builtins.str]]):
233
266
  pulumi.set(self, "role_arn", value)
234
267
 
268
+ @property
269
+ @pulumi.getter(name="rotationPeriod")
270
+ def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
271
+ """
272
+ The amount of time in seconds Vault should wait before rotating the root credential.
273
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
274
+ """
275
+ return pulumi.get(self, "rotation_period")
276
+
277
+ @rotation_period.setter
278
+ def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
279
+ pulumi.set(self, "rotation_period", value)
280
+
281
+ @property
282
+ @pulumi.getter(name="rotationSchedule")
283
+ def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
284
+ """
285
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
286
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
287
+ """
288
+ return pulumi.get(self, "rotation_schedule")
289
+
290
+ @rotation_schedule.setter
291
+ def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
292
+ pulumi.set(self, "rotation_schedule", value)
293
+
294
+ @property
295
+ @pulumi.getter(name="rotationWindow")
296
+ def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
297
+ """
298
+ The maximum amount of time in seconds allowed to complete
299
+ a rotation when a scheduled token rotation occurs. The default rotation window is
300
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
301
+ """
302
+ return pulumi.get(self, "rotation_window")
303
+
304
+ @rotation_window.setter
305
+ def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
306
+ pulumi.set(self, "rotation_window", value)
307
+
235
308
  @property
236
309
  @pulumi.getter(name="secretKey")
237
- def secret_key(self) -> Optional[pulumi.Input[str]]:
310
+ def secret_key(self) -> Optional[pulumi.Input[builtins.str]]:
238
311
  """
239
312
  The AWS secret key that Vault should use for the
240
313
  auth backend.
@@ -242,12 +315,12 @@ class AuthBackendClientArgs:
242
315
  return pulumi.get(self, "secret_key")
243
316
 
244
317
  @secret_key.setter
245
- def secret_key(self, value: Optional[pulumi.Input[str]]):
318
+ def secret_key(self, value: Optional[pulumi.Input[builtins.str]]):
246
319
  pulumi.set(self, "secret_key", value)
247
320
 
248
321
  @property
249
322
  @pulumi.getter(name="stsEndpoint")
250
- def sts_endpoint(self) -> Optional[pulumi.Input[str]]:
323
+ def sts_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
251
324
  """
252
325
  Override the URL Vault uses when making STS API
253
326
  calls.
@@ -255,12 +328,12 @@ class AuthBackendClientArgs:
255
328
  return pulumi.get(self, "sts_endpoint")
256
329
 
257
330
  @sts_endpoint.setter
258
- def sts_endpoint(self, value: Optional[pulumi.Input[str]]):
331
+ def sts_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
259
332
  pulumi.set(self, "sts_endpoint", value)
260
333
 
261
334
  @property
262
335
  @pulumi.getter(name="stsRegion")
263
- def sts_region(self) -> Optional[pulumi.Input[str]]:
336
+ def sts_region(self) -> Optional[pulumi.Input[builtins.str]]:
264
337
  """
265
338
  Override the default region when making STS API
266
339
  calls. The `sts_endpoint` argument must be set when using `sts_region`.
@@ -268,12 +341,12 @@ class AuthBackendClientArgs:
268
341
  return pulumi.get(self, "sts_region")
269
342
 
270
343
  @sts_region.setter
271
- def sts_region(self, value: Optional[pulumi.Input[str]]):
344
+ def sts_region(self, value: Optional[pulumi.Input[builtins.str]]):
272
345
  pulumi.set(self, "sts_region", value)
273
346
 
274
347
  @property
275
348
  @pulumi.getter(name="useStsRegionFromClient")
276
- def use_sts_region_from_client(self) -> Optional[pulumi.Input[bool]]:
349
+ def use_sts_region_from_client(self) -> Optional[pulumi.Input[builtins.bool]]:
277
350
  """
278
351
  Available in Vault v1.15+. If set,
279
352
  overrides both `sts_endpoint` and `sts_region` to instead use the region
@@ -284,59 +357,71 @@ class AuthBackendClientArgs:
284
357
  return pulumi.get(self, "use_sts_region_from_client")
285
358
 
286
359
  @use_sts_region_from_client.setter
287
- def use_sts_region_from_client(self, value: Optional[pulumi.Input[bool]]):
360
+ def use_sts_region_from_client(self, value: Optional[pulumi.Input[builtins.bool]]):
288
361
  pulumi.set(self, "use_sts_region_from_client", value)
289
362
 
290
363
 
291
364
  @pulumi.input_type
292
365
  class _AuthBackendClientState:
293
366
  def __init__(__self__, *,
294
- access_key: Optional[pulumi.Input[str]] = None,
295
- backend: Optional[pulumi.Input[str]] = None,
296
- ec2_endpoint: Optional[pulumi.Input[str]] = None,
297
- iam_endpoint: Optional[pulumi.Input[str]] = None,
298
- iam_server_id_header_value: Optional[pulumi.Input[str]] = None,
299
- identity_token_audience: Optional[pulumi.Input[str]] = None,
300
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
301
- max_retries: Optional[pulumi.Input[int]] = None,
302
- namespace: Optional[pulumi.Input[str]] = None,
303
- role_arn: Optional[pulumi.Input[str]] = None,
304
- secret_key: Optional[pulumi.Input[str]] = None,
305
- sts_endpoint: Optional[pulumi.Input[str]] = None,
306
- sts_region: Optional[pulumi.Input[str]] = None,
307
- use_sts_region_from_client: Optional[pulumi.Input[bool]] = None):
367
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
368
+ backend: Optional[pulumi.Input[builtins.str]] = None,
369
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
370
+ ec2_endpoint: Optional[pulumi.Input[builtins.str]] = None,
371
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
372
+ iam_server_id_header_value: Optional[pulumi.Input[builtins.str]] = None,
373
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
374
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
375
+ max_retries: Optional[pulumi.Input[builtins.int]] = None,
376
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
377
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
378
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
379
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
380
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
381
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
382
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
383
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
384
+ use_sts_region_from_client: Optional[pulumi.Input[builtins.bool]] = None):
308
385
  """
309
386
  Input properties used for looking up and filtering AuthBackendClient resources.
310
- :param pulumi.Input[str] access_key: The AWS access key that Vault should use for the
387
+ :param pulumi.Input[builtins.str] access_key: The AWS access key that Vault should use for the
311
388
  auth backend. Mutually exclusive with `identity_token_audience`.
312
- :param pulumi.Input[str] backend: The path the AWS auth backend being configured was
389
+ :param pulumi.Input[builtins.str] backend: The path the AWS auth backend being configured was
313
390
  mounted at. Defaults to `aws`.
314
- :param pulumi.Input[str] ec2_endpoint: Override the URL Vault uses when making EC2 API
391
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
392
+ :param pulumi.Input[builtins.str] ec2_endpoint: Override the URL Vault uses when making EC2 API
315
393
  calls.
316
- :param pulumi.Input[str] iam_endpoint: Override the URL Vault uses when making IAM API
394
+ :param pulumi.Input[builtins.str] iam_endpoint: Override the URL Vault uses when making IAM API
317
395
  calls.
318
- :param pulumi.Input[str] iam_server_id_header_value: The value to require in the
396
+ :param pulumi.Input[builtins.str] iam_server_id_header_value: The value to require in the
319
397
  `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
320
398
  that are used in the IAM auth method.
321
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
399
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
322
400
  Requires Vault 1.17+. *Available only for Vault Enterprise*
323
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
401
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
324
402
  *Available only for Vault Enterprise*
325
- :param pulumi.Input[int] max_retries: Number of max retries the client should use for recoverable errors.
403
+ :param pulumi.Input[builtins.int] max_retries: Number of max retries the client should use for recoverable errors.
326
404
  The default `-1` falls back to the AWS SDK's default behavior.
327
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
405
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
328
406
  The value should not contain leading or trailing forward slashes.
329
407
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
330
408
  *Available only for Vault Enterprise*.
331
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
409
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
332
410
  *Available only for Vault Enterprise*
333
- :param pulumi.Input[str] secret_key: The AWS secret key that Vault should use for the
411
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
412
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
413
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
414
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
415
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
416
+ a rotation when a scheduled token rotation occurs. The default rotation window is
417
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
418
+ :param pulumi.Input[builtins.str] secret_key: The AWS secret key that Vault should use for the
334
419
  auth backend.
335
- :param pulumi.Input[str] sts_endpoint: Override the URL Vault uses when making STS API
420
+ :param pulumi.Input[builtins.str] sts_endpoint: Override the URL Vault uses when making STS API
336
421
  calls.
337
- :param pulumi.Input[str] sts_region: Override the default region when making STS API
422
+ :param pulumi.Input[builtins.str] sts_region: Override the default region when making STS API
338
423
  calls. The `sts_endpoint` argument must be set when using `sts_region`.
339
- :param pulumi.Input[bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
424
+ :param pulumi.Input[builtins.bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
340
425
  overrides both `sts_endpoint` and `sts_region` to instead use the region
341
426
  specified in the client request headers for IAM-based authentication.
342
427
  This can be useful when you have client requests coming from different
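Review bot: The new `rotation_period`, `rotation_schedule` and `rotation_window` entries in the `_AuthBackendClientState.__init__` docstring do not say how the three settings relate, although the same docstring spells out that `access_key` and `identity_token_audience` are mutually exclusive. Vault's API documentation describes period and schedule as alternatives and the window as applying to scheduled rotation only (worth confirming against the targeted Vault version), so I would append "Mutually exclusive with `rotation_schedule`." to the period entry, the mirror sentence to the schedule entry, and "Only used together with `rotation_schedule`." to the window entry. The wording also switches between "root credential" and "root token" for what appears to be the same thing; one term should be used throughout. The same text is repeated in the property docstrings of the `@@ -501,12 +606,52 @@` hunk and in the `@@ -616,36 +769,44 @@` hunk, and since the file looks generated the fix belongs in the upstream schema descriptions.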
@@ -346,6 +431,8 @@ class _AuthBackendClientState:
346
431
  pulumi.set(__self__, "access_key", access_key)
347
432
  if backend is not None:
348
433
  pulumi.set(__self__, "backend", backend)
434
+ if disable_automated_rotation is not None:
435
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
349
436
  if ec2_endpoint is not None:
350
437
  pulumi.set(__self__, "ec2_endpoint", ec2_endpoint)
351
438
  if iam_endpoint is not None:
@@ -362,6 +449,12 @@ class _AuthBackendClientState:
362
449
  pulumi.set(__self__, "namespace", namespace)
363
450
  if role_arn is not None:
364
451
  pulumi.set(__self__, "role_arn", role_arn)
452
+ if rotation_period is not None:
453
+ pulumi.set(__self__, "rotation_period", rotation_period)
454
+ if rotation_schedule is not None:
455
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
456
+ if rotation_window is not None:
457
+ pulumi.set(__self__, "rotation_window", rotation_window)
365
458
  if secret_key is not None:
366
459
  pulumi.set(__self__, "secret_key", secret_key)
367
460
  if sts_endpoint is not None:
@@ -373,7 +466,7 @@ class _AuthBackendClientState:
373
466
 
374
467
  @property
375
468
  @pulumi.getter(name="accessKey")
376
- def access_key(self) -> Optional[pulumi.Input[str]]:
469
+ def access_key(self) -> Optional[pulumi.Input[builtins.str]]:
377
470
  """
378
471
  The AWS access key that Vault should use for the
379
472
  auth backend. Mutually exclusive with `identity_token_audience`.
@@ -381,12 +474,12 @@ class _AuthBackendClientState:
381
474
  return pulumi.get(self, "access_key")
382
475
 
383
476
  @access_key.setter
384
- def access_key(self, value: Optional[pulumi.Input[str]]):
477
+ def access_key(self, value: Optional[pulumi.Input[builtins.str]]):
385
478
  pulumi.set(self, "access_key", value)
386
479
 
387
480
  @property
388
481
  @pulumi.getter
389
- def backend(self) -> Optional[pulumi.Input[str]]:
482
+ def backend(self) -> Optional[pulumi.Input[builtins.str]]:
390
483
  """
391
484
  The path the AWS auth backend being configured was
392
485
  mounted at. Defaults to `aws`.
@@ -394,12 +487,24 @@ class _AuthBackendClientState:
394
487
  return pulumi.get(self, "backend")
395
488
 
396
489
  @backend.setter
397
- def backend(self, value: Optional[pulumi.Input[str]]):
490
+ def backend(self, value: Optional[pulumi.Input[builtins.str]]):
398
491
  pulumi.set(self, "backend", value)
399
492
 
493
+ @property
494
+ @pulumi.getter(name="disableAutomatedRotation")
495
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
496
+ """
497
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
498
+ """
499
+ return pulumi.get(self, "disable_automated_rotation")
500
+
501
+ @disable_automated_rotation.setter
502
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
503
+ pulumi.set(self, "disable_automated_rotation", value)
504
+
400
505
  @property
401
506
  @pulumi.getter(name="ec2Endpoint")
402
- def ec2_endpoint(self) -> Optional[pulumi.Input[str]]:
507
+ def ec2_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
403
508
  """
404
509
  Override the URL Vault uses when making EC2 API
405
510
  calls.
@@ -407,12 +512,12 @@ class _AuthBackendClientState:
407
512
  return pulumi.get(self, "ec2_endpoint")
408
513
 
409
514
  @ec2_endpoint.setter
410
- def ec2_endpoint(self, value: Optional[pulumi.Input[str]]):
515
+ def ec2_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
411
516
  pulumi.set(self, "ec2_endpoint", value)
412
517
 
413
518
  @property
414
519
  @pulumi.getter(name="iamEndpoint")
415
- def iam_endpoint(self) -> Optional[pulumi.Input[str]]:
520
+ def iam_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
416
521
  """
417
522
  Override the URL Vault uses when making IAM API
418
523
  calls.
@@ -420,12 +525,12 @@ class _AuthBackendClientState:
420
525
  return pulumi.get(self, "iam_endpoint")
421
526
 
422
527
  @iam_endpoint.setter
423
- def iam_endpoint(self, value: Optional[pulumi.Input[str]]):
528
+ def iam_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
424
529
  pulumi.set(self, "iam_endpoint", value)
425
530
 
426
531
  @property
427
532
  @pulumi.getter(name="iamServerIdHeaderValue")
428
- def iam_server_id_header_value(self) -> Optional[pulumi.Input[str]]:
533
+ def iam_server_id_header_value(self) -> Optional[pulumi.Input[builtins.str]]:
429
534
  """
430
535
  The value to require in the
431
536
  `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
@@ -434,12 +539,12 @@ class _AuthBackendClientState:
434
539
  return pulumi.get(self, "iam_server_id_header_value")
435
540
 
436
541
  @iam_server_id_header_value.setter
437
- def iam_server_id_header_value(self, value: Optional[pulumi.Input[str]]):
542
+ def iam_server_id_header_value(self, value: Optional[pulumi.Input[builtins.str]]):
438
543
  pulumi.set(self, "iam_server_id_header_value", value)
439
544
 
440
545
  @property
441
546
  @pulumi.getter(name="identityTokenAudience")
442
- def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
547
+ def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
443
548
  """
444
549
  The audience claim value. Mutually exclusive with `access_key`.
445
550
  Requires Vault 1.17+. *Available only for Vault Enterprise*
@@ -447,12 +552,12 @@ class _AuthBackendClientState:
447
552
  return pulumi.get(self, "identity_token_audience")
448
553
 
449
554
  @identity_token_audience.setter
450
- def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
555
+ def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
451
556
  pulumi.set(self, "identity_token_audience", value)
452
557
 
453
558
  @property
454
559
  @pulumi.getter(name="identityTokenTtl")
455
- def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
560
+ def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
456
561
  """
457
562
  The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
458
563
  *Available only for Vault Enterprise*
@@ -460,12 +565,12 @@ class _AuthBackendClientState:
460
565
  return pulumi.get(self, "identity_token_ttl")
461
566
 
462
567
  @identity_token_ttl.setter
463
- def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
568
+ def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
464
569
  pulumi.set(self, "identity_token_ttl", value)
465
570
 
466
571
  @property
467
572
  @pulumi.getter(name="maxRetries")
468
- def max_retries(self) -> Optional[pulumi.Input[int]]:
573
+ def max_retries(self) -> Optional[pulumi.Input[builtins.int]]:
469
574
  """
470
575
  Number of max retries the client should use for recoverable errors.
471
576
  The default `-1` falls back to the AWS SDK's default behavior.
@@ -473,12 +578,12 @@ class _AuthBackendClientState:
473
578
  return pulumi.get(self, "max_retries")
474
579
 
475
580
  @max_retries.setter
476
- def max_retries(self, value: Optional[pulumi.Input[int]]):
581
+ def max_retries(self, value: Optional[pulumi.Input[builtins.int]]):
477
582
  pulumi.set(self, "max_retries", value)
478
583
 
479
584
  @property
480
585
  @pulumi.getter
481
- def namespace(self) -> Optional[pulumi.Input[str]]:
586
+ def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
482
587
  """
483
588
  The namespace to provision the resource in.
484
589
  The value should not contain leading or trailing forward slashes.
@@ -488,12 +593,12 @@ class _AuthBackendClientState:
488
593
  return pulumi.get(self, "namespace")
489
594
 
490
595
  @namespace.setter
491
- def namespace(self, value: Optional[pulumi.Input[str]]):
596
+ def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
492
597
  pulumi.set(self, "namespace", value)
493
598
 
494
599
  @property
495
600
  @pulumi.getter(name="roleArn")
496
- def role_arn(self) -> Optional[pulumi.Input[str]]:
601
+ def role_arn(self) -> Optional[pulumi.Input[builtins.str]]:
497
602
  """
498
603
  Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
499
604
  *Available only for Vault Enterprise*
@@ -501,12 +606,52 @@ class _AuthBackendClientState:
501
606
  return pulumi.get(self, "role_arn")
502
607
 
503
608
  @role_arn.setter
504
- def role_arn(self, value: Optional[pulumi.Input[str]]):
609
+ def role_arn(self, value: Optional[pulumi.Input[builtins.str]]):
505
610
  pulumi.set(self, "role_arn", value)
506
611
 
612
+ @property
613
+ @pulumi.getter(name="rotationPeriod")
614
+ def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
615
+ """
616
+ The amount of time in seconds Vault should wait before rotating the root credential.
617
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
618
+ """
619
+ return pulumi.get(self, "rotation_period")
620
+
621
+ @rotation_period.setter
622
+ def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
623
+ pulumi.set(self, "rotation_period", value)
624
+
625
+ @property
626
+ @pulumi.getter(name="rotationSchedule")
627
+ def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
628
+ """
629
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
630
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
631
+ """
632
+ return pulumi.get(self, "rotation_schedule")
633
+
634
+ @rotation_schedule.setter
635
+ def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
636
+ pulumi.set(self, "rotation_schedule", value)
637
+
638
+ @property
639
+ @pulumi.getter(name="rotationWindow")
640
+ def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
641
+ """
642
+ The maximum amount of time in seconds allowed to complete
643
+ a rotation when a scheduled token rotation occurs. The default rotation window is
644
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
645
+ """
646
+ return pulumi.get(self, "rotation_window")
647
+
648
+ @rotation_window.setter
649
+ def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
650
+ pulumi.set(self, "rotation_window", value)
651
+
507
652
  @property
508
653
  @pulumi.getter(name="secretKey")
509
- def secret_key(self) -> Optional[pulumi.Input[str]]:
654
+ def secret_key(self) -> Optional[pulumi.Input[builtins.str]]:
510
655
  """
511
656
  The AWS secret key that Vault should use for the
512
657
  auth backend.
@@ -514,12 +659,12 @@ class _AuthBackendClientState:
514
659
  return pulumi.get(self, "secret_key")
515
660
 
516
661
  @secret_key.setter
517
- def secret_key(self, value: Optional[pulumi.Input[str]]):
662
+ def secret_key(self, value: Optional[pulumi.Input[builtins.str]]):
518
663
  pulumi.set(self, "secret_key", value)
519
664
 
520
665
  @property
521
666
  @pulumi.getter(name="stsEndpoint")
522
- def sts_endpoint(self) -> Optional[pulumi.Input[str]]:
667
+ def sts_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
523
668
  """
524
669
  Override the URL Vault uses when making STS API
525
670
  calls.
@@ -527,12 +672,12 @@ class _AuthBackendClientState:
527
672
  return pulumi.get(self, "sts_endpoint")
528
673
 
529
674
  @sts_endpoint.setter
530
- def sts_endpoint(self, value: Optional[pulumi.Input[str]]):
675
+ def sts_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
531
676
  pulumi.set(self, "sts_endpoint", value)
532
677
 
533
678
  @property
534
679
  @pulumi.getter(name="stsRegion")
535
- def sts_region(self) -> Optional[pulumi.Input[str]]:
680
+ def sts_region(self) -> Optional[pulumi.Input[builtins.str]]:
536
681
  """
537
682
  Override the default region when making STS API
538
683
  calls. The `sts_endpoint` argument must be set when using `sts_region`.
@@ -540,12 +685,12 @@ class _AuthBackendClientState:
540
685
  return pulumi.get(self, "sts_region")
541
686
 
542
687
  @sts_region.setter
543
- def sts_region(self, value: Optional[pulumi.Input[str]]):
688
+ def sts_region(self, value: Optional[pulumi.Input[builtins.str]]):
544
689
  pulumi.set(self, "sts_region", value)
545
690
 
546
691
  @property
547
692
  @pulumi.getter(name="useStsRegionFromClient")
548
- def use_sts_region_from_client(self) -> Optional[pulumi.Input[bool]]:
693
+ def use_sts_region_from_client(self) -> Optional[pulumi.Input[builtins.bool]]:
549
694
  """
550
695
  Available in Vault v1.15+. If set,
551
696
  overrides both `sts_endpoint` and `sts_region` to instead use the region
@@ -556,7 +701,7 @@ class _AuthBackendClientState:
556
701
  return pulumi.get(self, "use_sts_region_from_client")
557
702
 
558
703
  @use_sts_region_from_client.setter
559
- def use_sts_region_from_client(self, value: Optional[pulumi.Input[bool]]):
704
+ def use_sts_region_from_client(self, value: Optional[pulumi.Input[builtins.bool]]):
560
705
  pulumi.set(self, "use_sts_region_from_client", value)
561
706
 
562
707
 
@@ -565,20 +710,24 @@ class AuthBackendClient(pulumi.CustomResource):
565
710
  def __init__(__self__,
566
711
  resource_name: str,
567
712
  opts: Optional[pulumi.ResourceOptions] = None,
568
- access_key: Optional[pulumi.Input[str]] = None,
569
- backend: Optional[pulumi.Input[str]] = None,
570
- ec2_endpoint: Optional[pulumi.Input[str]] = None,
571
- iam_endpoint: Optional[pulumi.Input[str]] = None,
572
- iam_server_id_header_value: Optional[pulumi.Input[str]] = None,
573
- identity_token_audience: Optional[pulumi.Input[str]] = None,
574
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
575
- max_retries: Optional[pulumi.Input[int]] = None,
576
- namespace: Optional[pulumi.Input[str]] = None,
577
- role_arn: Optional[pulumi.Input[str]] = None,
578
- secret_key: Optional[pulumi.Input[str]] = None,
579
- sts_endpoint: Optional[pulumi.Input[str]] = None,
580
- sts_region: Optional[pulumi.Input[str]] = None,
581
- use_sts_region_from_client: Optional[pulumi.Input[bool]] = None,
713
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
714
+ backend: Optional[pulumi.Input[builtins.str]] = None,
715
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
716
+ ec2_endpoint: Optional[pulumi.Input[builtins.str]] = None,
717
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
718
+ iam_server_id_header_value: Optional[pulumi.Input[builtins.str]] = None,
719
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
720
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
721
+ max_retries: Optional[pulumi.Input[builtins.int]] = None,
722
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
723
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
724
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
725
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
726
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
727
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
728
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
729
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
730
+ use_sts_region_from_client: Optional[pulumi.Input[builtins.bool]] = None,
582
731
  __props__=None):
583
732
  """
584
733
  ## Example Usage
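Review bot: Inserting `disable_automated_rotation` after `backend` and the three `rotation_*` parameters after `role_arn` shifts every later parameter of `AuthBackendClient.__init__`, and this signature has no keyword-only `*` marker, unlike `_AuthBackendClientState.__init__(__self__, *, ...)` earlier in the file. A caller that passed these arguments positionally would now bind them to different names without any error; for example the eleventh argument after `opts`, previously `secret_key`, now binds to `role_arn`, which would presumably hand the AWS secret key to a field that is not treated as sensitive. I would have the generator emit `*,` after `opts: Optional[pulumi.ResourceOptions] = None,` so that positional use fails loudly, or append new parameters at the end of the list. The `_internal_init` signature in the `@@ -706,20 +871,24 @@` hunk has the same ordering, and the body of `__init__` continues outside this hunk.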
@@ -592,7 +741,9 @@ class AuthBackendClient(pulumi.CustomResource):
592
741
  example_auth_backend_client = vault.aws.AuthBackendClient("example",
593
742
  identity_token_audience="<TOKEN_AUDIENCE>",
594
743
  identity_token_ttl="<TOKEN_TTL>",
595
- role_arn="<AWS_ROLE_ARN>")
744
+ role_arn="<AWS_ROLE_ARN>",
745
+ rotation_schedule="0 * * * SAT",
746
+ rotation_window=3600)
596
747
  ```
597
748
 
598
749
  ```python
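Review bot: The added `rotation_schedule="0 * * * SAT"` may be read as a weekly rotation, but as a five-field cron expression it fires at minute 0 of every hour on Saturdays, which is 24 rotations that day, each with a `rotation_window` of 3600 seconds. A comment in the example such as `# rotates hourly every Saturday; "0 0 * * SAT" would rotate once a week` would keep readers from copying it with the wrong expectation. This example also configures plugin identity token federation (`identity_token_audience`, `role_arn`) without an `access_key`/`secret_key` pair, so it is unclear which root credential the schedule is meant to rotate; the docstring should say whether Vault accepts that combination. The same two lines are added to the examples in the `@@ -603,7 +754,9 @@`, `@@ -669,7 +830,9 @@` and `@@ -680,7 +843,9 @@` hunks.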
@@ -603,7 +754,9 @@ class AuthBackendClient(pulumi.CustomResource):
603
754
  example_auth_backend_client = vault.aws.AuthBackendClient("example",
604
755
  backend=example.path,
605
756
  access_key="INSERT_AWS_ACCESS_KEY",
606
- secret_key="INSERT_AWS_SECRET_KEY")
757
+ secret_key="INSERT_AWS_SECRET_KEY",
758
+ rotation_schedule="0 * * * SAT",
759
+ rotation_window=3600)
607
760
  ```
608
761
 
609
762
  ## Import
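Review bot: Turning on `rotation_schedule` next to a static `access_key`/`secret_key` pair means the program keeps declaring a key that Vault will have replaced after the first rotation, and the example does not say what the next `pulumi up` does with it. Presumably the provider then either reports drift or writes the stale pair back over the rotated one, so the example should state the intended handling, for instance with a comment `# bootstrap value only: Vault replaces it on the first rotation`. The key is also shown as a string literal; `secret_key=pulumi.Config().require_secret("awsSecretKey")` would keep it out of source and encrypted in state (the config key name is a made-up placeholder). The `@@ -680,7 +843,9 @@` hunk repeats this example.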
@@ -616,36 +769,44 @@ class AuthBackendClient(pulumi.CustomResource):
616
769
 
617
770
  :param str resource_name: The name of the resource.
618
771
  :param pulumi.ResourceOptions opts: Options for the resource.
619
- :param pulumi.Input[str] access_key: The AWS access key that Vault should use for the
772
+ :param pulumi.Input[builtins.str] access_key: The AWS access key that Vault should use for the
620
773
  auth backend. Mutually exclusive with `identity_token_audience`.
621
- :param pulumi.Input[str] backend: The path the AWS auth backend being configured was
774
+ :param pulumi.Input[builtins.str] backend: The path the AWS auth backend being configured was
622
775
  mounted at. Defaults to `aws`.
623
- :param pulumi.Input[str] ec2_endpoint: Override the URL Vault uses when making EC2 API
776
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
777
+ :param pulumi.Input[builtins.str] ec2_endpoint: Override the URL Vault uses when making EC2 API
624
778
  calls.
625
- :param pulumi.Input[str] iam_endpoint: Override the URL Vault uses when making IAM API
779
+ :param pulumi.Input[builtins.str] iam_endpoint: Override the URL Vault uses when making IAM API
626
780
  calls.
627
- :param pulumi.Input[str] iam_server_id_header_value: The value to require in the
781
+ :param pulumi.Input[builtins.str] iam_server_id_header_value: The value to require in the
628
782
  `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
629
783
  that are used in the IAM auth method.
630
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
784
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
631
785
  Requires Vault 1.17+. *Available only for Vault Enterprise*
632
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
786
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
633
787
  *Available only for Vault Enterprise*
634
- :param pulumi.Input[int] max_retries: Number of max retries the client should use for recoverable errors.
788
+ :param pulumi.Input[builtins.int] max_retries: Number of max retries the client should use for recoverable errors.
635
789
  The default `-1` falls back to the AWS SDK's default behavior.
636
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
790
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
637
791
  The value should not contain leading or trailing forward slashes.
638
792
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
639
793
  *Available only for Vault Enterprise*.
640
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
794
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
641
795
  *Available only for Vault Enterprise*
642
- :param pulumi.Input[str] secret_key: The AWS secret key that Vault should use for the
796
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
797
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
798
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
799
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
800
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
801
+ a rotation when a scheduled token rotation occurs. The default rotation window is
802
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
803
+ :param pulumi.Input[builtins.str] secret_key: The AWS secret key that Vault should use for the
643
804
  auth backend.
644
- :param pulumi.Input[str] sts_endpoint: Override the URL Vault uses when making STS API
805
+ :param pulumi.Input[builtins.str] sts_endpoint: Override the URL Vault uses when making STS API
645
806
  calls.
646
- :param pulumi.Input[str] sts_region: Override the default region when making STS API
807
+ :param pulumi.Input[builtins.str] sts_region: Override the default region when making STS API
647
808
  calls. The `sts_endpoint` argument must be set when using `sts_region`.
648
- :param pulumi.Input[bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
809
+ :param pulumi.Input[builtins.bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
649
810
  overrides both `sts_endpoint` and `sts_region` to instead use the region
650
811
  specified in the client request headers for IAM-based authentication.
651
812
  This can be useful when you have client requests coming from different
@@ -669,7 +830,9 @@ class AuthBackendClient(pulumi.CustomResource):
669
830
  example_auth_backend_client = vault.aws.AuthBackendClient("example",
670
831
  identity_token_audience="<TOKEN_AUDIENCE>",
671
832
  identity_token_ttl="<TOKEN_TTL>",
672
- role_arn="<AWS_ROLE_ARN>")
833
+ role_arn="<AWS_ROLE_ARN>",
834
+ rotation_schedule="0 * * * SAT",
835
+ rotation_window=3600)
673
836
  ```
674
837
 
675
838
  ```python
@@ -680,7 +843,9 @@ class AuthBackendClient(pulumi.CustomResource):
680
843
  example_auth_backend_client = vault.aws.AuthBackendClient("example",
681
844
  backend=example.path,
682
845
  access_key="INSERT_AWS_ACCESS_KEY",
683
- secret_key="INSERT_AWS_SECRET_KEY")
846
+ secret_key="INSERT_AWS_SECRET_KEY",
847
+ rotation_schedule="0 * * * SAT",
848
+ rotation_window=3600)
684
849
  ```
685
850
 
686
851
  ## Import
@@ -706,20 +871,24 @@ class AuthBackendClient(pulumi.CustomResource):
706
871
  def _internal_init(__self__,
707
872
  resource_name: str,
708
873
  opts: Optional[pulumi.ResourceOptions] = None,
709
- access_key: Optional[pulumi.Input[str]] = None,
710
- backend: Optional[pulumi.Input[str]] = None,
711
- ec2_endpoint: Optional[pulumi.Input[str]] = None,
712
- iam_endpoint: Optional[pulumi.Input[str]] = None,
713
- iam_server_id_header_value: Optional[pulumi.Input[str]] = None,
714
- identity_token_audience: Optional[pulumi.Input[str]] = None,
715
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
716
- max_retries: Optional[pulumi.Input[int]] = None,
717
- namespace: Optional[pulumi.Input[str]] = None,
718
- role_arn: Optional[pulumi.Input[str]] = None,
719
- secret_key: Optional[pulumi.Input[str]] = None,
720
- sts_endpoint: Optional[pulumi.Input[str]] = None,
721
- sts_region: Optional[pulumi.Input[str]] = None,
722
- use_sts_region_from_client: Optional[pulumi.Input[bool]] = None,
874
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
875
+ backend: Optional[pulumi.Input[builtins.str]] = None,
876
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
877
+ ec2_endpoint: Optional[pulumi.Input[builtins.str]] = None,
878
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
879
+ iam_server_id_header_value: Optional[pulumi.Input[builtins.str]] = None,
880
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
881
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
882
+ max_retries: Optional[pulumi.Input[builtins.int]] = None,
883
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
884
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
885
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
886
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
887
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
888
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
889
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
890
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
891
+ use_sts_region_from_client: Optional[pulumi.Input[builtins.bool]] = None,
723
892
  __props__=None):
724
893
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
725
894
  if not isinstance(opts, pulumi.ResourceOptions):
@@ -731,6 +900,7 @@ class AuthBackendClient(pulumi.CustomResource):
731
900
 
732
901
  __props__.__dict__["access_key"] = None if access_key is None else pulumi.Output.secret(access_key)
733
902
  __props__.__dict__["backend"] = backend
903
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
734
904
  __props__.__dict__["ec2_endpoint"] = ec2_endpoint
735
905
  __props__.__dict__["iam_endpoint"] = iam_endpoint
736
906
  __props__.__dict__["iam_server_id_header_value"] = iam_server_id_header_value
@@ -739,6 +909,9 @@ class AuthBackendClient(pulumi.CustomResource):
739
909
  __props__.__dict__["max_retries"] = max_retries
740
910
  __props__.__dict__["namespace"] = namespace
741
911
  __props__.__dict__["role_arn"] = role_arn
912
+ __props__.__dict__["rotation_period"] = rotation_period
913
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
914
+ __props__.__dict__["rotation_window"] = rotation_window
742
915
  __props__.__dict__["secret_key"] = None if secret_key is None else pulumi.Output.secret(secret_key)
743
916
  __props__.__dict__["sts_endpoint"] = sts_endpoint
744
917
  __props__.__dict__["sts_region"] = sts_region
@@ -755,20 +928,24 @@ class AuthBackendClient(pulumi.CustomResource):
755
928
  def get(resource_name: str,
756
929
  id: pulumi.Input[str],
757
930
  opts: Optional[pulumi.ResourceOptions] = None,
758
- access_key: Optional[pulumi.Input[str]] = None,
759
- backend: Optional[pulumi.Input[str]] = None,
760
- ec2_endpoint: Optional[pulumi.Input[str]] = None,
761
- iam_endpoint: Optional[pulumi.Input[str]] = None,
762
- iam_server_id_header_value: Optional[pulumi.Input[str]] = None,
763
- identity_token_audience: Optional[pulumi.Input[str]] = None,
764
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
765
- max_retries: Optional[pulumi.Input[int]] = None,
766
- namespace: Optional[pulumi.Input[str]] = None,
767
- role_arn: Optional[pulumi.Input[str]] = None,
768
- secret_key: Optional[pulumi.Input[str]] = None,
769
- sts_endpoint: Optional[pulumi.Input[str]] = None,
770
- sts_region: Optional[pulumi.Input[str]] = None,
771
- use_sts_region_from_client: Optional[pulumi.Input[bool]] = None) -> 'AuthBackendClient':
931
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
932
+ backend: Optional[pulumi.Input[builtins.str]] = None,
933
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
934
+ ec2_endpoint: Optional[pulumi.Input[builtins.str]] = None,
935
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
936
+ iam_server_id_header_value: Optional[pulumi.Input[builtins.str]] = None,
937
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
938
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
939
+ max_retries: Optional[pulumi.Input[builtins.int]] = None,
940
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
941
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
942
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
943
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
944
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
945
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
946
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
947
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
948
+ use_sts_region_from_client: Optional[pulumi.Input[builtins.bool]] = None) -> 'AuthBackendClient':
772
949
  """
773
950
  Get an existing AuthBackendClient resource's state with the given name, id, and optional extra
774
951
  properties used to qualify the lookup.
@@ -776,36 +953,44 @@ class AuthBackendClient(pulumi.CustomResource):
776
953
  :param str resource_name: The unique name of the resulting resource.
777
954
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
778
955
  :param pulumi.ResourceOptions opts: Options for the resource.
779
- :param pulumi.Input[str] access_key: The AWS access key that Vault should use for the
956
+ :param pulumi.Input[builtins.str] access_key: The AWS access key that Vault should use for the
780
957
  auth backend. Mutually exclusive with `identity_token_audience`.
781
- :param pulumi.Input[str] backend: The path the AWS auth backend being configured was
958
+ :param pulumi.Input[builtins.str] backend: The path the AWS auth backend being configured was
782
959
  mounted at. Defaults to `aws`.
783
- :param pulumi.Input[str] ec2_endpoint: Override the URL Vault uses when making EC2 API
960
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
961
+ :param pulumi.Input[builtins.str] ec2_endpoint: Override the URL Vault uses when making EC2 API
784
962
  calls.
785
- :param pulumi.Input[str] iam_endpoint: Override the URL Vault uses when making IAM API
963
+ :param pulumi.Input[builtins.str] iam_endpoint: Override the URL Vault uses when making IAM API
786
964
  calls.
787
- :param pulumi.Input[str] iam_server_id_header_value: The value to require in the
965
+ :param pulumi.Input[builtins.str] iam_server_id_header_value: The value to require in the
788
966
  `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
789
967
  that are used in the IAM auth method.
790
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
968
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Mutually exclusive with `access_key`.
791
969
  Requires Vault 1.17+. *Available only for Vault Enterprise*
792
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
970
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
793
971
  *Available only for Vault Enterprise*
794
- :param pulumi.Input[int] max_retries: Number of max retries the client should use for recoverable errors.
972
+ :param pulumi.Input[builtins.int] max_retries: Number of max retries the client should use for recoverable errors.
795
973
  The default `-1` falls back to the AWS SDK's default behavior.
796
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
974
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
797
975
  The value should not contain leading or trailing forward slashes.
798
976
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
799
977
  *Available only for Vault Enterprise*.
800
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
978
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
801
979
  *Available only for Vault Enterprise*
802
- :param pulumi.Input[str] secret_key: The AWS secret key that Vault should use for the
980
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
981
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
982
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
983
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
984
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
985
+ a rotation when a scheduled token rotation occurs. The default rotation window is
986
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
987
+ :param pulumi.Input[builtins.str] secret_key: The AWS secret key that Vault should use for the
803
988
  auth backend.
804
- :param pulumi.Input[str] sts_endpoint: Override the URL Vault uses when making STS API
989
+ :param pulumi.Input[builtins.str] sts_endpoint: Override the URL Vault uses when making STS API
805
990
  calls.
806
- :param pulumi.Input[str] sts_region: Override the default region when making STS API
991
+ :param pulumi.Input[builtins.str] sts_region: Override the default region when making STS API
807
992
  calls. The `sts_endpoint` argument must be set when using `sts_region`.
808
- :param pulumi.Input[bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
993
+ :param pulumi.Input[builtins.bool] use_sts_region_from_client: Available in Vault v1.15+. If set,
809
994
  overrides both `sts_endpoint` and `sts_region` to instead use the region
810
995
  specified in the client request headers for IAM-based authentication.
811
996
  This can be useful when you have client requests coming from different
@@ -817,6 +1002,7 @@ class AuthBackendClient(pulumi.CustomResource):
817
1002
 
818
1003
  __props__.__dict__["access_key"] = access_key
819
1004
  __props__.__dict__["backend"] = backend
1005
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
820
1006
  __props__.__dict__["ec2_endpoint"] = ec2_endpoint
821
1007
  __props__.__dict__["iam_endpoint"] = iam_endpoint
822
1008
  __props__.__dict__["iam_server_id_header_value"] = iam_server_id_header_value
@@ -825,6 +1011,9 @@ class AuthBackendClient(pulumi.CustomResource):
825
1011
  __props__.__dict__["max_retries"] = max_retries
826
1012
  __props__.__dict__["namespace"] = namespace
827
1013
  __props__.__dict__["role_arn"] = role_arn
1014
+ __props__.__dict__["rotation_period"] = rotation_period
1015
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1016
+ __props__.__dict__["rotation_window"] = rotation_window
828
1017
  __props__.__dict__["secret_key"] = secret_key
829
1018
  __props__.__dict__["sts_endpoint"] = sts_endpoint
830
1019
  __props__.__dict__["sts_region"] = sts_region
@@ -833,7 +1022,7 @@ class AuthBackendClient(pulumi.CustomResource):
833
1022
 
834
1023
  @property
835
1024
  @pulumi.getter(name="accessKey")
836
- def access_key(self) -> pulumi.Output[Optional[str]]:
1025
+ def access_key(self) -> pulumi.Output[Optional[builtins.str]]:
837
1026
  """
838
1027
  The AWS access key that Vault should use for the
839
1028
  auth backend. Mutually exclusive with `identity_token_audience`.
@@ -842,16 +1031,24 @@ class AuthBackendClient(pulumi.CustomResource):
842
1031
 
843
1032
  @property
844
1033
  @pulumi.getter
845
- def backend(self) -> pulumi.Output[Optional[str]]:
1034
+ def backend(self) -> pulumi.Output[Optional[builtins.str]]:
846
1035
  """
847
1036
  The path the AWS auth backend being configured was
848
1037
  mounted at. Defaults to `aws`.
849
1038
  """
850
1039
  return pulumi.get(self, "backend")
851
1040
 
1041
+ @property
1042
+ @pulumi.getter(name="disableAutomatedRotation")
1043
+ def disable_automated_rotation(self) -> pulumi.Output[Optional[builtins.bool]]:
1044
+ """
1045
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1046
+ """
1047
+ return pulumi.get(self, "disable_automated_rotation")
1048
+
852
1049
  @property
853
1050
  @pulumi.getter(name="ec2Endpoint")
854
- def ec2_endpoint(self) -> pulumi.Output[Optional[str]]:
1051
+ def ec2_endpoint(self) -> pulumi.Output[Optional[builtins.str]]:
855
1052
  """
856
1053
  Override the URL Vault uses when making EC2 API
857
1054
  calls.
@@ -860,7 +1057,7 @@ class AuthBackendClient(pulumi.CustomResource):
860
1057
 
861
1058
  @property
862
1059
  @pulumi.getter(name="iamEndpoint")
863
- def iam_endpoint(self) -> pulumi.Output[Optional[str]]:
1060
+ def iam_endpoint(self) -> pulumi.Output[Optional[builtins.str]]:
864
1061
  """
865
1062
  Override the URL Vault uses when making IAM API
866
1063
  calls.
@@ -869,7 +1066,7 @@ class AuthBackendClient(pulumi.CustomResource):
869
1066
 
870
1067
  @property
871
1068
  @pulumi.getter(name="iamServerIdHeaderValue")
872
- def iam_server_id_header_value(self) -> pulumi.Output[Optional[str]]:
1069
+ def iam_server_id_header_value(self) -> pulumi.Output[Optional[builtins.str]]:
873
1070
  """
874
1071
  The value to require in the
875
1072
  `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
@@ -879,7 +1076,7 @@ class AuthBackendClient(pulumi.CustomResource):
879
1076
 
880
1077
  @property
881
1078
  @pulumi.getter(name="identityTokenAudience")
882
- def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
1079
+ def identity_token_audience(self) -> pulumi.Output[Optional[builtins.str]]:
883
1080
  """
884
1081
  The audience claim value. Mutually exclusive with `access_key`.
885
1082
  Requires Vault 1.17+. *Available only for Vault Enterprise*
@@ -888,7 +1085,7 @@ class AuthBackendClient(pulumi.CustomResource):
888
1085
 
889
1086
  @property
890
1087
  @pulumi.getter(name="identityTokenTtl")
891
- def identity_token_ttl(self) -> pulumi.Output[int]:
1088
+ def identity_token_ttl(self) -> pulumi.Output[builtins.int]:
892
1089
  """
893
1090
  The TTL of generated identity tokens in seconds. Requires Vault 1.17+.
894
1091
  *Available only for Vault Enterprise*
@@ -897,7 +1094,7 @@ class AuthBackendClient(pulumi.CustomResource):
897
1094
 
898
1095
  @property
899
1096
  @pulumi.getter(name="maxRetries")
900
- def max_retries(self) -> pulumi.Output[Optional[int]]:
1097
+ def max_retries(self) -> pulumi.Output[Optional[builtins.int]]:
901
1098
  """
902
1099
  Number of max retries the client should use for recoverable errors.
903
1100
  The default `-1` falls back to the AWS SDK's default behavior.
@@ -906,7 +1103,7 @@ class AuthBackendClient(pulumi.CustomResource):
906
1103
 
907
1104
  @property
908
1105
  @pulumi.getter
909
- def namespace(self) -> pulumi.Output[Optional[str]]:
1106
+ def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
910
1107
  """
911
1108
  The namespace to provision the resource in.
912
1109
  The value should not contain leading or trailing forward slashes.
@@ -917,16 +1114,44 @@ class AuthBackendClient(pulumi.CustomResource):
917
1114
 
918
1115
  @property
919
1116
  @pulumi.getter(name="roleArn")
920
- def role_arn(self) -> pulumi.Output[Optional[str]]:
1117
+ def role_arn(self) -> pulumi.Output[Optional[builtins.str]]:
921
1118
  """
922
1119
  Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.
923
1120
  *Available only for Vault Enterprise*
924
1121
  """
925
1122
  return pulumi.get(self, "role_arn")
926
1123
 
1124
+ @property
1125
+ @pulumi.getter(name="rotationPeriod")
1126
+ def rotation_period(self) -> pulumi.Output[Optional[builtins.int]]:
1127
+ """
1128
+ The amount of time in seconds Vault should wait before rotating the root credential.
1129
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1130
+ """
1131
+ return pulumi.get(self, "rotation_period")
1132
+
1133
+ @property
1134
+ @pulumi.getter(name="rotationSchedule")
1135
+ def rotation_schedule(self) -> pulumi.Output[Optional[builtins.str]]:
1136
+ """
1137
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1138
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1139
+ """
1140
+ return pulumi.get(self, "rotation_schedule")
1141
+
1142
+ @property
1143
+ @pulumi.getter(name="rotationWindow")
1144
+ def rotation_window(self) -> pulumi.Output[Optional[builtins.int]]:
1145
+ """
1146
+ The maximum amount of time in seconds allowed to complete
1147
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1148
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1149
+ """
1150
+ return pulumi.get(self, "rotation_window")
1151
+
927
1152
  @property
928
1153
  @pulumi.getter(name="secretKey")
929
- def secret_key(self) -> pulumi.Output[Optional[str]]:
1154
+ def secret_key(self) -> pulumi.Output[Optional[builtins.str]]:
930
1155
  """
931
1156
  The AWS secret key that Vault should use for the
932
1157
  auth backend.
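Review bot: The new `rotation_schedule` docstring says Vault rotates the "root token", while `rotation_period` and `disable_automated_rotation` say "root credential". For this resource both presumably mean the configured `access_key`/`secret_key`, so one term should be used throughout. The three docstrings also do not say how the settings combine. As far as I know, Vault treats `rotation_period` and `rotation_schedule` as mutually exclusive and accepts `rotation_window` only alongside `rotation_schedule`, so adding `Mutually exclusive with rotation_period.` to `rotation_schedule` (and the converse) would let a reader catch a bad combination before apply. The same wording is repeated in the `get` docstring hunk earlier in this file, and if this module is generated from the provider schema the text has to be corrected there.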
@@ -935,7 +1160,7 @@ class AuthBackendClient(pulumi.CustomResource):
935
1160
 
936
1161
  @property
937
1162
  @pulumi.getter(name="stsEndpoint")
938
- def sts_endpoint(self) -> pulumi.Output[Optional[str]]:
1163
+ def sts_endpoint(self) -> pulumi.Output[Optional[builtins.str]]:
939
1164
  """
940
1165
  Override the URL Vault uses when making STS API
941
1166
  calls.
@@ -944,7 +1169,7 @@ class AuthBackendClient(pulumi.CustomResource):
944
1169
 
945
1170
  @property
946
1171
  @pulumi.getter(name="stsRegion")
947
- def sts_region(self) -> pulumi.Output[Optional[str]]:
1172
+ def sts_region(self) -> pulumi.Output[Optional[builtins.str]]:
948
1173
  """
949
1174
  Override the default region when making STS API
950
1175
  calls. The `sts_endpoint` argument must be set when using `sts_region`.
@@ -953,7 +1178,7 @@ class AuthBackendClient(pulumi.CustomResource):
953
1178
 
954
1179
  @property
955
1180
  @pulumi.getter(name="useStsRegionFromClient")
956
- def use_sts_region_from_client(self) -> pulumi.Output[bool]:
1181
+ def use_sts_region_from_client(self) -> pulumi.Output[builtins.bool]:
957
1182
  """
958
1183
  Available in Vault v1.15+. If set,
959
1184
  overrides both `sts_endpoint` and `sts_region` to instead use the region