pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl

pulumi_vault/transit/secret_backend_key.py

@@ -2,6 +2,7 @@
 # *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
+import builtins
 import copy
 import warnings
 import sys
@@ -19,39 +20,48 @@ __all__ = ['SecretBackendKeyArgs', 'SecretBackendKey']
 @pulumi.input_type
 class SecretBackendKeyArgs:
     def __init__(__self__, *,
-                 backend: pulumi.Input[str],
-                 allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
-                 auto_rotate_period: Optional[pulumi.Input[int]] = None,
-                 convergent_encryption: Optional[pulumi.Input[bool]] = None,
-                 deletion_allowed: Optional[pulumi.Input[bool]] = None,
-                 derived: Optional[pulumi.Input[bool]] = None,
-                 exportable: Optional[pulumi.Input[bool]] = None,
-                 key_size: Optional[pulumi.Input[int]] = None,
-                 min_decryption_version: Optional[pulumi.Input[int]] = None,
-                 min_encryption_version: Optional[pulumi.Input[int]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 type: Optional[pulumi.Input[str]] = None):
+                 backend: pulumi.Input[builtins.str],
+                 allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
+                 auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
+                 convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
+                 deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
+                 derived: Optional[pulumi.Input[builtins.bool]] = None,
+                 exportable: Optional[pulumi.Input[builtins.bool]] = None,
+                 hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
+                 hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
+                 key_size: Optional[pulumi.Input[builtins.int]] = None,
+                 min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 parameter_set: Optional[pulumi.Input[builtins.str]] = None,
+                 type: Optional[pulumi.Input[builtins.str]] = None):
         """
         The set of arguments for constructing a SecretBackendKey resource.
-        :param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
                * Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
-        :param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
+        :param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
                A value of 0 disables automatic rotation for the key.
-        :param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
-        :param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
-        :param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
-        :param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
-        :param pulumi.Input[int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
-        :param pulumi.Input[int] min_decryption_version: Minimum key version to use for decryption.
-        :param pulumi.Input[int] min_encryption_version: Minimum key version to use for encryption
-        :param pulumi.Input[str] name: The name to identify this key within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
+        :param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
+        :param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
+        :param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
+               Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
+        :param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
+               Currently, ML-DSA is the only supported key type.
+        :param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
+        :param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
+        :param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
+        :param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
+        :param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
+               ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+        :param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
                * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
         """
         pulumi.set(__self__, "backend", backend)
@@ -67,6 +77,10 @@ class SecretBackendKeyArgs:
             pulumi.set(__self__, "derived", derived)
         if exportable is not None:
             pulumi.set(__self__, "exportable", exportable)
+        if hybrid_key_type_ec is not None:
+            pulumi.set(__self__, "hybrid_key_type_ec", hybrid_key_type_ec)
+        if hybrid_key_type_pqc is not None:
+            pulumi.set(__self__, "hybrid_key_type_pqc", hybrid_key_type_pqc)
         if key_size is not None:
             pulumi.set(__self__, "key_size", key_size)
         if min_decryption_version is not None:
@@ -77,24 +91,26 @@ class SecretBackendKeyArgs:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if parameter_set is not None:
+            pulumi.set(__self__, "parameter_set", parameter_set)
         if type is not None:
             pulumi.set(__self__, "type", type)
 
     @property
     @pulumi.getter
-    def backend(self) -> pulumi.Input[str]:
+    def backend(self) -> pulumi.Input[builtins.str]:
         """
         The path the transit secret backend is mounted at, with no leading or trailing `/`s.
         """
         return pulumi.get(self, "backend")
 
     @backend.setter
-    def backend(self, value: pulumi.Input[str]):
+    def backend(self, value: pulumi.Input[builtins.str]):
         pulumi.set(self, "backend", value)
 
     @property
     @pulumi.getter(name="allowPlaintextBackup")
-    def allow_plaintext_backup(self) -> Optional[pulumi.Input[bool]]:
+    def allow_plaintext_backup(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
         * Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
@@ -102,12 +118,12 @@ class SecretBackendKeyArgs:
         return pulumi.get(self, "allow_plaintext_backup")
 
     @allow_plaintext_backup.setter
-    def allow_plaintext_backup(self, value: Optional[pulumi.Input[bool]]):
+    def allow_plaintext_backup(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_plaintext_backup", value)
 
     @property
     @pulumi.getter(name="autoRotatePeriod")
-    def auto_rotate_period(self) -> Optional[pulumi.Input[int]]:
+    def auto_rotate_period(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Amount of seconds the key should live before being automatically rotated.
         A value of 0 disables automatic rotation for the key.
@@ -115,108 +131,134 @@ class SecretBackendKeyArgs:
         return pulumi.get(self, "auto_rotate_period")
 
     @auto_rotate_period.setter
-    def auto_rotate_period(self, value: Optional[pulumi.Input[int]]):
+    def auto_rotate_period(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "auto_rotate_period", value)
 
     @property
     @pulumi.getter(name="convergentEncryption")
-    def convergent_encryption(self) -> Optional[pulumi.Input[bool]]:
+    def convergent_encryption(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
         """
         return pulumi.get(self, "convergent_encryption")
 
     @convergent_encryption.setter
-    def convergent_encryption(self, value: Optional[pulumi.Input[bool]]):
+    def convergent_encryption(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "convergent_encryption", value)
 
     @property
     @pulumi.getter(name="deletionAllowed")
-    def deletion_allowed(self) -> Optional[pulumi.Input[bool]]:
+    def deletion_allowed(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Specifies if the key is allowed to be deleted.
         """
         return pulumi.get(self, "deletion_allowed")
 
     @deletion_allowed.setter
-    def deletion_allowed(self, value: Optional[pulumi.Input[bool]]):
+    def deletion_allowed(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "deletion_allowed", value)
 
     @property
     @pulumi.getter
-    def derived(self) -> Optional[pulumi.Input[bool]]:
+    def derived(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
         """
         return pulumi.get(self, "derived")
 
     @derived.setter
-    def derived(self, value: Optional[pulumi.Input[bool]]):
+    def derived(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "derived", value)
 
     @property
     @pulumi.getter
-    def exportable(self) -> Optional[pulumi.Input[bool]]:
+    def exportable(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
         """
         return pulumi.get(self, "exportable")
 
     @exportable.setter
-    def exportable(self, value: Optional[pulumi.Input[bool]]):
+    def exportable(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "exportable", value)
 
+    @property
+    @pulumi.getter(name="hybridKeyTypeEc")
+    def hybrid_key_type_ec(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The elliptic curve algorithm to use for hybrid signatures.
+        Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
+        """
+        return pulumi.get(self, "hybrid_key_type_ec")
+
+    @hybrid_key_type_ec.setter
+    def hybrid_key_type_ec(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "hybrid_key_type_ec", value)
+
+    @property
+    @pulumi.getter(name="hybridKeyTypePqc")
+    def hybrid_key_type_pqc(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The post-quantum algorithm to use for hybrid signatures.
+        Currently, ML-DSA is the only supported key type.
+        """
+        return pulumi.get(self, "hybrid_key_type_pqc")
+
+    @hybrid_key_type_pqc.setter
+    def hybrid_key_type_pqc(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "hybrid_key_type_pqc", value)
+
     @property
     @pulumi.getter(name="keySize")
-    def key_size(self) -> Optional[pulumi.Input[int]]:
+    def key_size(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
         """
         return pulumi.get(self, "key_size")
 
     @key_size.setter
-    def key_size(self, value: Optional[pulumi.Input[int]]):
+    def key_size(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "key_size", value)
 
     @property
     @pulumi.getter(name="minDecryptionVersion")
-    def min_decryption_version(self) -> Optional[pulumi.Input[int]]:
+    def min_decryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Minimum key version to use for decryption.
         """
         return pulumi.get(self, "min_decryption_version")
 
     @min_decryption_version.setter
-    def min_decryption_version(self, value: Optional[pulumi.Input[int]]):
+    def min_decryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "min_decryption_version", value)
 
     @property
     @pulumi.getter(name="minEncryptionVersion")
-    def min_encryption_version(self) -> Optional[pulumi.Input[int]]:
+    def min_encryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Minimum key version to use for encryption
         """
         return pulumi.get(self, "min_encryption_version")
 
     @min_encryption_version.setter
-    def min_encryption_version(self, value: Optional[pulumi.Input[int]]):
+    def min_encryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "min_encryption_version", value)
 
     @property
     @pulumi.getter
-    def name(self) -> Optional[pulumi.Input[str]]:
+    def name(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The name to identify this key within the backend. Must be unique within the backend.
         """
         return pulumi.get(self, "name")
 
     @name.setter
-    def name(self, value: Optional[pulumi.Input[str]]):
+    def name(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "name", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -226,12 +268,25 @@ class SecretBackendKeyArgs:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
+    @property
+    @pulumi.getter(name="parameterSet")
+    def parameter_set(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The parameter set to use for ML-DSA. Required for
+        ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+        """
+        return pulumi.get(self, "parameter_set")
+
+    @parameter_set.setter
+    def parameter_set(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "parameter_set", value)
+
     @property
     @pulumi.getter
-    def type(self) -> Optional[pulumi.Input[str]]:
+    def type(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
         * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
@@ -239,62 +294,71 @@ class SecretBackendKeyArgs:
         return pulumi.get(self, "type")
 
     @type.setter
-    def type(self, value: Optional[pulumi.Input[str]]):
+    def type(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "type", value)
 
 
 @pulumi.input_type
 class _SecretBackendKeyState:
     def __init__(__self__, *,
-                 allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
-                 auto_rotate_period: Optional[pulumi.Input[int]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 convergent_encryption: Optional[pulumi.Input[bool]] = None,
-                 deletion_allowed: Optional[pulumi.Input[bool]] = None,
-                 derived: Optional[pulumi.Input[bool]] = None,
-                 exportable: Optional[pulumi.Input[bool]] = None,
-                 key_size: Optional[pulumi.Input[int]] = None,
-                 keys: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]]] = None,
-                 latest_version: Optional[pulumi.Input[int]] = None,
-                 min_available_version: Optional[pulumi.Input[int]] = None,
-                 min_decryption_version: Optional[pulumi.Input[int]] = None,
-                 min_encryption_version: Optional[pulumi.Input[int]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 supports_decryption: Optional[pulumi.Input[bool]] = None,
-                 supports_derivation: Optional[pulumi.Input[bool]] = None,
-                 supports_encryption: Optional[pulumi.Input[bool]] = None,
-                 supports_signing: Optional[pulumi.Input[bool]] = None,
-                 type: Optional[pulumi.Input[str]] = None):
+                 allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
+                 auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
+                 deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
+                 derived: Optional[pulumi.Input[builtins.bool]] = None,
+                 exportable: Optional[pulumi.Input[builtins.bool]] = None,
+                 hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
+                 hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
+                 key_size: Optional[pulumi.Input[builtins.int]] = None,
+                 keys: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]] = None,
+                 latest_version: Optional[pulumi.Input[builtins.int]] = None,
+                 min_available_version: Optional[pulumi.Input[builtins.int]] = None,
+                 min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 parameter_set: Optional[pulumi.Input[builtins.str]] = None,
+                 supports_decryption: Optional[pulumi.Input[builtins.bool]] = None,
+                 supports_derivation: Optional[pulumi.Input[builtins.bool]] = None,
+                 supports_encryption: Optional[pulumi.Input[builtins.bool]] = None,
+                 supports_signing: Optional[pulumi.Input[builtins.bool]] = None,
+                 type: Optional[pulumi.Input[builtins.str]] = None):
         """
         Input properties used for looking up and filtering SecretBackendKey resources.
-        :param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
                * Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
-        :param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
+        :param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
                A value of 0 disables automatic rotation for the key.
-        :param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
-        :param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
-        :param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
-        :param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
-        :param pulumi.Input[int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
-        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]] keys: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
+        :param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
+        :param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
+        :param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
+        :param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
+               Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
+        :param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
+               Currently, ML-DSA is the only supported key type.
+        :param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
+        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]] keys: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
                * for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
                * for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
-        :param pulumi.Input[int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
-        :param pulumi.Input[int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
-        :param pulumi.Input[int] min_decryption_version: Minimum key version to use for decryption.
-        :param pulumi.Input[int] min_encryption_version: Minimum key version to use for encryption
-        :param pulumi.Input[str] name: The name to identify this key within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
+        :param pulumi.Input[builtins.int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
+        :param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
+        :param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
+        :param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] supports_decryption: Whether or not the key supports decryption, based on key type.
-        :param pulumi.Input[bool] supports_derivation: Whether or not the key supports derivation, based on key type.
-        :param pulumi.Input[bool] supports_encryption: Whether or not the key supports encryption, based on key type.
-        :param pulumi.Input[bool] supports_signing: Whether or not the key supports signing, based on key type.
-        :param pulumi.Input[str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
+        :param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
+               ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+        :param pulumi.Input[builtins.bool] supports_decryption: Whether or not the key supports decryption, based on key type.
+        :param pulumi.Input[builtins.bool] supports_derivation: Whether or not the key supports derivation, based on key type.
+        :param pulumi.Input[builtins.bool] supports_encryption: Whether or not the key supports encryption, based on key type.
+        :param pulumi.Input[builtins.bool] supports_signing: Whether or not the key supports signing, based on key type.
+        :param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
                * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
         """
         if allow_plaintext_backup is not None:
@@ -311,6 +375,10 @@ class _SecretBackendKeyState:
             pulumi.set(__self__, "derived", derived)
         if exportable is not None:
             pulumi.set(__self__, "exportable", exportable)
+        if hybrid_key_type_ec is not None:
+            pulumi.set(__self__, "hybrid_key_type_ec", hybrid_key_type_ec)
+        if hybrid_key_type_pqc is not None:
+            pulumi.set(__self__, "hybrid_key_type_pqc", hybrid_key_type_pqc)
         if key_size is not None:
             pulumi.set(__self__, "key_size", key_size)
         if keys is not None:
@@ -327,6 +395,8 @@ class _SecretBackendKeyState:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if parameter_set is not None:
+            pulumi.set(__self__, "parameter_set", parameter_set)
         if supports_decryption is not None:
             pulumi.set(__self__, "supports_decryption", supports_decryption)
         if supports_derivation is not None:
@@ -340,7 +410,7 @@ class _SecretBackendKeyState:
 
     @property
     @pulumi.getter(name="allowPlaintextBackup")
-    def allow_plaintext_backup(self) -> Optional[pulumi.Input[bool]]:
+    def allow_plaintext_backup(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
         * Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
@@ -348,12 +418,12 @@ class _SecretBackendKeyState:
         return pulumi.get(self, "allow_plaintext_backup")
 
     @allow_plaintext_backup.setter
-    def allow_plaintext_backup(self, value: Optional[pulumi.Input[bool]]):
+    def allow_plaintext_backup(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "allow_plaintext_backup", value)
 
     @property
     @pulumi.getter(name="autoRotatePeriod")
-    def auto_rotate_period(self) -> Optional[pulumi.Input[int]]:
+    def auto_rotate_period(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Amount of seconds the key should live before being automatically rotated.
         A value of 0 disables automatic rotation for the key.
@@ -361,84 +431,110 @@ class _SecretBackendKeyState:
         return pulumi.get(self, "auto_rotate_period")
 
     @auto_rotate_period.setter
-    def auto_rotate_period(self, value: Optional[pulumi.Input[int]]):
+    def auto_rotate_period(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "auto_rotate_period", value)
 
     @property
     @pulumi.getter
-    def backend(self) -> Optional[pulumi.Input[str]]:
+    def backend(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The path the transit secret backend is mounted at, with no leading or trailing `/`s.
         """
         return pulumi.get(self, "backend")
 
     @backend.setter
-    def backend(self, value: Optional[pulumi.Input[str]]):
+    def backend(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "backend", value)
 
     @property
     @pulumi.getter(name="convergentEncryption")
-    def convergent_encryption(self) -> Optional[pulumi.Input[bool]]:
+    def convergent_encryption(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
         """
         return pulumi.get(self, "convergent_encryption")
 
     @convergent_encryption.setter
-    def convergent_encryption(self, value: Optional[pulumi.Input[bool]]):
+    def convergent_encryption(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "convergent_encryption", value)
 
     @property
     @pulumi.getter(name="deletionAllowed")
-    def deletion_allowed(self) -> Optional[pulumi.Input[bool]]:
+    def deletion_allowed(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Specifies if the key is allowed to be deleted.
         """
         return pulumi.get(self, "deletion_allowed")
 
     @deletion_allowed.setter
-    def deletion_allowed(self, value: Optional[pulumi.Input[bool]]):
+    def deletion_allowed(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "deletion_allowed", value)
 
     @property
     @pulumi.getter
-    def derived(self) -> Optional[pulumi.Input[bool]]:
+    def derived(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
         """
         return pulumi.get(self, "derived")
 
     @derived.setter
-    def derived(self, value: Optional[pulumi.Input[bool]]):
+    def derived(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "derived", value)
 
     @property
     @pulumi.getter
-    def exportable(self) -> Optional[pulumi.Input[bool]]:
+    def exportable(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
         """
         return pulumi.get(self, "exportable")
 
     @exportable.setter
-    def exportable(self, value: Optional[pulumi.Input[bool]]):
+    def exportable(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "exportable", value)
 
+    @property
+    @pulumi.getter(name="hybridKeyTypeEc")
+    def hybrid_key_type_ec(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The elliptic curve algorithm to use for hybrid signatures.
+        Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
+        """
+        return pulumi.get(self, "hybrid_key_type_ec")
+
+    @hybrid_key_type_ec.setter
+    def hybrid_key_type_ec(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "hybrid_key_type_ec", value)
+
+    @property
+    @pulumi.getter(name="hybridKeyTypePqc")
+    def hybrid_key_type_pqc(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The post-quantum algorithm to use for hybrid signatures.
+        Currently, ML-DSA is the only supported key type.
+        """
+        return pulumi.get(self, "hybrid_key_type_pqc")
+
+    @hybrid_key_type_pqc.setter
+    def hybrid_key_type_pqc(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "hybrid_key_type_pqc", value)
+
     @property
     @pulumi.getter(name="keySize")
-    def key_size(self) -> Optional[pulumi.Input[int]]:
+    def key_size(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
         """
         return pulumi.get(self, "key_size")
 
     @key_size.setter
-    def key_size(self, value: Optional[pulumi.Input[int]]):
+    def key_size(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "key_size", value)
 
     @property
     @pulumi.getter
-    def keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]]]:
+    def keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]]:
         """
         List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
         * for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
@@ -447,72 +543,72 @@ class _SecretBackendKeyState:
         return pulumi.get(self, "keys")
 
     @keys.setter
-    def keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]]]):
+    def keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]]):
         pulumi.set(self, "keys", value)
 
     @property
     @pulumi.getter(name="latestVersion")
-    def latest_version(self) -> Optional[pulumi.Input[int]]:
+    def latest_version(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
         """
         return pulumi.get(self, "latest_version")
 
     @latest_version.setter
-    def latest_version(self, value: Optional[pulumi.Input[int]]):
+    def latest_version(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "latest_version", value)
 
     @property
     @pulumi.getter(name="minAvailableVersion")
-    def min_available_version(self) -> Optional[pulumi.Input[int]]:
+    def min_available_version(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
         """
         return pulumi.get(self, "min_available_version")
 
     @min_available_version.setter
-    def min_available_version(self, value: Optional[pulumi.Input[int]]):
+    def min_available_version(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "min_available_version", value)
 
     @property
     @pulumi.getter(name="minDecryptionVersion")
-    def min_decryption_version(self) -> Optional[pulumi.Input[int]]:
+    def min_decryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Minimum key version to use for decryption.
         """
         return pulumi.get(self, "min_decryption_version")
 
     @min_decryption_version.setter
-    def min_decryption_version(self, value: Optional[pulumi.Input[int]]):
+    def min_decryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "min_decryption_version", value)
 
     @property
     @pulumi.getter(name="minEncryptionVersion")
-    def min_encryption_version(self) -> Optional[pulumi.Input[int]]:
+    def min_encryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
         """
         Minimum key version to use for encryption
         """
         return pulumi.get(self, "min_encryption_version")
 
     @min_encryption_version.setter
-    def min_encryption_version(self, value: Optional[pulumi.Input[int]]):
+    def min_encryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "min_encryption_version", value)
 
     @property
     @pulumi.getter
-    def name(self) -> Optional[pulumi.Input[str]]:
+    def name(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The name to identify this key within the backend. Must be unique within the backend.
         """
         return pulumi.get(self, "name")
 
     @name.setter
-    def name(self, value: Optional[pulumi.Input[str]]):
+    def name(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "name", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -522,60 +618,73 @@ class _SecretBackendKeyState:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
+    @property
+    @pulumi.getter(name="parameterSet")
+    def parameter_set(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        The parameter set to use for ML-DSA. Required for
+        ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+        """
+        return pulumi.get(self, "parameter_set")
+
+    @parameter_set.setter
+    def parameter_set(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "parameter_set", value)
+
     @property
     @pulumi.getter(name="supportsDecryption")
-    def supports_decryption(self) -> Optional[pulumi.Input[bool]]:
+    def supports_decryption(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Whether or not the key supports decryption, based on key type.
         """
         return pulumi.get(self, "supports_decryption")
 
     @supports_decryption.setter
-    def supports_decryption(self, value: Optional[pulumi.Input[bool]]):
+    def supports_decryption(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "supports_decryption", value)
 
     @property
     @pulumi.getter(name="supportsDerivation")
-    def supports_derivation(self) -> Optional[pulumi.Input[bool]]:
+    def supports_derivation(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Whether or not the key supports derivation, based on key type.
         """
         return pulumi.get(self, "supports_derivation")
 
     @supports_derivation.setter
-    def supports_derivation(self, value: Optional[pulumi.Input[bool]]):
+    def supports_derivation(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "supports_derivation", value)
 
     @property
     @pulumi.getter(name="supportsEncryption")
-    def supports_encryption(self) -> Optional[pulumi.Input[bool]]:
+    def supports_encryption(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Whether or not the key supports encryption, based on key type.
         """
         return pulumi.get(self, "supports_encryption")
 
     @supports_encryption.setter
-    def supports_encryption(self, value: Optional[pulumi.Input[bool]]):
+    def supports_encryption(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "supports_encryption", value)
 
     @property
     @pulumi.getter(name="supportsSigning")
-    def supports_signing(self) -> Optional[pulumi.Input[bool]]:
+    def supports_signing(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Whether or not the key supports signing, based on key type.
         """
         return pulumi.get(self, "supports_signing")
 
     @supports_signing.setter
-    def supports_signing(self, value: Optional[pulumi.Input[bool]]):
+    def supports_signing(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "supports_signing", value)
 
     @property
     @pulumi.getter
-    def type(self) -> Optional[pulumi.Input[str]]:
+    def type(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
         * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
@@ -583,7 +692,7 @@ class _SecretBackendKeyState:
         return pulumi.get(self, "type")
 
     @type.setter
-    def type(self, value: Optional[pulumi.Input[str]]):
+    def type(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "type", value)
 
 
@@ -592,19 +701,22 @@ class SecretBackendKey(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
-                 auto_rotate_period: Optional[pulumi.Input[int]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 convergent_encryption: Optional[pulumi.Input[bool]] = None,
-                 deletion_allowed: Optional[pulumi.Input[bool]] = None,
-                 derived: Optional[pulumi.Input[bool]] = None,
-                 exportable: Optional[pulumi.Input[bool]] = None,
-                 key_size: Optional[pulumi.Input[int]] = None,
-                 min_decryption_version: Optional[pulumi.Input[int]] = None,
-                 min_encryption_version: Optional[pulumi.Input[int]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 type: Optional[pulumi.Input[str]] = None,
+                 allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
+                 auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
+                 deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
+                 derived: Optional[pulumi.Input[builtins.bool]] = None,
+                 exportable: Optional[pulumi.Input[builtins.bool]] = None,
+                 hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
+                 hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
+                 key_size: Optional[pulumi.Input[builtins.int]] = None,
+                 min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 parameter_set: Optional[pulumi.Input[builtins.str]] = None,
+                 type: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         """
         Creates an Encryption Keyring on a Transit Secret Backend for Vault.
@@ -636,24 +748,30 @@ class SecretBackendKey(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
                * Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
-        :param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
+        :param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
                A value of 0 disables automatic rotation for the key.
-        :param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
-        :param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
-        :param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
-        :param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
-        :param pulumi.Input[int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
-        :param pulumi.Input[int] min_decryption_version: Minimum key version to use for decryption.
-        :param pulumi.Input[int] min_encryption_version: Minimum key version to use for encryption
-        :param pulumi.Input[str] name: The name to identify this key within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
+        :param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
+        :param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
+        :param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
+               Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
+        :param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
+               Currently, ML-DSA is the only supported key type.
+        :param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
+        :param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
+        :param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
+        :param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
+        :param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
+               ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+        :param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
                * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
         """
         ...
@@ -705,19 +823,22 @@ class SecretBackendKey(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
-                 auto_rotate_period: Optional[pulumi.Input[int]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 convergent_encryption: Optional[pulumi.Input[bool]] = None,
-                 deletion_allowed: Optional[pulumi.Input[bool]] = None,
-                 derived: Optional[pulumi.Input[bool]] = None,
-                 exportable: Optional[pulumi.Input[bool]] = None,
-                 key_size: Optional[pulumi.Input[int]] = None,
-                 min_decryption_version: Optional[pulumi.Input[int]] = None,
-                 min_encryption_version: Optional[pulumi.Input[int]] = None,
-                 name: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 type: Optional[pulumi.Input[str]] = None,
+                 allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
+                 auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
+                 deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
+                 derived: Optional[pulumi.Input[builtins.bool]] = None,
+                 exportable: Optional[pulumi.Input[builtins.bool]] = None,
+                 hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
+                 hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
+                 key_size: Optional[pulumi.Input[builtins.int]] = None,
+                 min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
+                 name: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 parameter_set: Optional[pulumi.Input[builtins.str]] = None,
+                 type: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -736,11 +857,14 @@ class SecretBackendKey(pulumi.CustomResource):
             __props__.__dict__["deletion_allowed"] = deletion_allowed
             __props__.__dict__["derived"] = derived
             __props__.__dict__["exportable"] = exportable
+            __props__.__dict__["hybrid_key_type_ec"] = hybrid_key_type_ec
+            __props__.__dict__["hybrid_key_type_pqc"] = hybrid_key_type_pqc
             __props__.__dict__["key_size"] = key_size
             __props__.__dict__["min_decryption_version"] = min_decryption_version
             __props__.__dict__["min_encryption_version"] = min_encryption_version
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
+            __props__.__dict__["parameter_set"] = parameter_set
             __props__.__dict__["type"] = type
             __props__.__dict__["keys"] = None
             __props__.__dict__["latest_version"] = None
@@ -759,26 +883,29 @@ class SecretBackendKey(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
-            auto_rotate_period: Optional[pulumi.Input[int]] = None,
-            backend: Optional[pulumi.Input[str]] = None,
-            convergent_encryption: Optional[pulumi.Input[bool]] = None,
-            deletion_allowed: Optional[pulumi.Input[bool]] = None,
-            derived: Optional[pulumi.Input[bool]] = None,
-            exportable: Optional[pulumi.Input[bool]] = None,
-            key_size: Optional[pulumi.Input[int]] = None,
-            keys: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]]] = None,
-            latest_version: Optional[pulumi.Input[int]] = None,
-            min_available_version: Optional[pulumi.Input[int]] = None,
-            min_decryption_version: Optional[pulumi.Input[int]] = None,
-            min_encryption_version: Optional[pulumi.Input[int]] = None,
-            name: Optional[pulumi.Input[str]] = None,
-            namespace: Optional[pulumi.Input[str]] = None,
-            supports_decryption: Optional[pulumi.Input[bool]] = None,
-            supports_derivation: Optional[pulumi.Input[bool]] = None,
-            supports_encryption: Optional[pulumi.Input[bool]] = None,
-            supports_signing: Optional[pulumi.Input[bool]] = None,
-            type: Optional[pulumi.Input[str]] = None) -> 'SecretBackendKey':
+            allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
+            auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
+            backend: Optional[pulumi.Input[builtins.str]] = None,
+            convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
+            deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
+            derived: Optional[pulumi.Input[builtins.bool]] = None,
+            exportable: Optional[pulumi.Input[builtins.bool]] = None,
+            hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
+            hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
+            key_size: Optional[pulumi.Input[builtins.int]] = None,
+            keys: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]] = None,
+            latest_version: Optional[pulumi.Input[builtins.int]] = None,
+            min_available_version: Optional[pulumi.Input[builtins.int]] = None,
+            min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
+            min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
+            name: Optional[pulumi.Input[builtins.str]] = None,
+            namespace: Optional[pulumi.Input[builtins.str]] = None,
+            parameter_set: Optional[pulumi.Input[builtins.str]] = None,
+            supports_decryption: Optional[pulumi.Input[builtins.bool]] = None,
+            supports_derivation: Optional[pulumi.Input[builtins.bool]] = None,
+            supports_encryption: Optional[pulumi.Input[builtins.bool]] = None,
+            supports_signing: Optional[pulumi.Input[builtins.bool]] = None,
+            type: Optional[pulumi.Input[builtins.str]] = None) -> 'SecretBackendKey':
         """
         Get an existing SecretBackendKey resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -786,33 +913,39 @@ class SecretBackendKey(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
                * Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
-        :param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
+        :param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
                A value of 0 disables automatic rotation for the key.
-        :param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
-        :param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
-        :param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
-        :param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
-        :param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
-        :param pulumi.Input[int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
-        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]] keys: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
+        :param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
+        :param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
+        :param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
+        :param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
+        :param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
+        :param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
+               Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
+        :param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
+               Currently, ML-DSA is the only supported key type.
+        :param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
+        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]] keys: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
                * for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
                * for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
-        :param pulumi.Input[int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
-        :param pulumi.Input[int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
-        :param pulumi.Input[int] min_decryption_version: Minimum key version to use for decryption.
-        :param pulumi.Input[int] min_encryption_version: Minimum key version to use for encryption
-        :param pulumi.Input[str] name: The name to identify this key within the backend. Must be unique within the backend.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
+        :param pulumi.Input[builtins.int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
+        :param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
+        :param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
+        :param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] supports_decryption: Whether or not the key supports decryption, based on key type.
-        :param pulumi.Input[bool] supports_derivation: Whether or not the key supports derivation, based on key type.
-        :param pulumi.Input[bool] supports_encryption: Whether or not the key supports encryption, based on key type.
-        :param pulumi.Input[bool] supports_signing: Whether or not the key supports signing, based on key type.
-        :param pulumi.Input[str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
+        :param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
+               ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+        :param pulumi.Input[builtins.bool] supports_decryption: Whether or not the key supports decryption, based on key type.
+        :param pulumi.Input[builtins.bool] supports_derivation: Whether or not the key supports derivation, based on key type.
+        :param pulumi.Input[builtins.bool] supports_encryption: Whether or not the key supports encryption, based on key type.
+        :param pulumi.Input[builtins.bool] supports_signing: Whether or not the key supports signing, based on key type.
+        :param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
                * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -826,6 +959,8 @@ class SecretBackendKey(pulumi.CustomResource):
         __props__.__dict__["deletion_allowed"] = deletion_allowed
         __props__.__dict__["derived"] = derived
         __props__.__dict__["exportable"] = exportable
+        __props__.__dict__["hybrid_key_type_ec"] = hybrid_key_type_ec
+        __props__.__dict__["hybrid_key_type_pqc"] = hybrid_key_type_pqc
         __props__.__dict__["key_size"] = key_size
         __props__.__dict__["keys"] = keys
         __props__.__dict__["latest_version"] = latest_version
@@ -834,6 +969,7 @@ class SecretBackendKey(pulumi.CustomResource):
         __props__.__dict__["min_encryption_version"] = min_encryption_version
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
+        __props__.__dict__["parameter_set"] = parameter_set
         __props__.__dict__["supports_decryption"] = supports_decryption
         __props__.__dict__["supports_derivation"] = supports_derivation
         __props__.__dict__["supports_encryption"] = supports_encryption
@@ -843,7 +979,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="allowPlaintextBackup")
-    def allow_plaintext_backup(self) -> pulumi.Output[Optional[bool]]:
+    def allow_plaintext_backup(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
         * Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
@@ -852,7 +988,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="autoRotatePeriod")
-    def auto_rotate_period(self) -> pulumi.Output[int]:
+    def auto_rotate_period(self) -> pulumi.Output[builtins.int]:
         """
         Amount of seconds the key should live before being automatically rotated.
         A value of 0 disables automatic rotation for the key.
@@ -861,7 +997,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def backend(self) -> pulumi.Output[str]:
+    def backend(self) -> pulumi.Output[builtins.str]:
         """
         The path the transit secret backend is mounted at, with no leading or trailing `/`s.
         """
@@ -869,7 +1005,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="convergentEncryption")
-    def convergent_encryption(self) -> pulumi.Output[Optional[bool]]:
+    def convergent_encryption(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
         """
@@ -877,7 +1013,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="deletionAllowed")
-    def deletion_allowed(self) -> pulumi.Output[Optional[bool]]:
+    def deletion_allowed(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Specifies if the key is allowed to be deleted.
         """
@@ -885,7 +1021,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def derived(self) -> pulumi.Output[Optional[bool]]:
+    def derived(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
         """
@@ -893,15 +1029,33 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def exportable(self) -> pulumi.Output[Optional[bool]]:
+    def exportable(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
         """
         return pulumi.get(self, "exportable")
 
+    @property
+    @pulumi.getter(name="hybridKeyTypeEc")
+    def hybrid_key_type_ec(self) -> pulumi.Output[Optional[builtins.str]]:
+        """
+        The elliptic curve algorithm to use for hybrid signatures.
+        Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
+        """
+        return pulumi.get(self, "hybrid_key_type_ec")
+
+    @property
+    @pulumi.getter(name="hybridKeyTypePqc")
+    def hybrid_key_type_pqc(self) -> pulumi.Output[Optional[builtins.str]]:
+        """
+        The post-quantum algorithm to use for hybrid signatures.
+        Currently, ML-DSA is the only supported key type.
+        """
+        return pulumi.get(self, "hybrid_key_type_pqc")
+
     @property
     @pulumi.getter(name="keySize")
-    def key_size(self) -> pulumi.Output[Optional[int]]:
+    def key_size(self) -> pulumi.Output[Optional[builtins.int]]:
         """
         The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
         """
@@ -909,7 +1063,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def keys(self) -> pulumi.Output[Sequence[Mapping[str, str]]]:
+    def keys(self) -> pulumi.Output[Sequence[Mapping[str, builtins.str]]]:
         """
         List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
         * for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
@@ -919,7 +1073,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="latestVersion")
-    def latest_version(self) -> pulumi.Output[int]:
+    def latest_version(self) -> pulumi.Output[builtins.int]:
         """
         Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
         """
@@ -927,7 +1081,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="minAvailableVersion")
-    def min_available_version(self) -> pulumi.Output[int]:
+    def min_available_version(self) -> pulumi.Output[builtins.int]:
         """
         Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
         """
@@ -935,7 +1089,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="minDecryptionVersion")
-    def min_decryption_version(self) -> pulumi.Output[Optional[int]]:
+    def min_decryption_version(self) -> pulumi.Output[Optional[builtins.int]]:
         """
         Minimum key version to use for decryption.
         """
@@ -943,7 +1097,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="minEncryptionVersion")
-    def min_encryption_version(self) -> pulumi.Output[Optional[int]]:
+    def min_encryption_version(self) -> pulumi.Output[Optional[builtins.int]]:
         """
         Minimum key version to use for encryption
         """
@@ -951,7 +1105,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def name(self) -> pulumi.Output[str]:
+    def name(self) -> pulumi.Output[builtins.str]:
         """
         The name to identify this key within the backend. Must be unique within the backend.
         """
@@ -959,7 +1113,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def namespace(self) -> pulumi.Output[Optional[str]]:
+    def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -968,9 +1122,18 @@ class SecretBackendKey(pulumi.CustomResource):
         """
         return pulumi.get(self, "namespace")
 
+    @property
+    @pulumi.getter(name="parameterSet")
+    def parameter_set(self) -> pulumi.Output[Optional[builtins.str]]:
+        """
+        The parameter set to use for ML-DSA. Required for
+        ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+        """
+        return pulumi.get(self, "parameter_set")
+
     @property
     @pulumi.getter(name="supportsDecryption")
-    def supports_decryption(self) -> pulumi.Output[bool]:
+    def supports_decryption(self) -> pulumi.Output[builtins.bool]:
         """
         Whether or not the key supports decryption, based on key type.
         """
@@ -978,7 +1141,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="supportsDerivation")
-    def supports_derivation(self) -> pulumi.Output[bool]:
+    def supports_derivation(self) -> pulumi.Output[builtins.bool]:
         """
         Whether or not the key supports derivation, based on key type.
         """
@@ -986,7 +1149,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="supportsEncryption")
-    def supports_encryption(self) -> pulumi.Output[bool]:
+    def supports_encryption(self) -> pulumi.Output[builtins.bool]:
         """
         Whether or not the key supports encryption, based on key type.
         """
@@ -994,7 +1157,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="supportsSigning")
-    def supports_signing(self) -> pulumi.Output[bool]:
+    def supports_signing(self) -> pulumi.Output[builtins.bool]:
         """
         Whether or not the key supports signing, based on key type.
         """
@@ -1002,7 +1165,7 @@ class SecretBackendKey(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def type(self) -> pulumi.Output[Optional[str]]:
+    def type(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
         * Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)