pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pulumi_vault/__init__.py +9 -0
- pulumi_vault/_inputs.py +583 -562
- pulumi_vault/ad/__init__.py +1 -0
- pulumi_vault/ad/get_access_credentials.py +20 -19
- pulumi_vault/ad/secret_backend.py +477 -476
- pulumi_vault/ad/secret_library.py +99 -98
- pulumi_vault/ad/secret_role.py +85 -84
- pulumi_vault/alicloud/__init__.py +1 -0
- pulumi_vault/alicloud/auth_backend_role.py +183 -182
- pulumi_vault/approle/__init__.py +1 -0
- pulumi_vault/approle/auth_backend_login.py +106 -105
- pulumi_vault/approle/auth_backend_role.py +239 -238
- pulumi_vault/approle/auth_backend_role_secret_id.py +162 -161
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -17
- pulumi_vault/audit.py +85 -84
- pulumi_vault/audit_request_header.py +43 -42
- pulumi_vault/auth_backend.py +106 -105
- pulumi_vault/aws/__init__.py +1 -0
- pulumi_vault/aws/auth_backend_cert.py +71 -70
- pulumi_vault/aws/auth_backend_client.py +425 -200
- pulumi_vault/aws/auth_backend_config_identity.py +85 -84
- pulumi_vault/aws/auth_backend_identity_whitelist.py +57 -56
- pulumi_vault/aws/auth_backend_login.py +209 -208
- pulumi_vault/aws/auth_backend_role.py +400 -399
- pulumi_vault/aws/auth_backend_role_tag.py +127 -126
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +57 -56
- pulumi_vault/aws/auth_backend_sts_role.py +71 -70
- pulumi_vault/aws/get_access_credentials.py +44 -43
- pulumi_vault/aws/get_static_access_credentials.py +13 -12
- pulumi_vault/aws/secret_backend.py +523 -306
- pulumi_vault/aws/secret_backend_role.py +211 -210
- pulumi_vault/aws/secret_backend_static_role.py +288 -70
- pulumi_vault/azure/__init__.py +1 -0
- pulumi_vault/azure/_inputs.py +21 -20
- pulumi_vault/azure/auth_backend_config.py +383 -130
- pulumi_vault/azure/auth_backend_role.py +253 -252
- pulumi_vault/azure/backend.py +432 -186
- pulumi_vault/azure/backend_role.py +188 -140
- pulumi_vault/azure/get_access_credentials.py +58 -57
- pulumi_vault/azure/outputs.py +11 -10
- pulumi_vault/cert_auth_backend_role.py +365 -364
- pulumi_vault/config/__init__.py +1 -0
- pulumi_vault/config/__init__.pyi +1 -0
- pulumi_vault/config/_inputs.py +11 -10
- pulumi_vault/config/outputs.py +287 -286
- pulumi_vault/config/ui_custom_message.py +113 -112
- pulumi_vault/config/vars.py +1 -0
- pulumi_vault/consul/__init__.py +1 -0
- pulumi_vault/consul/secret_backend.py +197 -196
- pulumi_vault/consul/secret_backend_role.py +183 -182
- pulumi_vault/database/__init__.py +1 -0
- pulumi_vault/database/_inputs.py +3857 -2200
- pulumi_vault/database/outputs.py +2483 -1330
- pulumi_vault/database/secret_backend_connection.py +333 -112
- pulumi_vault/database/secret_backend_role.py +169 -168
- pulumi_vault/database/secret_backend_static_role.py +283 -140
- pulumi_vault/database/secrets_mount.py +275 -266
- pulumi_vault/egp_policy.py +71 -70
- pulumi_vault/gcp/__init__.py +1 -0
- pulumi_vault/gcp/_inputs.py +82 -81
- pulumi_vault/gcp/auth_backend.py +426 -205
- pulumi_vault/gcp/auth_backend_role.py +281 -280
- pulumi_vault/gcp/get_auth_backend_role.py +70 -69
- pulumi_vault/gcp/outputs.py +50 -49
- pulumi_vault/gcp/secret_backend.py +420 -179
- pulumi_vault/gcp/secret_impersonated_account.py +92 -91
- pulumi_vault/gcp/secret_roleset.py +92 -91
- pulumi_vault/gcp/secret_static_account.py +92 -91
- pulumi_vault/generic/__init__.py +1 -0
- pulumi_vault/generic/endpoint.py +113 -112
- pulumi_vault/generic/get_secret.py +28 -27
- pulumi_vault/generic/secret.py +78 -77
- pulumi_vault/get_auth_backend.py +19 -18
- pulumi_vault/get_auth_backends.py +14 -13
- pulumi_vault/get_namespace.py +15 -14
- pulumi_vault/get_namespaces.py +68 -18
- pulumi_vault/get_nomad_access_token.py +19 -18
- pulumi_vault/get_policy_document.py +6 -5
- pulumi_vault/get_raft_autopilot_state.py +18 -17
- pulumi_vault/github/__init__.py +1 -0
- pulumi_vault/github/_inputs.py +42 -41
- pulumi_vault/github/auth_backend.py +232 -231
- pulumi_vault/github/outputs.py +26 -25
- pulumi_vault/github/team.py +57 -56
- pulumi_vault/github/user.py +57 -56
- pulumi_vault/identity/__init__.py +1 -0
- pulumi_vault/identity/entity.py +85 -84
- pulumi_vault/identity/entity_alias.py +71 -70
- pulumi_vault/identity/entity_policies.py +64 -63
- pulumi_vault/identity/get_entity.py +43 -42
- pulumi_vault/identity/get_group.py +50 -49
- pulumi_vault/identity/get_oidc_client_creds.py +14 -13
- pulumi_vault/identity/get_oidc_openid_config.py +24 -23
- pulumi_vault/identity/get_oidc_public_keys.py +13 -12
- pulumi_vault/identity/group.py +141 -140
- pulumi_vault/identity/group_alias.py +57 -56
- pulumi_vault/identity/group_member_entity_ids.py +57 -56
- pulumi_vault/identity/group_member_group_ids.py +57 -56
- pulumi_vault/identity/group_policies.py +64 -63
- pulumi_vault/identity/mfa_duo.py +148 -147
- pulumi_vault/identity/mfa_login_enforcement.py +120 -119
- pulumi_vault/identity/mfa_okta.py +134 -133
- pulumi_vault/identity/mfa_pingid.py +127 -126
- pulumi_vault/identity/mfa_totp.py +176 -175
- pulumi_vault/identity/oidc.py +29 -28
- pulumi_vault/identity/oidc_assignment.py +57 -56
- pulumi_vault/identity/oidc_client.py +127 -126
- pulumi_vault/identity/oidc_key.py +85 -84
- pulumi_vault/identity/oidc_key_allowed_client_id.py +43 -42
- pulumi_vault/identity/oidc_provider.py +92 -91
- pulumi_vault/identity/oidc_role.py +85 -84
- pulumi_vault/identity/oidc_scope.py +57 -56
- pulumi_vault/identity/outputs.py +32 -31
- pulumi_vault/jwt/__init__.py +1 -0
- pulumi_vault/jwt/_inputs.py +42 -41
- pulumi_vault/jwt/auth_backend.py +288 -287
- pulumi_vault/jwt/auth_backend_role.py +407 -406
- pulumi_vault/jwt/outputs.py +26 -25
- pulumi_vault/kmip/__init__.py +1 -0
- pulumi_vault/kmip/secret_backend.py +183 -182
- pulumi_vault/kmip/secret_role.py +295 -294
- pulumi_vault/kmip/secret_scope.py +57 -56
- pulumi_vault/kubernetes/__init__.py +1 -0
- pulumi_vault/kubernetes/auth_backend_config.py +141 -140
- pulumi_vault/kubernetes/auth_backend_role.py +225 -224
- pulumi_vault/kubernetes/get_auth_backend_config.py +47 -46
- pulumi_vault/kubernetes/get_auth_backend_role.py +70 -69
- pulumi_vault/kubernetes/get_service_account_token.py +38 -37
- pulumi_vault/kubernetes/secret_backend.py +316 -315
- pulumi_vault/kubernetes/secret_backend_role.py +197 -196
- pulumi_vault/kv/__init__.py +1 -0
- pulumi_vault/kv/_inputs.py +21 -20
- pulumi_vault/kv/get_secret.py +17 -16
- pulumi_vault/kv/get_secret_subkeys_v2.py +30 -29
- pulumi_vault/kv/get_secret_v2.py +29 -28
- pulumi_vault/kv/get_secrets_list.py +13 -12
- pulumi_vault/kv/get_secrets_list_v2.py +19 -18
- pulumi_vault/kv/outputs.py +13 -12
- pulumi_vault/kv/secret.py +50 -49
- pulumi_vault/kv/secret_backend_v2.py +71 -70
- pulumi_vault/kv/secret_v2.py +134 -133
- pulumi_vault/ldap/__init__.py +1 -0
- pulumi_vault/ldap/auth_backend.py +754 -533
- pulumi_vault/ldap/auth_backend_group.py +57 -56
- pulumi_vault/ldap/auth_backend_user.py +71 -70
- pulumi_vault/ldap/get_dynamic_credentials.py +17 -16
- pulumi_vault/ldap/get_static_credentials.py +18 -17
- pulumi_vault/ldap/secret_backend.py +720 -499
- pulumi_vault/ldap/secret_backend_dynamic_role.py +127 -126
- pulumi_vault/ldap/secret_backend_library_set.py +99 -98
- pulumi_vault/ldap/secret_backend_static_role.py +99 -98
- pulumi_vault/managed/__init__.py +1 -0
- pulumi_vault/managed/_inputs.py +229 -228
- pulumi_vault/managed/keys.py +15 -14
- pulumi_vault/managed/outputs.py +139 -138
- pulumi_vault/mfa_duo.py +113 -112
- pulumi_vault/mfa_okta.py +113 -112
- pulumi_vault/mfa_pingid.py +120 -119
- pulumi_vault/mfa_totp.py +127 -126
- pulumi_vault/mongodbatlas/__init__.py +1 -0
- pulumi_vault/mongodbatlas/secret_backend.py +64 -63
- pulumi_vault/mongodbatlas/secret_role.py +155 -154
- pulumi_vault/mount.py +274 -273
- pulumi_vault/namespace.py +64 -63
- pulumi_vault/nomad_secret_backend.py +211 -210
- pulumi_vault/nomad_secret_role.py +85 -84
- pulumi_vault/okta/__init__.py +1 -0
- pulumi_vault/okta/_inputs.py +26 -25
- pulumi_vault/okta/auth_backend.py +274 -273
- pulumi_vault/okta/auth_backend_group.py +57 -56
- pulumi_vault/okta/auth_backend_user.py +71 -70
- pulumi_vault/okta/outputs.py +16 -15
- pulumi_vault/outputs.py +73 -60
- pulumi_vault/password_policy.py +43 -42
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +31 -36
- pulumi_vault/pkisecret/backend_acme_eab.py +92 -91
- pulumi_vault/pkisecret/backend_config_acme.py +174 -126
- pulumi_vault/pkisecret/backend_config_auto_tidy.py +1377 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +57 -56
- pulumi_vault/pkisecret/backend_config_cmpv2.py +152 -104
- pulumi_vault/pkisecret/backend_config_est.py +120 -119
- pulumi_vault/pkisecret/get_backend_cert_metadata.py +278 -0
- pulumi_vault/pkisecret/get_backend_config_cmpv2.py +35 -17
- pulumi_vault/pkisecret/get_backend_config_est.py +19 -18
- pulumi_vault/pkisecret/get_backend_issuer.py +139 -25
- pulumi_vault/pkisecret/get_backend_issuers.py +15 -14
- pulumi_vault/pkisecret/get_backend_key.py +20 -19
- pulumi_vault/pkisecret/get_backend_keys.py +15 -14
- pulumi_vault/pkisecret/outputs.py +28 -31
- pulumi_vault/pkisecret/secret_backend_cert.py +439 -297
- pulumi_vault/pkisecret/secret_backend_config_ca.py +43 -42
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +57 -56
- pulumi_vault/pkisecret/secret_backend_config_urls.py +85 -84
- pulumi_vault/pkisecret/secret_backend_crl_config.py +237 -182
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +520 -378
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +57 -56
- pulumi_vault/pkisecret/secret_backend_issuer.py +441 -175
- pulumi_vault/pkisecret/secret_backend_key.py +120 -119
- pulumi_vault/pkisecret/secret_backend_role.py +894 -644
- pulumi_vault/pkisecret/secret_backend_root_cert.py +851 -427
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +936 -357
- pulumi_vault/pkisecret/secret_backend_sign.py +347 -252
- pulumi_vault/plugin.py +127 -126
- pulumi_vault/plugin_pinned_version.py +43 -42
- pulumi_vault/policy.py +43 -42
- pulumi_vault/provider.py +120 -119
- pulumi_vault/pulumi-plugin.json +1 -1
- pulumi_vault/quota_lease_count.py +85 -84
- pulumi_vault/quota_rate_limit.py +113 -112
- pulumi_vault/rabbitmq/__init__.py +1 -0
- pulumi_vault/rabbitmq/_inputs.py +41 -40
- pulumi_vault/rabbitmq/outputs.py +25 -24
- pulumi_vault/rabbitmq/secret_backend.py +169 -168
- pulumi_vault/rabbitmq/secret_backend_role.py +57 -56
- pulumi_vault/raft_autopilot.py +113 -112
- pulumi_vault/raft_snapshot_agent_config.py +393 -392
- pulumi_vault/rgp_policy.py +57 -56
- pulumi_vault/saml/__init__.py +1 -0
- pulumi_vault/saml/auth_backend.py +155 -154
- pulumi_vault/saml/auth_backend_role.py +239 -238
- pulumi_vault/secrets/__init__.py +1 -0
- pulumi_vault/secrets/_inputs.py +16 -15
- pulumi_vault/secrets/outputs.py +10 -9
- pulumi_vault/secrets/sync_association.py +71 -70
- pulumi_vault/secrets/sync_aws_destination.py +148 -147
- pulumi_vault/secrets/sync_azure_destination.py +148 -147
- pulumi_vault/secrets/sync_config.py +43 -42
- pulumi_vault/secrets/sync_gcp_destination.py +106 -105
- pulumi_vault/secrets/sync_gh_destination.py +134 -133
- pulumi_vault/secrets/sync_github_apps.py +64 -63
- pulumi_vault/secrets/sync_vercel_destination.py +120 -119
- pulumi_vault/ssh/__init__.py +2 -0
- pulumi_vault/ssh/_inputs.py +11 -10
- pulumi_vault/ssh/get_secret_backend_sign.py +295 -0
- pulumi_vault/ssh/outputs.py +7 -6
- pulumi_vault/ssh/secret_backend_ca.py +99 -98
- pulumi_vault/ssh/secret_backend_role.py +365 -364
- pulumi_vault/terraformcloud/__init__.py +1 -0
- pulumi_vault/terraformcloud/secret_backend.py +111 -110
- pulumi_vault/terraformcloud/secret_creds.py +74 -73
- pulumi_vault/terraformcloud/secret_role.py +96 -95
- pulumi_vault/token.py +246 -245
- pulumi_vault/tokenauth/__init__.py +1 -0
- pulumi_vault/tokenauth/auth_backend_role.py +267 -266
- pulumi_vault/transform/__init__.py +1 -0
- pulumi_vault/transform/alphabet.py +57 -56
- pulumi_vault/transform/get_decode.py +47 -46
- pulumi_vault/transform/get_encode.py +47 -46
- pulumi_vault/transform/role.py +57 -56
- pulumi_vault/transform/template.py +113 -112
- pulumi_vault/transform/transformation.py +141 -140
- pulumi_vault/transit/__init__.py +3 -0
- pulumi_vault/transit/get_decrypt.py +18 -17
- pulumi_vault/transit/get_encrypt.py +21 -20
- pulumi_vault/transit/get_sign.py +325 -0
- pulumi_vault/transit/get_verify.py +355 -0
- pulumi_vault/transit/secret_backend_key.py +394 -231
- pulumi_vault/transit/secret_cache_config.py +43 -42
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/METADATA +2 -2
- pulumi_vault-6.7.0.dist-info/RECORD +265 -0
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/WHEEL +1 -1
- pulumi_vault-6.6.0a1741415971.dist-info/RECORD +0 -260
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/top_level.txt +0 -0
@@ -2,6 +2,7 @@
|
|
2
2
|
# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
|
3
3
|
# *** Do not edit by hand unless you're certain you know what you are doing! ***
|
4
4
|
|
5
|
+
import builtins
|
5
6
|
import copy
|
6
7
|
import warnings
|
7
8
|
import sys
|
@@ -19,39 +20,48 @@ __all__ = ['SecretBackendKeyArgs', 'SecretBackendKey']
|
|
19
20
|
@pulumi.input_type
|
20
21
|
class SecretBackendKeyArgs:
|
21
22
|
def __init__(__self__, *,
|
22
|
-
backend: pulumi.Input[str],
|
23
|
-
allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
|
24
|
-
auto_rotate_period: Optional[pulumi.Input[int]] = None,
|
25
|
-
convergent_encryption: Optional[pulumi.Input[bool]] = None,
|
26
|
-
deletion_allowed: Optional[pulumi.Input[bool]] = None,
|
27
|
-
derived: Optional[pulumi.Input[bool]] = None,
|
28
|
-
exportable: Optional[pulumi.Input[bool]] = None,
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
23
|
+
backend: pulumi.Input[builtins.str],
|
24
|
+
allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
|
25
|
+
auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
|
26
|
+
convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
|
27
|
+
deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
|
28
|
+
derived: Optional[pulumi.Input[builtins.bool]] = None,
|
29
|
+
exportable: Optional[pulumi.Input[builtins.bool]] = None,
|
30
|
+
hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
|
31
|
+
hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
|
32
|
+
key_size: Optional[pulumi.Input[builtins.int]] = None,
|
33
|
+
min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
34
|
+
min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
35
|
+
name: Optional[pulumi.Input[builtins.str]] = None,
|
36
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
37
|
+
parameter_set: Optional[pulumi.Input[builtins.str]] = None,
|
38
|
+
type: Optional[pulumi.Input[builtins.str]] = None):
|
35
39
|
"""
|
36
40
|
The set of arguments for constructing a SecretBackendKey resource.
|
37
|
-
:param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
38
|
-
:param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
41
|
+
:param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
42
|
+
:param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
39
43
|
* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
|
40
|
-
:param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
44
|
+
:param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
41
45
|
A value of 0 disables automatic rotation for the key.
|
42
|
-
:param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
43
|
-
:param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
44
|
-
:param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
45
|
-
:param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
46
|
-
:param pulumi.Input[
|
47
|
-
|
48
|
-
:param pulumi.Input[
|
49
|
-
|
50
|
-
:param pulumi.Input[
|
46
|
+
:param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
47
|
+
:param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
48
|
+
:param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
49
|
+
:param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
50
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
|
51
|
+
Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
|
52
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
|
53
|
+
Currently, ML-DSA is the only supported key type.
|
54
|
+
:param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
|
55
|
+
:param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
|
56
|
+
:param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
|
57
|
+
:param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
|
58
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
51
59
|
The value should not contain leading or trailing forward slashes.
|
52
60
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
53
61
|
*Available only for Vault Enterprise*.
|
54
|
-
:param pulumi.Input[str]
|
62
|
+
:param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
|
63
|
+
ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
|
64
|
+
:param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
|
55
65
|
* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
|
56
66
|
"""
|
57
67
|
pulumi.set(__self__, "backend", backend)
|
@@ -67,6 +77,10 @@ class SecretBackendKeyArgs:
|
|
67
77
|
pulumi.set(__self__, "derived", derived)
|
68
78
|
if exportable is not None:
|
69
79
|
pulumi.set(__self__, "exportable", exportable)
|
80
|
+
if hybrid_key_type_ec is not None:
|
81
|
+
pulumi.set(__self__, "hybrid_key_type_ec", hybrid_key_type_ec)
|
82
|
+
if hybrid_key_type_pqc is not None:
|
83
|
+
pulumi.set(__self__, "hybrid_key_type_pqc", hybrid_key_type_pqc)
|
70
84
|
if key_size is not None:
|
71
85
|
pulumi.set(__self__, "key_size", key_size)
|
72
86
|
if min_decryption_version is not None:
|
@@ -77,24 +91,26 @@ class SecretBackendKeyArgs:
|
|
77
91
|
pulumi.set(__self__, "name", name)
|
78
92
|
if namespace is not None:
|
79
93
|
pulumi.set(__self__, "namespace", namespace)
|
94
|
+
if parameter_set is not None:
|
95
|
+
pulumi.set(__self__, "parameter_set", parameter_set)
|
80
96
|
if type is not None:
|
81
97
|
pulumi.set(__self__, "type", type)
|
82
98
|
|
83
99
|
@property
|
84
100
|
@pulumi.getter
|
85
|
-
def backend(self) -> pulumi.Input[str]:
|
101
|
+
def backend(self) -> pulumi.Input[builtins.str]:
|
86
102
|
"""
|
87
103
|
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
88
104
|
"""
|
89
105
|
return pulumi.get(self, "backend")
|
90
106
|
|
91
107
|
@backend.setter
|
92
|
-
def backend(self, value: pulumi.Input[str]):
|
108
|
+
def backend(self, value: pulumi.Input[builtins.str]):
|
93
109
|
pulumi.set(self, "backend", value)
|
94
110
|
|
95
111
|
@property
|
96
112
|
@pulumi.getter(name="allowPlaintextBackup")
|
97
|
-
def allow_plaintext_backup(self) -> Optional[pulumi.Input[bool]]:
|
113
|
+
def allow_plaintext_backup(self) -> Optional[pulumi.Input[builtins.bool]]:
|
98
114
|
"""
|
99
115
|
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
100
116
|
* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
|
@@ -102,12 +118,12 @@ class SecretBackendKeyArgs:
|
|
102
118
|
return pulumi.get(self, "allow_plaintext_backup")
|
103
119
|
|
104
120
|
@allow_plaintext_backup.setter
|
105
|
-
def allow_plaintext_backup(self, value: Optional[pulumi.Input[bool]]):
|
121
|
+
def allow_plaintext_backup(self, value: Optional[pulumi.Input[builtins.bool]]):
|
106
122
|
pulumi.set(self, "allow_plaintext_backup", value)
|
107
123
|
|
108
124
|
@property
|
109
125
|
@pulumi.getter(name="autoRotatePeriod")
|
110
|
-
def auto_rotate_period(self) -> Optional[pulumi.Input[int]]:
|
126
|
+
def auto_rotate_period(self) -> Optional[pulumi.Input[builtins.int]]:
|
111
127
|
"""
|
112
128
|
Amount of seconds the key should live before being automatically rotated.
|
113
129
|
A value of 0 disables automatic rotation for the key.
|
@@ -115,108 +131,134 @@ class SecretBackendKeyArgs:
|
|
115
131
|
return pulumi.get(self, "auto_rotate_period")
|
116
132
|
|
117
133
|
@auto_rotate_period.setter
|
118
|
-
def auto_rotate_period(self, value: Optional[pulumi.Input[int]]):
|
134
|
+
def auto_rotate_period(self, value: Optional[pulumi.Input[builtins.int]]):
|
119
135
|
pulumi.set(self, "auto_rotate_period", value)
|
120
136
|
|
121
137
|
@property
|
122
138
|
@pulumi.getter(name="convergentEncryption")
|
123
|
-
def convergent_encryption(self) -> Optional[pulumi.Input[bool]]:
|
139
|
+
def convergent_encryption(self) -> Optional[pulumi.Input[builtins.bool]]:
|
124
140
|
"""
|
125
141
|
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
126
142
|
"""
|
127
143
|
return pulumi.get(self, "convergent_encryption")
|
128
144
|
|
129
145
|
@convergent_encryption.setter
|
130
|
-
def convergent_encryption(self, value: Optional[pulumi.Input[bool]]):
|
146
|
+
def convergent_encryption(self, value: Optional[pulumi.Input[builtins.bool]]):
|
131
147
|
pulumi.set(self, "convergent_encryption", value)
|
132
148
|
|
133
149
|
@property
|
134
150
|
@pulumi.getter(name="deletionAllowed")
|
135
|
-
def deletion_allowed(self) -> Optional[pulumi.Input[bool]]:
|
151
|
+
def deletion_allowed(self) -> Optional[pulumi.Input[builtins.bool]]:
|
136
152
|
"""
|
137
153
|
Specifies if the key is allowed to be deleted.
|
138
154
|
"""
|
139
155
|
return pulumi.get(self, "deletion_allowed")
|
140
156
|
|
141
157
|
@deletion_allowed.setter
|
142
|
-
def deletion_allowed(self, value: Optional[pulumi.Input[bool]]):
|
158
|
+
def deletion_allowed(self, value: Optional[pulumi.Input[builtins.bool]]):
|
143
159
|
pulumi.set(self, "deletion_allowed", value)
|
144
160
|
|
145
161
|
@property
|
146
162
|
@pulumi.getter
|
147
|
-
def derived(self) -> Optional[pulumi.Input[bool]]:
|
163
|
+
def derived(self) -> Optional[pulumi.Input[builtins.bool]]:
|
148
164
|
"""
|
149
165
|
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
150
166
|
"""
|
151
167
|
return pulumi.get(self, "derived")
|
152
168
|
|
153
169
|
@derived.setter
|
154
|
-
def derived(self, value: Optional[pulumi.Input[bool]]):
|
170
|
+
def derived(self, value: Optional[pulumi.Input[builtins.bool]]):
|
155
171
|
pulumi.set(self, "derived", value)
|
156
172
|
|
157
173
|
@property
|
158
174
|
@pulumi.getter
|
159
|
-
def exportable(self) -> Optional[pulumi.Input[bool]]:
|
175
|
+
def exportable(self) -> Optional[pulumi.Input[builtins.bool]]:
|
160
176
|
"""
|
161
177
|
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
162
178
|
"""
|
163
179
|
return pulumi.get(self, "exportable")
|
164
180
|
|
165
181
|
@exportable.setter
|
166
|
-
def exportable(self, value: Optional[pulumi.Input[bool]]):
|
182
|
+
def exportable(self, value: Optional[pulumi.Input[builtins.bool]]):
|
167
183
|
pulumi.set(self, "exportable", value)
|
168
184
|
|
185
|
+
@property
|
186
|
+
@pulumi.getter(name="hybridKeyTypeEc")
|
187
|
+
def hybrid_key_type_ec(self) -> Optional[pulumi.Input[builtins.str]]:
|
188
|
+
"""
|
189
|
+
The elliptic curve algorithm to use for hybrid signatures.
|
190
|
+
Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
|
191
|
+
"""
|
192
|
+
return pulumi.get(self, "hybrid_key_type_ec")
|
193
|
+
|
194
|
+
@hybrid_key_type_ec.setter
|
195
|
+
def hybrid_key_type_ec(self, value: Optional[pulumi.Input[builtins.str]]):
|
196
|
+
pulumi.set(self, "hybrid_key_type_ec", value)
|
197
|
+
|
198
|
+
@property
|
199
|
+
@pulumi.getter(name="hybridKeyTypePqc")
|
200
|
+
def hybrid_key_type_pqc(self) -> Optional[pulumi.Input[builtins.str]]:
|
201
|
+
"""
|
202
|
+
The post-quantum algorithm to use for hybrid signatures.
|
203
|
+
Currently, ML-DSA is the only supported key type.
|
204
|
+
"""
|
205
|
+
return pulumi.get(self, "hybrid_key_type_pqc")
|
206
|
+
|
207
|
+
@hybrid_key_type_pqc.setter
|
208
|
+
def hybrid_key_type_pqc(self, value: Optional[pulumi.Input[builtins.str]]):
|
209
|
+
pulumi.set(self, "hybrid_key_type_pqc", value)
|
210
|
+
|
169
211
|
@property
|
170
212
|
@pulumi.getter(name="keySize")
|
171
|
-
def key_size(self) -> Optional[pulumi.Input[int]]:
|
213
|
+
def key_size(self) -> Optional[pulumi.Input[builtins.int]]:
|
172
214
|
"""
|
173
215
|
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
|
174
216
|
"""
|
175
217
|
return pulumi.get(self, "key_size")
|
176
218
|
|
177
219
|
@key_size.setter
|
178
|
-
def key_size(self, value: Optional[pulumi.Input[int]]):
|
220
|
+
def key_size(self, value: Optional[pulumi.Input[builtins.int]]):
|
179
221
|
pulumi.set(self, "key_size", value)
|
180
222
|
|
181
223
|
@property
|
182
224
|
@pulumi.getter(name="minDecryptionVersion")
|
183
|
-
def min_decryption_version(self) -> Optional[pulumi.Input[int]]:
|
225
|
+
def min_decryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
|
184
226
|
"""
|
185
227
|
Minimum key version to use for decryption.
|
186
228
|
"""
|
187
229
|
return pulumi.get(self, "min_decryption_version")
|
188
230
|
|
189
231
|
@min_decryption_version.setter
|
190
|
-
def min_decryption_version(self, value: Optional[pulumi.Input[int]]):
|
232
|
+
def min_decryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
|
191
233
|
pulumi.set(self, "min_decryption_version", value)
|
192
234
|
|
193
235
|
@property
|
194
236
|
@pulumi.getter(name="minEncryptionVersion")
|
195
|
-
def min_encryption_version(self) -> Optional[pulumi.Input[int]]:
|
237
|
+
def min_encryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
|
196
238
|
"""
|
197
239
|
Minimum key version to use for encryption
|
198
240
|
"""
|
199
241
|
return pulumi.get(self, "min_encryption_version")
|
200
242
|
|
201
243
|
@min_encryption_version.setter
|
202
|
-
def min_encryption_version(self, value: Optional[pulumi.Input[int]]):
|
244
|
+
def min_encryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
|
203
245
|
pulumi.set(self, "min_encryption_version", value)
|
204
246
|
|
205
247
|
@property
|
206
248
|
@pulumi.getter
|
207
|
-
def name(self) -> Optional[pulumi.Input[str]]:
|
249
|
+
def name(self) -> Optional[pulumi.Input[builtins.str]]:
|
208
250
|
"""
|
209
251
|
The name to identify this key within the backend. Must be unique within the backend.
|
210
252
|
"""
|
211
253
|
return pulumi.get(self, "name")
|
212
254
|
|
213
255
|
@name.setter
|
214
|
-
def name(self, value: Optional[pulumi.Input[str]]):
|
256
|
+
def name(self, value: Optional[pulumi.Input[builtins.str]]):
|
215
257
|
pulumi.set(self, "name", value)
|
216
258
|
|
217
259
|
@property
|
218
260
|
@pulumi.getter
|
219
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
261
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
220
262
|
"""
|
221
263
|
The namespace to provision the resource in.
|
222
264
|
The value should not contain leading or trailing forward slashes.
|
@@ -226,12 +268,25 @@ class SecretBackendKeyArgs:
|
|
226
268
|
return pulumi.get(self, "namespace")
|
227
269
|
|
228
270
|
@namespace.setter
|
229
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
271
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
230
272
|
pulumi.set(self, "namespace", value)
|
231
273
|
|
274
|
+
@property
|
275
|
+
@pulumi.getter(name="parameterSet")
|
276
|
+
def parameter_set(self) -> Optional[pulumi.Input[builtins.str]]:
|
277
|
+
"""
|
278
|
+
The parameter set to use for ML-DSA. Required for
|
279
|
+
ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
|
280
|
+
"""
|
281
|
+
return pulumi.get(self, "parameter_set")
|
282
|
+
|
283
|
+
@parameter_set.setter
|
284
|
+
def parameter_set(self, value: Optional[pulumi.Input[builtins.str]]):
|
285
|
+
pulumi.set(self, "parameter_set", value)
|
286
|
+
|
232
287
|
@property
|
233
288
|
@pulumi.getter
|
234
|
-
def type(self) -> Optional[pulumi.Input[str]]:
|
289
|
+
def type(self) -> Optional[pulumi.Input[builtins.str]]:
|
235
290
|
"""
|
236
291
|
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
|
237
292
|
* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
|
@@ -239,62 +294,71 @@ class SecretBackendKeyArgs:
|
|
239
294
|
return pulumi.get(self, "type")
|
240
295
|
|
241
296
|
@type.setter
|
242
|
-
def type(self, value: Optional[pulumi.Input[str]]):
|
297
|
+
def type(self, value: Optional[pulumi.Input[builtins.str]]):
|
243
298
|
pulumi.set(self, "type", value)
|
244
299
|
|
245
300
|
|
246
301
|
@pulumi.input_type
|
247
302
|
class _SecretBackendKeyState:
|
248
303
|
def __init__(__self__, *,
|
249
|
-
allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
|
250
|
-
auto_rotate_period: Optional[pulumi.Input[int]] = None,
|
251
|
-
backend: Optional[pulumi.Input[str]] = None,
|
252
|
-
convergent_encryption: Optional[pulumi.Input[bool]] = None,
|
253
|
-
deletion_allowed: Optional[pulumi.Input[bool]] = None,
|
254
|
-
derived: Optional[pulumi.Input[bool]] = None,
|
255
|
-
exportable: Optional[pulumi.Input[bool]] = None,
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
262
|
-
|
263
|
-
|
264
|
-
|
265
|
-
|
266
|
-
|
267
|
-
|
268
|
-
|
304
|
+
allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
|
305
|
+
auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
|
306
|
+
backend: Optional[pulumi.Input[builtins.str]] = None,
|
307
|
+
convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
|
308
|
+
deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
|
309
|
+
derived: Optional[pulumi.Input[builtins.bool]] = None,
|
310
|
+
exportable: Optional[pulumi.Input[builtins.bool]] = None,
|
311
|
+
hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
|
312
|
+
hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
|
313
|
+
key_size: Optional[pulumi.Input[builtins.int]] = None,
|
314
|
+
keys: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]] = None,
|
315
|
+
latest_version: Optional[pulumi.Input[builtins.int]] = None,
|
316
|
+
min_available_version: Optional[pulumi.Input[builtins.int]] = None,
|
317
|
+
min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
318
|
+
min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
319
|
+
name: Optional[pulumi.Input[builtins.str]] = None,
|
320
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
321
|
+
parameter_set: Optional[pulumi.Input[builtins.str]] = None,
|
322
|
+
supports_decryption: Optional[pulumi.Input[builtins.bool]] = None,
|
323
|
+
supports_derivation: Optional[pulumi.Input[builtins.bool]] = None,
|
324
|
+
supports_encryption: Optional[pulumi.Input[builtins.bool]] = None,
|
325
|
+
supports_signing: Optional[pulumi.Input[builtins.bool]] = None,
|
326
|
+
type: Optional[pulumi.Input[builtins.str]] = None):
|
269
327
|
"""
|
270
328
|
Input properties used for looking up and filtering SecretBackendKey resources.
|
271
|
-
:param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
329
|
+
:param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
272
330
|
* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
|
273
|
-
:param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
331
|
+
:param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
274
332
|
A value of 0 disables automatic rotation for the key.
|
275
|
-
:param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
276
|
-
:param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
277
|
-
:param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
278
|
-
:param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
279
|
-
:param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
280
|
-
:param pulumi.Input[
|
281
|
-
|
333
|
+
:param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
334
|
+
:param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
335
|
+
:param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
336
|
+
:param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
337
|
+
:param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
338
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
|
339
|
+
Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
|
340
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
|
341
|
+
Currently, ML-DSA is the only supported key type.
|
342
|
+
:param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
|
343
|
+
:param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]] keys: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
|
282
344
|
* for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
|
283
345
|
* for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
|
284
|
-
:param pulumi.Input[int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
|
285
|
-
:param pulumi.Input[int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
|
286
|
-
:param pulumi.Input[int] min_decryption_version: Minimum key version to use for decryption.
|
287
|
-
:param pulumi.Input[int] min_encryption_version: Minimum key version to use for encryption
|
288
|
-
:param pulumi.Input[str] name: The name to identify this key within the backend. Must be unique within the backend.
|
289
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
346
|
+
:param pulumi.Input[builtins.int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
|
347
|
+
:param pulumi.Input[builtins.int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
|
348
|
+
:param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
|
349
|
+
:param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
|
350
|
+
:param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
|
351
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
290
352
|
The value should not contain leading or trailing forward slashes.
|
291
353
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
292
354
|
*Available only for Vault Enterprise*.
|
293
|
-
:param pulumi.Input[
|
294
|
-
|
295
|
-
:param pulumi.Input[bool]
|
296
|
-
:param pulumi.Input[bool]
|
297
|
-
:param pulumi.Input[
|
355
|
+
:param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
|
356
|
+
ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
|
357
|
+
:param pulumi.Input[builtins.bool] supports_decryption: Whether or not the key supports decryption, based on key type.
|
358
|
+
:param pulumi.Input[builtins.bool] supports_derivation: Whether or not the key supports derivation, based on key type.
|
359
|
+
:param pulumi.Input[builtins.bool] supports_encryption: Whether or not the key supports encryption, based on key type.
|
360
|
+
:param pulumi.Input[builtins.bool] supports_signing: Whether or not the key supports signing, based on key type.
|
361
|
+
:param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
|
298
362
|
* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
|
299
363
|
"""
|
300
364
|
if allow_plaintext_backup is not None:
|
@@ -311,6 +375,10 @@ class _SecretBackendKeyState:
|
|
311
375
|
pulumi.set(__self__, "derived", derived)
|
312
376
|
if exportable is not None:
|
313
377
|
pulumi.set(__self__, "exportable", exportable)
|
378
|
+
if hybrid_key_type_ec is not None:
|
379
|
+
pulumi.set(__self__, "hybrid_key_type_ec", hybrid_key_type_ec)
|
380
|
+
if hybrid_key_type_pqc is not None:
|
381
|
+
pulumi.set(__self__, "hybrid_key_type_pqc", hybrid_key_type_pqc)
|
314
382
|
if key_size is not None:
|
315
383
|
pulumi.set(__self__, "key_size", key_size)
|
316
384
|
if keys is not None:
|
@@ -327,6 +395,8 @@ class _SecretBackendKeyState:
|
|
327
395
|
pulumi.set(__self__, "name", name)
|
328
396
|
if namespace is not None:
|
329
397
|
pulumi.set(__self__, "namespace", namespace)
|
398
|
+
if parameter_set is not None:
|
399
|
+
pulumi.set(__self__, "parameter_set", parameter_set)
|
330
400
|
if supports_decryption is not None:
|
331
401
|
pulumi.set(__self__, "supports_decryption", supports_decryption)
|
332
402
|
if supports_derivation is not None:
|
@@ -340,7 +410,7 @@ class _SecretBackendKeyState:
|
|
340
410
|
|
341
411
|
@property
|
342
412
|
@pulumi.getter(name="allowPlaintextBackup")
|
343
|
-
def allow_plaintext_backup(self) -> Optional[pulumi.Input[bool]]:
|
413
|
+
def allow_plaintext_backup(self) -> Optional[pulumi.Input[builtins.bool]]:
|
344
414
|
"""
|
345
415
|
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
346
416
|
* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
|
@@ -348,12 +418,12 @@ class _SecretBackendKeyState:
|
|
348
418
|
return pulumi.get(self, "allow_plaintext_backup")
|
349
419
|
|
350
420
|
@allow_plaintext_backup.setter
|
351
|
-
def allow_plaintext_backup(self, value: Optional[pulumi.Input[bool]]):
|
421
|
+
def allow_plaintext_backup(self, value: Optional[pulumi.Input[builtins.bool]]):
|
352
422
|
pulumi.set(self, "allow_plaintext_backup", value)
|
353
423
|
|
354
424
|
@property
|
355
425
|
@pulumi.getter(name="autoRotatePeriod")
|
356
|
-
def auto_rotate_period(self) -> Optional[pulumi.Input[int]]:
|
426
|
+
def auto_rotate_period(self) -> Optional[pulumi.Input[builtins.int]]:
|
357
427
|
"""
|
358
428
|
Amount of seconds the key should live before being automatically rotated.
|
359
429
|
A value of 0 disables automatic rotation for the key.
|
@@ -361,84 +431,110 @@ class _SecretBackendKeyState:
|
|
361
431
|
return pulumi.get(self, "auto_rotate_period")
|
362
432
|
|
363
433
|
@auto_rotate_period.setter
|
364
|
-
def auto_rotate_period(self, value: Optional[pulumi.Input[int]]):
|
434
|
+
def auto_rotate_period(self, value: Optional[pulumi.Input[builtins.int]]):
|
365
435
|
pulumi.set(self, "auto_rotate_period", value)
|
366
436
|
|
367
437
|
@property
|
368
438
|
@pulumi.getter
|
369
|
-
def backend(self) -> Optional[pulumi.Input[str]]:
|
439
|
+
def backend(self) -> Optional[pulumi.Input[builtins.str]]:
|
370
440
|
"""
|
371
441
|
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
372
442
|
"""
|
373
443
|
return pulumi.get(self, "backend")
|
374
444
|
|
375
445
|
@backend.setter
|
376
|
-
def backend(self, value: Optional[pulumi.Input[str]]):
|
446
|
+
def backend(self, value: Optional[pulumi.Input[builtins.str]]):
|
377
447
|
pulumi.set(self, "backend", value)
|
378
448
|
|
379
449
|
@property
|
380
450
|
@pulumi.getter(name="convergentEncryption")
|
381
|
-
def convergent_encryption(self) -> Optional[pulumi.Input[bool]]:
|
451
|
+
def convergent_encryption(self) -> Optional[pulumi.Input[builtins.bool]]:
|
382
452
|
"""
|
383
453
|
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
384
454
|
"""
|
385
455
|
return pulumi.get(self, "convergent_encryption")
|
386
456
|
|
387
457
|
@convergent_encryption.setter
|
388
|
-
def convergent_encryption(self, value: Optional[pulumi.Input[bool]]):
|
458
|
+
def convergent_encryption(self, value: Optional[pulumi.Input[builtins.bool]]):
|
389
459
|
pulumi.set(self, "convergent_encryption", value)
|
390
460
|
|
391
461
|
@property
|
392
462
|
@pulumi.getter(name="deletionAllowed")
|
393
|
-
def deletion_allowed(self) -> Optional[pulumi.Input[bool]]:
|
463
|
+
def deletion_allowed(self) -> Optional[pulumi.Input[builtins.bool]]:
|
394
464
|
"""
|
395
465
|
Specifies if the key is allowed to be deleted.
|
396
466
|
"""
|
397
467
|
return pulumi.get(self, "deletion_allowed")
|
398
468
|
|
399
469
|
@deletion_allowed.setter
|
400
|
-
def deletion_allowed(self, value: Optional[pulumi.Input[bool]]):
|
470
|
+
def deletion_allowed(self, value: Optional[pulumi.Input[builtins.bool]]):
|
401
471
|
pulumi.set(self, "deletion_allowed", value)
|
402
472
|
|
403
473
|
@property
|
404
474
|
@pulumi.getter
|
405
|
-
def derived(self) -> Optional[pulumi.Input[bool]]:
|
475
|
+
def derived(self) -> Optional[pulumi.Input[builtins.bool]]:
|
406
476
|
"""
|
407
477
|
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
408
478
|
"""
|
409
479
|
return pulumi.get(self, "derived")
|
410
480
|
|
411
481
|
@derived.setter
|
412
|
-
def derived(self, value: Optional[pulumi.Input[bool]]):
|
482
|
+
def derived(self, value: Optional[pulumi.Input[builtins.bool]]):
|
413
483
|
pulumi.set(self, "derived", value)
|
414
484
|
|
415
485
|
@property
|
416
486
|
@pulumi.getter
|
417
|
-
def exportable(self) -> Optional[pulumi.Input[bool]]:
|
487
|
+
def exportable(self) -> Optional[pulumi.Input[builtins.bool]]:
|
418
488
|
"""
|
419
489
|
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
420
490
|
"""
|
421
491
|
return pulumi.get(self, "exportable")
|
422
492
|
|
423
493
|
@exportable.setter
|
424
|
-
def exportable(self, value: Optional[pulumi.Input[bool]]):
|
494
|
+
def exportable(self, value: Optional[pulumi.Input[builtins.bool]]):
|
425
495
|
pulumi.set(self, "exportable", value)
|
426
496
|
|
497
|
+
@property
|
498
|
+
@pulumi.getter(name="hybridKeyTypeEc")
|
499
|
+
def hybrid_key_type_ec(self) -> Optional[pulumi.Input[builtins.str]]:
|
500
|
+
"""
|
501
|
+
The elliptic curve algorithm to use for hybrid signatures.
|
502
|
+
Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
|
503
|
+
"""
|
504
|
+
return pulumi.get(self, "hybrid_key_type_ec")
|
505
|
+
|
506
|
+
@hybrid_key_type_ec.setter
|
507
|
+
def hybrid_key_type_ec(self, value: Optional[pulumi.Input[builtins.str]]):
|
508
|
+
pulumi.set(self, "hybrid_key_type_ec", value)
|
509
|
+
|
510
|
+
@property
|
511
|
+
@pulumi.getter(name="hybridKeyTypePqc")
|
512
|
+
def hybrid_key_type_pqc(self) -> Optional[pulumi.Input[builtins.str]]:
|
513
|
+
"""
|
514
|
+
The post-quantum algorithm to use for hybrid signatures.
|
515
|
+
Currently, ML-DSA is the only supported key type.
|
516
|
+
"""
|
517
|
+
return pulumi.get(self, "hybrid_key_type_pqc")
|
518
|
+
|
519
|
+
@hybrid_key_type_pqc.setter
|
520
|
+
def hybrid_key_type_pqc(self, value: Optional[pulumi.Input[builtins.str]]):
|
521
|
+
pulumi.set(self, "hybrid_key_type_pqc", value)
|
522
|
+
|
427
523
|
@property
|
428
524
|
@pulumi.getter(name="keySize")
|
429
|
-
def key_size(self) -> Optional[pulumi.Input[int]]:
|
525
|
+
def key_size(self) -> Optional[pulumi.Input[builtins.int]]:
|
430
526
|
"""
|
431
527
|
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
|
432
528
|
"""
|
433
529
|
return pulumi.get(self, "key_size")
|
434
530
|
|
435
531
|
@key_size.setter
|
436
|
-
def key_size(self, value: Optional[pulumi.Input[int]]):
|
532
|
+
def key_size(self, value: Optional[pulumi.Input[builtins.int]]):
|
437
533
|
pulumi.set(self, "key_size", value)
|
438
534
|
|
439
535
|
@property
|
440
536
|
@pulumi.getter
|
441
|
-
def keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]]]:
|
537
|
+
def keys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]]:
|
442
538
|
"""
|
443
539
|
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
|
444
540
|
* for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
|
@@ -447,72 +543,72 @@ class _SecretBackendKeyState:
|
|
447
543
|
return pulumi.get(self, "keys")
|
448
544
|
|
449
545
|
@keys.setter
|
450
|
-
def keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[str]]]]]]):
|
546
|
+
def keys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]]):
|
451
547
|
pulumi.set(self, "keys", value)
|
452
548
|
|
453
549
|
@property
|
454
550
|
@pulumi.getter(name="latestVersion")
|
455
|
-
def latest_version(self) -> Optional[pulumi.Input[int]]:
|
551
|
+
def latest_version(self) -> Optional[pulumi.Input[builtins.int]]:
|
456
552
|
"""
|
457
553
|
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
|
458
554
|
"""
|
459
555
|
return pulumi.get(self, "latest_version")
|
460
556
|
|
461
557
|
@latest_version.setter
|
462
|
-
def latest_version(self, value: Optional[pulumi.Input[int]]):
|
558
|
+
def latest_version(self, value: Optional[pulumi.Input[builtins.int]]):
|
463
559
|
pulumi.set(self, "latest_version", value)
|
464
560
|
|
465
561
|
@property
|
466
562
|
@pulumi.getter(name="minAvailableVersion")
|
467
|
-
def min_available_version(self) -> Optional[pulumi.Input[int]]:
|
563
|
+
def min_available_version(self) -> Optional[pulumi.Input[builtins.int]]:
|
468
564
|
"""
|
469
565
|
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
|
470
566
|
"""
|
471
567
|
return pulumi.get(self, "min_available_version")
|
472
568
|
|
473
569
|
@min_available_version.setter
|
474
|
-
def min_available_version(self, value: Optional[pulumi.Input[int]]):
|
570
|
+
def min_available_version(self, value: Optional[pulumi.Input[builtins.int]]):
|
475
571
|
pulumi.set(self, "min_available_version", value)
|
476
572
|
|
477
573
|
@property
|
478
574
|
@pulumi.getter(name="minDecryptionVersion")
|
479
|
-
def min_decryption_version(self) -> Optional[pulumi.Input[int]]:
|
575
|
+
def min_decryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
|
480
576
|
"""
|
481
577
|
Minimum key version to use for decryption.
|
482
578
|
"""
|
483
579
|
return pulumi.get(self, "min_decryption_version")
|
484
580
|
|
485
581
|
@min_decryption_version.setter
|
486
|
-
def min_decryption_version(self, value: Optional[pulumi.Input[int]]):
|
582
|
+
def min_decryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
|
487
583
|
pulumi.set(self, "min_decryption_version", value)
|
488
584
|
|
489
585
|
@property
|
490
586
|
@pulumi.getter(name="minEncryptionVersion")
|
491
|
-
def min_encryption_version(self) -> Optional[pulumi.Input[int]]:
|
587
|
+
def min_encryption_version(self) -> Optional[pulumi.Input[builtins.int]]:
|
492
588
|
"""
|
493
589
|
Minimum key version to use for encryption
|
494
590
|
"""
|
495
591
|
return pulumi.get(self, "min_encryption_version")
|
496
592
|
|
497
593
|
@min_encryption_version.setter
|
498
|
-
def min_encryption_version(self, value: Optional[pulumi.Input[int]]):
|
594
|
+
def min_encryption_version(self, value: Optional[pulumi.Input[builtins.int]]):
|
499
595
|
pulumi.set(self, "min_encryption_version", value)
|
500
596
|
|
501
597
|
@property
|
502
598
|
@pulumi.getter
|
503
|
-
def name(self) -> Optional[pulumi.Input[str]]:
|
599
|
+
def name(self) -> Optional[pulumi.Input[builtins.str]]:
|
504
600
|
"""
|
505
601
|
The name to identify this key within the backend. Must be unique within the backend.
|
506
602
|
"""
|
507
603
|
return pulumi.get(self, "name")
|
508
604
|
|
509
605
|
@name.setter
|
510
|
-
def name(self, value: Optional[pulumi.Input[str]]):
|
606
|
+
def name(self, value: Optional[pulumi.Input[builtins.str]]):
|
511
607
|
pulumi.set(self, "name", value)
|
512
608
|
|
513
609
|
@property
|
514
610
|
@pulumi.getter
|
515
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
611
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
516
612
|
"""
|
517
613
|
The namespace to provision the resource in.
|
518
614
|
The value should not contain leading or trailing forward slashes.
|
@@ -522,60 +618,73 @@ class _SecretBackendKeyState:
|
|
522
618
|
return pulumi.get(self, "namespace")
|
523
619
|
|
524
620
|
@namespace.setter
|
525
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
621
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
526
622
|
pulumi.set(self, "namespace", value)
|
527
623
|
|
624
|
+
@property
|
625
|
+
@pulumi.getter(name="parameterSet")
|
626
|
+
def parameter_set(self) -> Optional[pulumi.Input[builtins.str]]:
|
627
|
+
"""
|
628
|
+
The parameter set to use for ML-DSA. Required for
|
629
|
+
ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
|
630
|
+
"""
|
631
|
+
return pulumi.get(self, "parameter_set")
|
632
|
+
|
633
|
+
@parameter_set.setter
|
634
|
+
def parameter_set(self, value: Optional[pulumi.Input[builtins.str]]):
|
635
|
+
pulumi.set(self, "parameter_set", value)
|
636
|
+
|
528
637
|
@property
|
529
638
|
@pulumi.getter(name="supportsDecryption")
|
530
|
-
def supports_decryption(self) -> Optional[pulumi.Input[bool]]:
|
639
|
+
def supports_decryption(self) -> Optional[pulumi.Input[builtins.bool]]:
|
531
640
|
"""
|
532
641
|
Whether or not the key supports decryption, based on key type.
|
533
642
|
"""
|
534
643
|
return pulumi.get(self, "supports_decryption")
|
535
644
|
|
536
645
|
@supports_decryption.setter
|
537
|
-
def supports_decryption(self, value: Optional[pulumi.Input[bool]]):
|
646
|
+
def supports_decryption(self, value: Optional[pulumi.Input[builtins.bool]]):
|
538
647
|
pulumi.set(self, "supports_decryption", value)
|
539
648
|
|
540
649
|
@property
|
541
650
|
@pulumi.getter(name="supportsDerivation")
|
542
|
-
def supports_derivation(self) -> Optional[pulumi.Input[bool]]:
|
651
|
+
def supports_derivation(self) -> Optional[pulumi.Input[builtins.bool]]:
|
543
652
|
"""
|
544
653
|
Whether or not the key supports derivation, based on key type.
|
545
654
|
"""
|
546
655
|
return pulumi.get(self, "supports_derivation")
|
547
656
|
|
548
657
|
@supports_derivation.setter
|
549
|
-
def supports_derivation(self, value: Optional[pulumi.Input[bool]]):
|
658
|
+
def supports_derivation(self, value: Optional[pulumi.Input[builtins.bool]]):
|
550
659
|
pulumi.set(self, "supports_derivation", value)
|
551
660
|
|
552
661
|
@property
|
553
662
|
@pulumi.getter(name="supportsEncryption")
|
554
|
-
def supports_encryption(self) -> Optional[pulumi.Input[bool]]:
|
663
|
+
def supports_encryption(self) -> Optional[pulumi.Input[builtins.bool]]:
|
555
664
|
"""
|
556
665
|
Whether or not the key supports encryption, based on key type.
|
557
666
|
"""
|
558
667
|
return pulumi.get(self, "supports_encryption")
|
559
668
|
|
560
669
|
@supports_encryption.setter
|
561
|
-
def supports_encryption(self, value: Optional[pulumi.Input[bool]]):
|
670
|
+
def supports_encryption(self, value: Optional[pulumi.Input[builtins.bool]]):
|
562
671
|
pulumi.set(self, "supports_encryption", value)
|
563
672
|
|
564
673
|
@property
|
565
674
|
@pulumi.getter(name="supportsSigning")
|
566
|
-
def supports_signing(self) -> Optional[pulumi.Input[bool]]:
|
675
|
+
def supports_signing(self) -> Optional[pulumi.Input[builtins.bool]]:
|
567
676
|
"""
|
568
677
|
Whether or not the key supports signing, based on key type.
|
569
678
|
"""
|
570
679
|
return pulumi.get(self, "supports_signing")
|
571
680
|
|
572
681
|
@supports_signing.setter
|
573
|
-
def supports_signing(self, value: Optional[pulumi.Input[bool]]):
|
682
|
+
def supports_signing(self, value: Optional[pulumi.Input[builtins.bool]]):
|
574
683
|
pulumi.set(self, "supports_signing", value)
|
575
684
|
|
576
685
|
@property
|
577
686
|
@pulumi.getter
|
578
|
-
def type(self) -> Optional[pulumi.Input[str]]:
|
687
|
+
def type(self) -> Optional[pulumi.Input[builtins.str]]:
|
579
688
|
"""
|
580
689
|
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
|
581
690
|
* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
|
@@ -583,7 +692,7 @@ class _SecretBackendKeyState:
|
|
583
692
|
return pulumi.get(self, "type")
|
584
693
|
|
585
694
|
@type.setter
|
586
|
-
def type(self, value: Optional[pulumi.Input[str]]):
|
695
|
+
def type(self, value: Optional[pulumi.Input[builtins.str]]):
|
587
696
|
pulumi.set(self, "type", value)
|
588
697
|
|
589
698
|
|
@@ -592,19 +701,22 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
592
701
|
def __init__(__self__,
|
593
702
|
resource_name: str,
|
594
703
|
opts: Optional[pulumi.ResourceOptions] = None,
|
595
|
-
allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
|
596
|
-
auto_rotate_period: Optional[pulumi.Input[int]] = None,
|
597
|
-
backend: Optional[pulumi.Input[str]] = None,
|
598
|
-
convergent_encryption: Optional[pulumi.Input[bool]] = None,
|
599
|
-
deletion_allowed: Optional[pulumi.Input[bool]] = None,
|
600
|
-
derived: Optional[pulumi.Input[bool]] = None,
|
601
|
-
exportable: Optional[pulumi.Input[bool]] = None,
|
602
|
-
|
603
|
-
|
604
|
-
|
605
|
-
|
606
|
-
|
607
|
-
|
704
|
+
allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
|
705
|
+
auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
|
706
|
+
backend: Optional[pulumi.Input[builtins.str]] = None,
|
707
|
+
convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
|
708
|
+
deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
|
709
|
+
derived: Optional[pulumi.Input[builtins.bool]] = None,
|
710
|
+
exportable: Optional[pulumi.Input[builtins.bool]] = None,
|
711
|
+
hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
|
712
|
+
hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
|
713
|
+
key_size: Optional[pulumi.Input[builtins.int]] = None,
|
714
|
+
min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
715
|
+
min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
716
|
+
name: Optional[pulumi.Input[builtins.str]] = None,
|
717
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
718
|
+
parameter_set: Optional[pulumi.Input[builtins.str]] = None,
|
719
|
+
type: Optional[pulumi.Input[builtins.str]] = None,
|
608
720
|
__props__=None):
|
609
721
|
"""
|
610
722
|
Creates an Encryption Keyring on a Transit Secret Backend for Vault.
|
@@ -636,24 +748,30 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
636
748
|
|
637
749
|
:param str resource_name: The name of the resource.
|
638
750
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
639
|
-
:param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
751
|
+
:param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
640
752
|
* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
|
641
|
-
:param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
753
|
+
:param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
642
754
|
A value of 0 disables automatic rotation for the key.
|
643
|
-
:param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
644
|
-
:param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
645
|
-
:param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
646
|
-
:param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
647
|
-
:param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
648
|
-
:param pulumi.Input[
|
649
|
-
|
650
|
-
:param pulumi.Input[
|
651
|
-
|
652
|
-
:param pulumi.Input[
|
755
|
+
:param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
756
|
+
:param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
757
|
+
:param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
758
|
+
:param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
759
|
+
:param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
760
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
|
761
|
+
Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
|
762
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
|
763
|
+
Currently, ML-DSA is the only supported key type.
|
764
|
+
:param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
|
765
|
+
:param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
|
766
|
+
:param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
|
767
|
+
:param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
|
768
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
653
769
|
The value should not contain leading or trailing forward slashes.
|
654
770
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
655
771
|
*Available only for Vault Enterprise*.
|
656
|
-
:param pulumi.Input[str]
|
772
|
+
:param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
|
773
|
+
ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
|
774
|
+
:param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
|
657
775
|
* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
|
658
776
|
"""
|
659
777
|
...
|
@@ -705,19 +823,22 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
705
823
|
def _internal_init(__self__,
|
706
824
|
resource_name: str,
|
707
825
|
opts: Optional[pulumi.ResourceOptions] = None,
|
708
|
-
allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
|
709
|
-
auto_rotate_period: Optional[pulumi.Input[int]] = None,
|
710
|
-
backend: Optional[pulumi.Input[str]] = None,
|
711
|
-
convergent_encryption: Optional[pulumi.Input[bool]] = None,
|
712
|
-
deletion_allowed: Optional[pulumi.Input[bool]] = None,
|
713
|
-
derived: Optional[pulumi.Input[bool]] = None,
|
714
|
-
exportable: Optional[pulumi.Input[bool]] = None,
|
715
|
-
|
716
|
-
|
717
|
-
|
718
|
-
|
719
|
-
|
720
|
-
|
826
|
+
allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
|
827
|
+
auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
|
828
|
+
backend: Optional[pulumi.Input[builtins.str]] = None,
|
829
|
+
convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
|
830
|
+
deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
|
831
|
+
derived: Optional[pulumi.Input[builtins.bool]] = None,
|
832
|
+
exportable: Optional[pulumi.Input[builtins.bool]] = None,
|
833
|
+
hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
|
834
|
+
hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
|
835
|
+
key_size: Optional[pulumi.Input[builtins.int]] = None,
|
836
|
+
min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
837
|
+
min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
838
|
+
name: Optional[pulumi.Input[builtins.str]] = None,
|
839
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
840
|
+
parameter_set: Optional[pulumi.Input[builtins.str]] = None,
|
841
|
+
type: Optional[pulumi.Input[builtins.str]] = None,
|
721
842
|
__props__=None):
|
722
843
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
723
844
|
if not isinstance(opts, pulumi.ResourceOptions):
|
@@ -736,11 +857,14 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
736
857
|
__props__.__dict__["deletion_allowed"] = deletion_allowed
|
737
858
|
__props__.__dict__["derived"] = derived
|
738
859
|
__props__.__dict__["exportable"] = exportable
|
860
|
+
__props__.__dict__["hybrid_key_type_ec"] = hybrid_key_type_ec
|
861
|
+
__props__.__dict__["hybrid_key_type_pqc"] = hybrid_key_type_pqc
|
739
862
|
__props__.__dict__["key_size"] = key_size
|
740
863
|
__props__.__dict__["min_decryption_version"] = min_decryption_version
|
741
864
|
__props__.__dict__["min_encryption_version"] = min_encryption_version
|
742
865
|
__props__.__dict__["name"] = name
|
743
866
|
__props__.__dict__["namespace"] = namespace
|
867
|
+
__props__.__dict__["parameter_set"] = parameter_set
|
744
868
|
__props__.__dict__["type"] = type
|
745
869
|
__props__.__dict__["keys"] = None
|
746
870
|
__props__.__dict__["latest_version"] = None
|
@@ -759,26 +883,29 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
759
883
|
def get(resource_name: str,
|
760
884
|
id: pulumi.Input[str],
|
761
885
|
opts: Optional[pulumi.ResourceOptions] = None,
|
762
|
-
allow_plaintext_backup: Optional[pulumi.Input[bool]] = None,
|
763
|
-
auto_rotate_period: Optional[pulumi.Input[int]] = None,
|
764
|
-
backend: Optional[pulumi.Input[str]] = None,
|
765
|
-
convergent_encryption: Optional[pulumi.Input[bool]] = None,
|
766
|
-
deletion_allowed: Optional[pulumi.Input[bool]] = None,
|
767
|
-
derived: Optional[pulumi.Input[bool]] = None,
|
768
|
-
exportable: Optional[pulumi.Input[bool]] = None,
|
769
|
-
|
770
|
-
|
771
|
-
|
772
|
-
|
773
|
-
|
774
|
-
|
775
|
-
|
776
|
-
|
777
|
-
|
778
|
-
|
779
|
-
|
780
|
-
|
781
|
-
|
886
|
+
allow_plaintext_backup: Optional[pulumi.Input[builtins.bool]] = None,
|
887
|
+
auto_rotate_period: Optional[pulumi.Input[builtins.int]] = None,
|
888
|
+
backend: Optional[pulumi.Input[builtins.str]] = None,
|
889
|
+
convergent_encryption: Optional[pulumi.Input[builtins.bool]] = None,
|
890
|
+
deletion_allowed: Optional[pulumi.Input[builtins.bool]] = None,
|
891
|
+
derived: Optional[pulumi.Input[builtins.bool]] = None,
|
892
|
+
exportable: Optional[pulumi.Input[builtins.bool]] = None,
|
893
|
+
hybrid_key_type_ec: Optional[pulumi.Input[builtins.str]] = None,
|
894
|
+
hybrid_key_type_pqc: Optional[pulumi.Input[builtins.str]] = None,
|
895
|
+
key_size: Optional[pulumi.Input[builtins.int]] = None,
|
896
|
+
keys: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]]] = None,
|
897
|
+
latest_version: Optional[pulumi.Input[builtins.int]] = None,
|
898
|
+
min_available_version: Optional[pulumi.Input[builtins.int]] = None,
|
899
|
+
min_decryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
900
|
+
min_encryption_version: Optional[pulumi.Input[builtins.int]] = None,
|
901
|
+
name: Optional[pulumi.Input[builtins.str]] = None,
|
902
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
903
|
+
parameter_set: Optional[pulumi.Input[builtins.str]] = None,
|
904
|
+
supports_decryption: Optional[pulumi.Input[builtins.bool]] = None,
|
905
|
+
supports_derivation: Optional[pulumi.Input[builtins.bool]] = None,
|
906
|
+
supports_encryption: Optional[pulumi.Input[builtins.bool]] = None,
|
907
|
+
supports_signing: Optional[pulumi.Input[builtins.bool]] = None,
|
908
|
+
type: Optional[pulumi.Input[builtins.str]] = None) -> 'SecretBackendKey':
|
782
909
|
"""
|
783
910
|
Get an existing SecretBackendKey resource's state with the given name, id, and optional extra
|
784
911
|
properties used to qualify the lookup.
|
@@ -786,33 +913,39 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
786
913
|
:param str resource_name: The unique name of the resulting resource.
|
787
914
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
788
915
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
789
|
-
:param pulumi.Input[bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
916
|
+
:param pulumi.Input[builtins.bool] allow_plaintext_backup: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
790
917
|
* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
|
791
|
-
:param pulumi.Input[int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
918
|
+
:param pulumi.Input[builtins.int] auto_rotate_period: Amount of seconds the key should live before being automatically rotated.
|
792
919
|
A value of 0 disables automatic rotation for the key.
|
793
|
-
:param pulumi.Input[str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
794
|
-
:param pulumi.Input[bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
795
|
-
:param pulumi.Input[bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
796
|
-
:param pulumi.Input[bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
797
|
-
:param pulumi.Input[bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
798
|
-
:param pulumi.Input[
|
799
|
-
|
920
|
+
:param pulumi.Input[builtins.str] backend: The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
921
|
+
:param pulumi.Input[builtins.bool] convergent_encryption: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
922
|
+
:param pulumi.Input[builtins.bool] deletion_allowed: Specifies if the key is allowed to be deleted.
|
923
|
+
:param pulumi.Input[builtins.bool] derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
924
|
+
:param pulumi.Input[builtins.bool] exportable: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
925
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_ec: The elliptic curve algorithm to use for hybrid signatures.
|
926
|
+
Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
|
927
|
+
:param pulumi.Input[builtins.str] hybrid_key_type_pqc: The post-quantum algorithm to use for hybrid signatures.
|
928
|
+
Currently, ML-DSA is the only supported key type.
|
929
|
+
:param pulumi.Input[builtins.int] key_size: The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
|
930
|
+
:param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]] keys: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
|
800
931
|
* for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
|
801
932
|
* for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
|
802
|
-
:param pulumi.Input[int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
|
803
|
-
:param pulumi.Input[int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
|
804
|
-
:param pulumi.Input[int] min_decryption_version: Minimum key version to use for decryption.
|
805
|
-
:param pulumi.Input[int] min_encryption_version: Minimum key version to use for encryption
|
806
|
-
:param pulumi.Input[str] name: The name to identify this key within the backend. Must be unique within the backend.
|
807
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
933
|
+
:param pulumi.Input[builtins.int] latest_version: Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
|
934
|
+
:param pulumi.Input[builtins.int] min_available_version: Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
|
935
|
+
:param pulumi.Input[builtins.int] min_decryption_version: Minimum key version to use for decryption.
|
936
|
+
:param pulumi.Input[builtins.int] min_encryption_version: Minimum key version to use for encryption
|
937
|
+
:param pulumi.Input[builtins.str] name: The name to identify this key within the backend. Must be unique within the backend.
|
938
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
808
939
|
The value should not contain leading or trailing forward slashes.
|
809
940
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
810
941
|
*Available only for Vault Enterprise*.
|
811
|
-
:param pulumi.Input[
|
812
|
-
|
813
|
-
:param pulumi.Input[bool]
|
814
|
-
:param pulumi.Input[bool]
|
815
|
-
:param pulumi.Input[
|
942
|
+
:param pulumi.Input[builtins.str] parameter_set: The parameter set to use for ML-DSA. Required for
|
943
|
+
ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
|
944
|
+
:param pulumi.Input[builtins.bool] supports_decryption: Whether or not the key supports decryption, based on key type.
|
945
|
+
:param pulumi.Input[builtins.bool] supports_derivation: Whether or not the key supports derivation, based on key type.
|
946
|
+
:param pulumi.Input[builtins.bool] supports_encryption: Whether or not the key supports encryption, based on key type.
|
947
|
+
:param pulumi.Input[builtins.bool] supports_signing: Whether or not the key supports signing, based on key type.
|
948
|
+
:param pulumi.Input[builtins.str] type: Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
|
816
949
|
* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
|
817
950
|
"""
|
818
951
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
@@ -826,6 +959,8 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
826
959
|
__props__.__dict__["deletion_allowed"] = deletion_allowed
|
827
960
|
__props__.__dict__["derived"] = derived
|
828
961
|
__props__.__dict__["exportable"] = exportable
|
962
|
+
__props__.__dict__["hybrid_key_type_ec"] = hybrid_key_type_ec
|
963
|
+
__props__.__dict__["hybrid_key_type_pqc"] = hybrid_key_type_pqc
|
829
964
|
__props__.__dict__["key_size"] = key_size
|
830
965
|
__props__.__dict__["keys"] = keys
|
831
966
|
__props__.__dict__["latest_version"] = latest_version
|
@@ -834,6 +969,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
834
969
|
__props__.__dict__["min_encryption_version"] = min_encryption_version
|
835
970
|
__props__.__dict__["name"] = name
|
836
971
|
__props__.__dict__["namespace"] = namespace
|
972
|
+
__props__.__dict__["parameter_set"] = parameter_set
|
837
973
|
__props__.__dict__["supports_decryption"] = supports_decryption
|
838
974
|
__props__.__dict__["supports_derivation"] = supports_derivation
|
839
975
|
__props__.__dict__["supports_encryption"] = supports_encryption
|
@@ -843,7 +979,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
843
979
|
|
844
980
|
@property
|
845
981
|
@pulumi.getter(name="allowPlaintextBackup")
|
846
|
-
def allow_plaintext_backup(self) -> pulumi.Output[Optional[bool]]:
|
982
|
+
def allow_plaintext_backup(self) -> pulumi.Output[Optional[builtins.bool]]:
|
847
983
|
"""
|
848
984
|
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
|
849
985
|
* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)
|
@@ -852,7 +988,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
852
988
|
|
853
989
|
@property
|
854
990
|
@pulumi.getter(name="autoRotatePeriod")
|
855
|
-
def auto_rotate_period(self) -> pulumi.Output[int]:
|
991
|
+
def auto_rotate_period(self) -> pulumi.Output[builtins.int]:
|
856
992
|
"""
|
857
993
|
Amount of seconds the key should live before being automatically rotated.
|
858
994
|
A value of 0 disables automatic rotation for the key.
|
@@ -861,7 +997,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
861
997
|
|
862
998
|
@property
|
863
999
|
@pulumi.getter
|
864
|
-
def backend(self) -> pulumi.Output[str]:
|
1000
|
+
def backend(self) -> pulumi.Output[builtins.str]:
|
865
1001
|
"""
|
866
1002
|
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
|
867
1003
|
"""
|
@@ -869,7 +1005,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
869
1005
|
|
870
1006
|
@property
|
871
1007
|
@pulumi.getter(name="convergentEncryption")
|
872
|
-
def convergent_encryption(self) -> pulumi.Output[Optional[bool]]:
|
1008
|
+
def convergent_encryption(self) -> pulumi.Output[Optional[builtins.bool]]:
|
873
1009
|
"""
|
874
1010
|
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
|
875
1011
|
"""
|
@@ -877,7 +1013,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
877
1013
|
|
878
1014
|
@property
|
879
1015
|
@pulumi.getter(name="deletionAllowed")
|
880
|
-
def deletion_allowed(self) -> pulumi.Output[Optional[bool]]:
|
1016
|
+
def deletion_allowed(self) -> pulumi.Output[Optional[builtins.bool]]:
|
881
1017
|
"""
|
882
1018
|
Specifies if the key is allowed to be deleted.
|
883
1019
|
"""
|
@@ -885,7 +1021,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
885
1021
|
|
886
1022
|
@property
|
887
1023
|
@pulumi.getter
|
888
|
-
def derived(self) -> pulumi.Output[Optional[bool]]:
|
1024
|
+
def derived(self) -> pulumi.Output[Optional[builtins.bool]]:
|
889
1025
|
"""
|
890
1026
|
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
|
891
1027
|
"""
|
@@ -893,15 +1029,33 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
893
1029
|
|
894
1030
|
@property
|
895
1031
|
@pulumi.getter
|
896
|
-
def exportable(self) -> pulumi.Output[Optional[bool]]:
|
1032
|
+
def exportable(self) -> pulumi.Output[Optional[builtins.bool]]:
|
897
1033
|
"""
|
898
1034
|
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
|
899
1035
|
"""
|
900
1036
|
return pulumi.get(self, "exportable")
|
901
1037
|
|
1038
|
+
@property
|
1039
|
+
@pulumi.getter(name="hybridKeyTypeEc")
|
1040
|
+
def hybrid_key_type_ec(self) -> pulumi.Output[Optional[builtins.str]]:
|
1041
|
+
"""
|
1042
|
+
The elliptic curve algorithm to use for hybrid signatures.
|
1043
|
+
Supported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and `ed25519`.
|
1044
|
+
"""
|
1045
|
+
return pulumi.get(self, "hybrid_key_type_ec")
|
1046
|
+
|
1047
|
+
@property
|
1048
|
+
@pulumi.getter(name="hybridKeyTypePqc")
|
1049
|
+
def hybrid_key_type_pqc(self) -> pulumi.Output[Optional[builtins.str]]:
|
1050
|
+
"""
|
1051
|
+
The post-quantum algorithm to use for hybrid signatures.
|
1052
|
+
Currently, ML-DSA is the only supported key type.
|
1053
|
+
"""
|
1054
|
+
return pulumi.get(self, "hybrid_key_type_pqc")
|
1055
|
+
|
902
1056
|
@property
|
903
1057
|
@pulumi.getter(name="keySize")
|
904
|
-
def key_size(self) -> pulumi.Output[Optional[int]]:
|
1058
|
+
def key_size(self) -> pulumi.Output[Optional[builtins.int]]:
|
905
1059
|
"""
|
906
1060
|
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
|
907
1061
|
"""
|
@@ -909,7 +1063,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
909
1063
|
|
910
1064
|
@property
|
911
1065
|
@pulumi.getter
|
912
|
-
def keys(self) -> pulumi.Output[Sequence[Mapping[str, str]]]:
|
1066
|
+
def keys(self) -> pulumi.Output[Sequence[Mapping[str, builtins.str]]]:
|
913
1067
|
"""
|
914
1068
|
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
|
915
1069
|
* for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
|
@@ -919,7 +1073,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
919
1073
|
|
920
1074
|
@property
|
921
1075
|
@pulumi.getter(name="latestVersion")
|
922
|
-
def latest_version(self) -> pulumi.Output[int]:
|
1076
|
+
def latest_version(self) -> pulumi.Output[builtins.int]:
|
923
1077
|
"""
|
924
1078
|
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`
|
925
1079
|
"""
|
@@ -927,7 +1081,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
927
1081
|
|
928
1082
|
@property
|
929
1083
|
@pulumi.getter(name="minAvailableVersion")
|
930
|
-
def min_available_version(self) -> pulumi.Output[int]:
|
1084
|
+
def min_available_version(self) -> pulumi.Output[builtins.int]:
|
931
1085
|
"""
|
932
1086
|
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
|
933
1087
|
"""
|
@@ -935,7 +1089,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
935
1089
|
|
936
1090
|
@property
|
937
1091
|
@pulumi.getter(name="minDecryptionVersion")
|
938
|
-
def min_decryption_version(self) -> pulumi.Output[Optional[int]]:
|
1092
|
+
def min_decryption_version(self) -> pulumi.Output[Optional[builtins.int]]:
|
939
1093
|
"""
|
940
1094
|
Minimum key version to use for decryption.
|
941
1095
|
"""
|
@@ -943,7 +1097,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
943
1097
|
|
944
1098
|
@property
|
945
1099
|
@pulumi.getter(name="minEncryptionVersion")
|
946
|
-
def min_encryption_version(self) -> pulumi.Output[Optional[int]]:
|
1100
|
+
def min_encryption_version(self) -> pulumi.Output[Optional[builtins.int]]:
|
947
1101
|
"""
|
948
1102
|
Minimum key version to use for encryption
|
949
1103
|
"""
|
@@ -951,7 +1105,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
951
1105
|
|
952
1106
|
@property
|
953
1107
|
@pulumi.getter
|
954
|
-
def name(self) -> pulumi.Output[str]:
|
1108
|
+
def name(self) -> pulumi.Output[builtins.str]:
|
955
1109
|
"""
|
956
1110
|
The name to identify this key within the backend. Must be unique within the backend.
|
957
1111
|
"""
|
@@ -959,7 +1113,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
959
1113
|
|
960
1114
|
@property
|
961
1115
|
@pulumi.getter
|
962
|
-
def namespace(self) -> pulumi.Output[Optional[str]]:
|
1116
|
+
def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
|
963
1117
|
"""
|
964
1118
|
The namespace to provision the resource in.
|
965
1119
|
The value should not contain leading or trailing forward slashes.
|
@@ -968,9 +1122,18 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
968
1122
|
"""
|
969
1123
|
return pulumi.get(self, "namespace")
|
970
1124
|
|
1125
|
+
@property
|
1126
|
+
@pulumi.getter(name="parameterSet")
|
1127
|
+
def parameter_set(self) -> pulumi.Output[Optional[builtins.str]]:
|
1128
|
+
"""
|
1129
|
+
The parameter set to use for ML-DSA. Required for
|
1130
|
+
ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
|
1131
|
+
"""
|
1132
|
+
return pulumi.get(self, "parameter_set")
|
1133
|
+
|
971
1134
|
@property
|
972
1135
|
@pulumi.getter(name="supportsDecryption")
|
973
|
-
def supports_decryption(self) -> pulumi.Output[bool]:
|
1136
|
+
def supports_decryption(self) -> pulumi.Output[builtins.bool]:
|
974
1137
|
"""
|
975
1138
|
Whether or not the key supports decryption, based on key type.
|
976
1139
|
"""
|
@@ -978,7 +1141,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
978
1141
|
|
979
1142
|
@property
|
980
1143
|
@pulumi.getter(name="supportsDerivation")
|
981
|
-
def supports_derivation(self) -> pulumi.Output[bool]:
|
1144
|
+
def supports_derivation(self) -> pulumi.Output[builtins.bool]:
|
982
1145
|
"""
|
983
1146
|
Whether or not the key supports derivation, based on key type.
|
984
1147
|
"""
|
@@ -986,7 +1149,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
986
1149
|
|
987
1150
|
@property
|
988
1151
|
@pulumi.getter(name="supportsEncryption")
|
989
|
-
def supports_encryption(self) -> pulumi.Output[bool]:
|
1152
|
+
def supports_encryption(self) -> pulumi.Output[builtins.bool]:
|
990
1153
|
"""
|
991
1154
|
Whether or not the key supports encryption, based on key type.
|
992
1155
|
"""
|
@@ -994,7 +1157,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
994
1157
|
|
995
1158
|
@property
|
996
1159
|
@pulumi.getter(name="supportsSigning")
|
997
|
-
def supports_signing(self) -> pulumi.Output[bool]:
|
1160
|
+
def supports_signing(self) -> pulumi.Output[builtins.bool]:
|
998
1161
|
"""
|
999
1162
|
Whether or not the key supports signing, based on key type.
|
1000
1163
|
"""
|
@@ -1002,7 +1165,7 @@ class SecretBackendKey(pulumi.CustomResource):
|
|
1002
1165
|
|
1003
1166
|
@property
|
1004
1167
|
@pulumi.getter
|
1005
|
-
def type(self) -> pulumi.Output[Optional[str]]:
|
1168
|
+
def type(self) -> pulumi.Output[Optional[builtins.str]]:
|
1006
1169
|
"""
|
1007
1170
|
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `hmac`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
|
1008
1171
|
* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)
|