pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl

Files changed (264)
  1. pulumi_vault/__init__.py +9 -0
  2. pulumi_vault/_inputs.py +583 -562
  3. pulumi_vault/ad/__init__.py +1 -0
  4. pulumi_vault/ad/get_access_credentials.py +20 -19
  5. pulumi_vault/ad/secret_backend.py +477 -476
  6. pulumi_vault/ad/secret_library.py +99 -98
  7. pulumi_vault/ad/secret_role.py +85 -84
  8. pulumi_vault/alicloud/__init__.py +1 -0
  9. pulumi_vault/alicloud/auth_backend_role.py +183 -182
  10. pulumi_vault/approle/__init__.py +1 -0
  11. pulumi_vault/approle/auth_backend_login.py +106 -105
  12. pulumi_vault/approle/auth_backend_role.py +239 -238
  13. pulumi_vault/approle/auth_backend_role_secret_id.py +162 -161
  14. pulumi_vault/approle/get_auth_backend_role_id.py +18 -17
  15. pulumi_vault/audit.py +85 -84
  16. pulumi_vault/audit_request_header.py +43 -42
  17. pulumi_vault/auth_backend.py +106 -105
  18. pulumi_vault/aws/__init__.py +1 -0
  19. pulumi_vault/aws/auth_backend_cert.py +71 -70
  20. pulumi_vault/aws/auth_backend_client.py +425 -200
  21. pulumi_vault/aws/auth_backend_config_identity.py +85 -84
  22. pulumi_vault/aws/auth_backend_identity_whitelist.py +57 -56
  23. pulumi_vault/aws/auth_backend_login.py +209 -208
  24. pulumi_vault/aws/auth_backend_role.py +400 -399
  25. pulumi_vault/aws/auth_backend_role_tag.py +127 -126
  26. pulumi_vault/aws/auth_backend_roletag_blacklist.py +57 -56
  27. pulumi_vault/aws/auth_backend_sts_role.py +71 -70
  28. pulumi_vault/aws/get_access_credentials.py +44 -43
  29. pulumi_vault/aws/get_static_access_credentials.py +13 -12
  30. pulumi_vault/aws/secret_backend.py +523 -306
  31. pulumi_vault/aws/secret_backend_role.py +211 -210
  32. pulumi_vault/aws/secret_backend_static_role.py +288 -70
  33. pulumi_vault/azure/__init__.py +1 -0
  34. pulumi_vault/azure/_inputs.py +21 -20
  35. pulumi_vault/azure/auth_backend_config.py +383 -130
  36. pulumi_vault/azure/auth_backend_role.py +253 -252
  37. pulumi_vault/azure/backend.py +432 -186
  38. pulumi_vault/azure/backend_role.py +188 -140
  39. pulumi_vault/azure/get_access_credentials.py +58 -57
  40. pulumi_vault/azure/outputs.py +11 -10
  41. pulumi_vault/cert_auth_backend_role.py +365 -364
  42. pulumi_vault/config/__init__.py +1 -0
  43. pulumi_vault/config/__init__.pyi +1 -0
  44. pulumi_vault/config/_inputs.py +11 -10
  45. pulumi_vault/config/outputs.py +287 -286
  46. pulumi_vault/config/ui_custom_message.py +113 -112
  47. pulumi_vault/config/vars.py +1 -0
  48. pulumi_vault/consul/__init__.py +1 -0
  49. pulumi_vault/consul/secret_backend.py +197 -196
  50. pulumi_vault/consul/secret_backend_role.py +183 -182
  51. pulumi_vault/database/__init__.py +1 -0
  52. pulumi_vault/database/_inputs.py +3857 -2200
  53. pulumi_vault/database/outputs.py +2483 -1330
  54. pulumi_vault/database/secret_backend_connection.py +333 -112
  55. pulumi_vault/database/secret_backend_role.py +169 -168
  56. pulumi_vault/database/secret_backend_static_role.py +283 -140
  57. pulumi_vault/database/secrets_mount.py +275 -266
  58. pulumi_vault/egp_policy.py +71 -70
  59. pulumi_vault/gcp/__init__.py +1 -0
  60. pulumi_vault/gcp/_inputs.py +82 -81
  61. pulumi_vault/gcp/auth_backend.py +426 -205
  62. pulumi_vault/gcp/auth_backend_role.py +281 -280
  63. pulumi_vault/gcp/get_auth_backend_role.py +70 -69
  64. pulumi_vault/gcp/outputs.py +50 -49
  65. pulumi_vault/gcp/secret_backend.py +420 -179
  66. pulumi_vault/gcp/secret_impersonated_account.py +92 -91
  67. pulumi_vault/gcp/secret_roleset.py +92 -91
  68. pulumi_vault/gcp/secret_static_account.py +92 -91
  69. pulumi_vault/generic/__init__.py +1 -0
  70. pulumi_vault/generic/endpoint.py +113 -112
  71. pulumi_vault/generic/get_secret.py +28 -27
  72. pulumi_vault/generic/secret.py +78 -77
  73. pulumi_vault/get_auth_backend.py +19 -18
  74. pulumi_vault/get_auth_backends.py +14 -13
  75. pulumi_vault/get_namespace.py +15 -14
  76. pulumi_vault/get_namespaces.py +68 -18
  77. pulumi_vault/get_nomad_access_token.py +19 -18
  78. pulumi_vault/get_policy_document.py +6 -5
  79. pulumi_vault/get_raft_autopilot_state.py +18 -17
  80. pulumi_vault/github/__init__.py +1 -0
  81. pulumi_vault/github/_inputs.py +42 -41
  82. pulumi_vault/github/auth_backend.py +232 -231
  83. pulumi_vault/github/outputs.py +26 -25
  84. pulumi_vault/github/team.py +57 -56
  85. pulumi_vault/github/user.py +57 -56
  86. pulumi_vault/identity/__init__.py +1 -0
  87. pulumi_vault/identity/entity.py +85 -84
  88. pulumi_vault/identity/entity_alias.py +71 -70
  89. pulumi_vault/identity/entity_policies.py +64 -63
  90. pulumi_vault/identity/get_entity.py +43 -42
  91. pulumi_vault/identity/get_group.py +50 -49
  92. pulumi_vault/identity/get_oidc_client_creds.py +14 -13
  93. pulumi_vault/identity/get_oidc_openid_config.py +24 -23
  94. pulumi_vault/identity/get_oidc_public_keys.py +13 -12
  95. pulumi_vault/identity/group.py +141 -140
  96. pulumi_vault/identity/group_alias.py +57 -56
  97. pulumi_vault/identity/group_member_entity_ids.py +57 -56
  98. pulumi_vault/identity/group_member_group_ids.py +57 -56
  99. pulumi_vault/identity/group_policies.py +64 -63
  100. pulumi_vault/identity/mfa_duo.py +148 -147
  101. pulumi_vault/identity/mfa_login_enforcement.py +120 -119
  102. pulumi_vault/identity/mfa_okta.py +134 -133
  103. pulumi_vault/identity/mfa_pingid.py +127 -126
  104. pulumi_vault/identity/mfa_totp.py +176 -175
  105. pulumi_vault/identity/oidc.py +29 -28
  106. pulumi_vault/identity/oidc_assignment.py +57 -56
  107. pulumi_vault/identity/oidc_client.py +127 -126
  108. pulumi_vault/identity/oidc_key.py +85 -84
  109. pulumi_vault/identity/oidc_key_allowed_client_id.py +43 -42
  110. pulumi_vault/identity/oidc_provider.py +92 -91
  111. pulumi_vault/identity/oidc_role.py +85 -84
  112. pulumi_vault/identity/oidc_scope.py +57 -56
  113. pulumi_vault/identity/outputs.py +32 -31
  114. pulumi_vault/jwt/__init__.py +1 -0
  115. pulumi_vault/jwt/_inputs.py +42 -41
  116. pulumi_vault/jwt/auth_backend.py +288 -287
  117. pulumi_vault/jwt/auth_backend_role.py +407 -406
  118. pulumi_vault/jwt/outputs.py +26 -25
  119. pulumi_vault/kmip/__init__.py +1 -0
  120. pulumi_vault/kmip/secret_backend.py +183 -182
  121. pulumi_vault/kmip/secret_role.py +295 -294
  122. pulumi_vault/kmip/secret_scope.py +57 -56
  123. pulumi_vault/kubernetes/__init__.py +1 -0
  124. pulumi_vault/kubernetes/auth_backend_config.py +141 -140
  125. pulumi_vault/kubernetes/auth_backend_role.py +225 -224
  126. pulumi_vault/kubernetes/get_auth_backend_config.py +47 -46
  127. pulumi_vault/kubernetes/get_auth_backend_role.py +70 -69
  128. pulumi_vault/kubernetes/get_service_account_token.py +38 -37
  129. pulumi_vault/kubernetes/secret_backend.py +316 -315
  130. pulumi_vault/kubernetes/secret_backend_role.py +197 -196
  131. pulumi_vault/kv/__init__.py +1 -0
  132. pulumi_vault/kv/_inputs.py +21 -20
  133. pulumi_vault/kv/get_secret.py +17 -16
  134. pulumi_vault/kv/get_secret_subkeys_v2.py +30 -29
  135. pulumi_vault/kv/get_secret_v2.py +29 -28
  136. pulumi_vault/kv/get_secrets_list.py +13 -12
  137. pulumi_vault/kv/get_secrets_list_v2.py +19 -18
  138. pulumi_vault/kv/outputs.py +13 -12
  139. pulumi_vault/kv/secret.py +50 -49
  140. pulumi_vault/kv/secret_backend_v2.py +71 -70
  141. pulumi_vault/kv/secret_v2.py +134 -133
  142. pulumi_vault/ldap/__init__.py +1 -0
  143. pulumi_vault/ldap/auth_backend.py +754 -533
  144. pulumi_vault/ldap/auth_backend_group.py +57 -56
  145. pulumi_vault/ldap/auth_backend_user.py +71 -70
  146. pulumi_vault/ldap/get_dynamic_credentials.py +17 -16
  147. pulumi_vault/ldap/get_static_credentials.py +18 -17
  148. pulumi_vault/ldap/secret_backend.py +720 -499
  149. pulumi_vault/ldap/secret_backend_dynamic_role.py +127 -126
  150. pulumi_vault/ldap/secret_backend_library_set.py +99 -98
  151. pulumi_vault/ldap/secret_backend_static_role.py +99 -98
  152. pulumi_vault/managed/__init__.py +1 -0
  153. pulumi_vault/managed/_inputs.py +229 -228
  154. pulumi_vault/managed/keys.py +15 -14
  155. pulumi_vault/managed/outputs.py +139 -138
  156. pulumi_vault/mfa_duo.py +113 -112
  157. pulumi_vault/mfa_okta.py +113 -112
  158. pulumi_vault/mfa_pingid.py +120 -119
  159. pulumi_vault/mfa_totp.py +127 -126
  160. pulumi_vault/mongodbatlas/__init__.py +1 -0
  161. pulumi_vault/mongodbatlas/secret_backend.py +64 -63
  162. pulumi_vault/mongodbatlas/secret_role.py +155 -154
  163. pulumi_vault/mount.py +274 -273
  164. pulumi_vault/namespace.py +64 -63
  165. pulumi_vault/nomad_secret_backend.py +211 -210
  166. pulumi_vault/nomad_secret_role.py +85 -84
  167. pulumi_vault/okta/__init__.py +1 -0
  168. pulumi_vault/okta/_inputs.py +26 -25
  169. pulumi_vault/okta/auth_backend.py +274 -273
  170. pulumi_vault/okta/auth_backend_group.py +57 -56
  171. pulumi_vault/okta/auth_backend_user.py +71 -70
  172. pulumi_vault/okta/outputs.py +16 -15
  173. pulumi_vault/outputs.py +73 -60
  174. pulumi_vault/password_policy.py +43 -42
  175. pulumi_vault/pkisecret/__init__.py +3 -0
  176. pulumi_vault/pkisecret/_inputs.py +31 -36
  177. pulumi_vault/pkisecret/backend_acme_eab.py +92 -91
  178. pulumi_vault/pkisecret/backend_config_acme.py +174 -126
  179. pulumi_vault/pkisecret/backend_config_auto_tidy.py +1377 -0
  180. pulumi_vault/pkisecret/backend_config_cluster.py +57 -56
  181. pulumi_vault/pkisecret/backend_config_cmpv2.py +152 -104
  182. pulumi_vault/pkisecret/backend_config_est.py +120 -119
  183. pulumi_vault/pkisecret/get_backend_cert_metadata.py +278 -0
  184. pulumi_vault/pkisecret/get_backend_config_cmpv2.py +35 -17
  185. pulumi_vault/pkisecret/get_backend_config_est.py +19 -18
  186. pulumi_vault/pkisecret/get_backend_issuer.py +139 -25
  187. pulumi_vault/pkisecret/get_backend_issuers.py +15 -14
  188. pulumi_vault/pkisecret/get_backend_key.py +20 -19
  189. pulumi_vault/pkisecret/get_backend_keys.py +15 -14
  190. pulumi_vault/pkisecret/outputs.py +28 -31
  191. pulumi_vault/pkisecret/secret_backend_cert.py +439 -297
  192. pulumi_vault/pkisecret/secret_backend_config_ca.py +43 -42
  193. pulumi_vault/pkisecret/secret_backend_config_issuers.py +57 -56
  194. pulumi_vault/pkisecret/secret_backend_config_urls.py +85 -84
  195. pulumi_vault/pkisecret/secret_backend_crl_config.py +237 -182
  196. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +520 -378
  197. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +57 -56
  198. pulumi_vault/pkisecret/secret_backend_issuer.py +441 -175
  199. pulumi_vault/pkisecret/secret_backend_key.py +120 -119
  200. pulumi_vault/pkisecret/secret_backend_role.py +894 -644
  201. pulumi_vault/pkisecret/secret_backend_root_cert.py +851 -427
  202. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +936 -357
  203. pulumi_vault/pkisecret/secret_backend_sign.py +347 -252
  204. pulumi_vault/plugin.py +127 -126
  205. pulumi_vault/plugin_pinned_version.py +43 -42
  206. pulumi_vault/policy.py +43 -42
  207. pulumi_vault/provider.py +120 -119
  208. pulumi_vault/pulumi-plugin.json +1 -1
  209. pulumi_vault/quota_lease_count.py +85 -84
  210. pulumi_vault/quota_rate_limit.py +113 -112
  211. pulumi_vault/rabbitmq/__init__.py +1 -0
  212. pulumi_vault/rabbitmq/_inputs.py +41 -40
  213. pulumi_vault/rabbitmq/outputs.py +25 -24
  214. pulumi_vault/rabbitmq/secret_backend.py +169 -168
  215. pulumi_vault/rabbitmq/secret_backend_role.py +57 -56
  216. pulumi_vault/raft_autopilot.py +113 -112
  217. pulumi_vault/raft_snapshot_agent_config.py +393 -392
  218. pulumi_vault/rgp_policy.py +57 -56
  219. pulumi_vault/saml/__init__.py +1 -0
  220. pulumi_vault/saml/auth_backend.py +155 -154
  221. pulumi_vault/saml/auth_backend_role.py +239 -238
  222. pulumi_vault/secrets/__init__.py +1 -0
  223. pulumi_vault/secrets/_inputs.py +16 -15
  224. pulumi_vault/secrets/outputs.py +10 -9
  225. pulumi_vault/secrets/sync_association.py +71 -70
  226. pulumi_vault/secrets/sync_aws_destination.py +148 -147
  227. pulumi_vault/secrets/sync_azure_destination.py +148 -147
  228. pulumi_vault/secrets/sync_config.py +43 -42
  229. pulumi_vault/secrets/sync_gcp_destination.py +106 -105
  230. pulumi_vault/secrets/sync_gh_destination.py +134 -133
  231. pulumi_vault/secrets/sync_github_apps.py +64 -63
  232. pulumi_vault/secrets/sync_vercel_destination.py +120 -119
  233. pulumi_vault/ssh/__init__.py +2 -0
  234. pulumi_vault/ssh/_inputs.py +11 -10
  235. pulumi_vault/ssh/get_secret_backend_sign.py +295 -0
  236. pulumi_vault/ssh/outputs.py +7 -6
  237. pulumi_vault/ssh/secret_backend_ca.py +99 -98
  238. pulumi_vault/ssh/secret_backend_role.py +365 -364
  239. pulumi_vault/terraformcloud/__init__.py +1 -0
  240. pulumi_vault/terraformcloud/secret_backend.py +111 -110
  241. pulumi_vault/terraformcloud/secret_creds.py +74 -73
  242. pulumi_vault/terraformcloud/secret_role.py +96 -95
  243. pulumi_vault/token.py +246 -245
  244. pulumi_vault/tokenauth/__init__.py +1 -0
  245. pulumi_vault/tokenauth/auth_backend_role.py +267 -266
  246. pulumi_vault/transform/__init__.py +1 -0
  247. pulumi_vault/transform/alphabet.py +57 -56
  248. pulumi_vault/transform/get_decode.py +47 -46
  249. pulumi_vault/transform/get_encode.py +47 -46
  250. pulumi_vault/transform/role.py +57 -56
  251. pulumi_vault/transform/template.py +113 -112
  252. pulumi_vault/transform/transformation.py +141 -140
  253. pulumi_vault/transit/__init__.py +3 -0
  254. pulumi_vault/transit/get_decrypt.py +18 -17
  255. pulumi_vault/transit/get_encrypt.py +21 -20
  256. pulumi_vault/transit/get_sign.py +325 -0
  257. pulumi_vault/transit/get_verify.py +355 -0
  258. pulumi_vault/transit/secret_backend_key.py +394 -231
  259. pulumi_vault/transit/secret_cache_config.py +43 -42
  260. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/METADATA +2 -2
  261. pulumi_vault-6.7.0.dist-info/RECORD +265 -0
  262. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/WHEEL +1 -1
  263. pulumi_vault-6.6.0a1741415971.dist-info/RECORD +0 -260
  264. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/top_level.txt +0 -0
@@ -2,6 +2,7 @@
2
2
  # *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
3
3
  # *** Do not edit by hand unless you're certain you know what you are doing! ***
4
4
 
5
+ import builtins
5
6
  import copy
6
7
  import warnings
7
8
  import sys
@@ -19,50 +20,68 @@ __all__ = ['SecretBackendArgs', 'SecretBackend']
19
20
  @pulumi.input_type
20
21
  class SecretBackendArgs:
21
22
  def __init__(__self__, *,
22
- access_key: Optional[pulumi.Input[str]] = None,
23
- default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
24
- description: Optional[pulumi.Input[str]] = None,
25
- disable_remount: Optional[pulumi.Input[bool]] = None,
26
- iam_endpoint: Optional[pulumi.Input[str]] = None,
27
- identity_token_audience: Optional[pulumi.Input[str]] = None,
28
- identity_token_key: Optional[pulumi.Input[str]] = None,
29
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
30
- local: Optional[pulumi.Input[bool]] = None,
31
- max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
32
- namespace: Optional[pulumi.Input[str]] = None,
33
- path: Optional[pulumi.Input[str]] = None,
34
- region: Optional[pulumi.Input[str]] = None,
35
- role_arn: Optional[pulumi.Input[str]] = None,
36
- secret_key: Optional[pulumi.Input[str]] = None,
37
- sts_endpoint: Optional[pulumi.Input[str]] = None,
38
- sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
39
- sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
40
- sts_region: Optional[pulumi.Input[str]] = None,
41
- username_template: Optional[pulumi.Input[str]] = None):
23
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
24
+ default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
25
+ description: Optional[pulumi.Input[builtins.str]] = None,
26
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
27
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
28
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
29
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
30
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
31
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
32
+ local: Optional[pulumi.Input[builtins.bool]] = None,
33
+ max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
34
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
35
+ path: Optional[pulumi.Input[builtins.str]] = None,
36
+ region: Optional[pulumi.Input[builtins.str]] = None,
37
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
38
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
39
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
40
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
41
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
42
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
43
+ sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
44
+ sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
45
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
46
+ username_template: Optional[pulumi.Input[builtins.str]] = None):
42
47
  """
43
48
  The set of arguments for constructing a SecretBackend resource.
44
- :param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
49
+ :param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
45
50
  issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
46
- :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
51
+ :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
47
52
  issued by this backend.
48
- :param pulumi.Input[str] description: A human-friendly description for this backend.
49
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
53
+ :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
54
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
55
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
50
56
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
51
- :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
52
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
53
- :param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
54
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
55
- :param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
56
- :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
57
+ :param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
58
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
59
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
60
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
61
+ :param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
62
+ :param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
57
63
  for credentials issued by this backend.
58
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
64
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
59
65
  The value should not contain leading or trailing forward slashes.
60
66
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
61
67
  *Available only for Vault Enterprise*.
62
- :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
68
+ :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
63
69
  not begin or end with a `/`. Defaults to `aws`.
64
- :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
65
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
70
+ :param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
71
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
72
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
73
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
74
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
75
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
76
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
77
+ a rotation when a scheduled token rotation occurs. The default rotation window is
78
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
79
+ :param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
80
+ :param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
81
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
82
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
83
+ :param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
84
+ :param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
66
85
 
67
86
  ```
68
87
  {{ if (eq .Type "STS") }}
@@ -72,12 +91,6 @@ class SecretBackendArgs:
72
91
  {{ end }}
73
92
 
74
93
  ```
75
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
76
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
77
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
78
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
79
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
80
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
81
94
  """
82
95
  if access_key is not None:
83
96
  pulumi.set(__self__, "access_key", access_key)
@@ -85,6 +98,8 @@ class SecretBackendArgs:
85
98
  pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
86
99
  if description is not None:
87
100
  pulumi.set(__self__, "description", description)
101
+ if disable_automated_rotation is not None:
102
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
88
103
  if disable_remount is not None:
89
104
  pulumi.set(__self__, "disable_remount", disable_remount)
90
105
  if iam_endpoint is not None:
@@ -107,6 +122,12 @@ class SecretBackendArgs:
107
122
  pulumi.set(__self__, "region", region)
108
123
  if role_arn is not None:
109
124
  pulumi.set(__self__, "role_arn", role_arn)
125
+ if rotation_period is not None:
126
+ pulumi.set(__self__, "rotation_period", rotation_period)
127
+ if rotation_schedule is not None:
128
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
129
+ if rotation_window is not None:
130
+ pulumi.set(__self__, "rotation_window", rotation_window)
110
131
  if secret_key is not None:
111
132
  pulumi.set(__self__, "secret_key", secret_key)
112
133
  if sts_endpoint is not None:
@@ -122,7 +143,7 @@ class SecretBackendArgs:
122
143
 
123
144
  @property
124
145
  @pulumi.getter(name="accessKey")
125
- def access_key(self) -> Optional[pulumi.Input[str]]:
146
+ def access_key(self) -> Optional[pulumi.Input[builtins.str]]:
126
147
  """
127
148
  The AWS Access Key ID this backend should use to
128
149
  issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
@@ -130,12 +151,12 @@ class SecretBackendArgs:
130
151
  return pulumi.get(self, "access_key")
131
152
 
132
153
  @access_key.setter
133
- def access_key(self, value: Optional[pulumi.Input[str]]):
154
+ def access_key(self, value: Optional[pulumi.Input[builtins.str]]):
134
155
  pulumi.set(self, "access_key", value)
135
156
 
136
157
  @property
137
158
  @pulumi.getter(name="defaultLeaseTtlSeconds")
138
- def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
159
+ def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
139
160
  """
140
161
  The default TTL for credentials
141
162
  issued by this backend.
@@ -143,24 +164,36 @@ class SecretBackendArgs:
143
164
  return pulumi.get(self, "default_lease_ttl_seconds")
144
165
 
145
166
  @default_lease_ttl_seconds.setter
146
- def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
167
+ def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
147
168
  pulumi.set(self, "default_lease_ttl_seconds", value)
148
169
 
149
170
  @property
150
171
  @pulumi.getter
151
- def description(self) -> Optional[pulumi.Input[str]]:
172
+ def description(self) -> Optional[pulumi.Input[builtins.str]]:
152
173
  """
153
174
  A human-friendly description for this backend.
154
175
  """
155
176
  return pulumi.get(self, "description")
156
177
 
157
178
  @description.setter
158
- def description(self, value: Optional[pulumi.Input[str]]):
179
+ def description(self, value: Optional[pulumi.Input[builtins.str]]):
159
180
  pulumi.set(self, "description", value)
160
181
 
182
+ @property
183
+ @pulumi.getter(name="disableAutomatedRotation")
184
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
185
+ """
186
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
187
+ """
188
+ return pulumi.get(self, "disable_automated_rotation")
189
+
190
+ @disable_automated_rotation.setter
191
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
192
+ pulumi.set(self, "disable_automated_rotation", value)
193
+
161
194
  @property
162
195
  @pulumi.getter(name="disableRemount")
163
- def disable_remount(self) -> Optional[pulumi.Input[bool]]:
196
+ def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
164
197
  """
165
198
  If set, opts out of mount migration on path updates.
166
199
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
@@ -168,72 +201,72 @@ class SecretBackendArgs:
168
201
  return pulumi.get(self, "disable_remount")
169
202
 
170
203
  @disable_remount.setter
171
- def disable_remount(self, value: Optional[pulumi.Input[bool]]):
204
+ def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
172
205
  pulumi.set(self, "disable_remount", value)
173
206
 
174
207
  @property
175
208
  @pulumi.getter(name="iamEndpoint")
176
- def iam_endpoint(self) -> Optional[pulumi.Input[str]]:
209
+ def iam_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
177
210
  """
178
211
  Specifies a custom HTTP IAM endpoint to use.
179
212
  """
180
213
  return pulumi.get(self, "iam_endpoint")
181
214
 
182
215
  @iam_endpoint.setter
183
- def iam_endpoint(self, value: Optional[pulumi.Input[str]]):
216
+ def iam_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
184
217
  pulumi.set(self, "iam_endpoint", value)
185
218
 
186
219
  @property
187
220
  @pulumi.getter(name="identityTokenAudience")
188
- def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
221
+ def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
189
222
  """
190
223
  The audience claim value. Requires Vault 1.16+.
191
224
  """
192
225
  return pulumi.get(self, "identity_token_audience")
193
226
 
194
227
  @identity_token_audience.setter
195
- def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
228
+ def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
196
229
  pulumi.set(self, "identity_token_audience", value)
197
230
 
198
231
  @property
199
232
  @pulumi.getter(name="identityTokenKey")
200
- def identity_token_key(self) -> Optional[pulumi.Input[str]]:
233
+ def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
201
234
  """
202
235
  The key to use for signing identity tokens. Requires Vault 1.16+.
203
236
  """
204
237
  return pulumi.get(self, "identity_token_key")
205
238
 
206
239
  @identity_token_key.setter
207
- def identity_token_key(self, value: Optional[pulumi.Input[str]]):
240
+ def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
208
241
  pulumi.set(self, "identity_token_key", value)
209
242
 
210
243
  @property
211
244
  @pulumi.getter(name="identityTokenTtl")
212
- def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
245
+ def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
213
246
  """
214
247
  The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
215
248
  """
216
249
  return pulumi.get(self, "identity_token_ttl")
217
250
 
218
251
  @identity_token_ttl.setter
219
- def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
252
+ def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
220
253
  pulumi.set(self, "identity_token_ttl", value)
221
254
 
222
255
  @property
223
256
  @pulumi.getter
224
- def local(self) -> Optional[pulumi.Input[bool]]:
257
+ def local(self) -> Optional[pulumi.Input[builtins.bool]]:
225
258
  """
226
259
  Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
227
260
  """
228
261
  return pulumi.get(self, "local")
229
262
 
230
263
  @local.setter
231
- def local(self, value: Optional[pulumi.Input[bool]]):
264
+ def local(self, value: Optional[pulumi.Input[builtins.bool]]):
232
265
  pulumi.set(self, "local", value)
233
266
 
234
267
  @property
235
268
  @pulumi.getter(name="maxLeaseTtlSeconds")
236
- def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
269
+ def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
237
270
  """
238
271
  The maximum TTL that can be requested
239
272
  for credentials issued by this backend.
@@ -241,12 +274,12 @@ class SecretBackendArgs:
241
274
  return pulumi.get(self, "max_lease_ttl_seconds")
242
275
 
243
276
  @max_lease_ttl_seconds.setter
244
- def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
277
+ def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
245
278
  pulumi.set(self, "max_lease_ttl_seconds", value)
246
279
 
247
280
  @property
248
281
  @pulumi.getter
249
- def namespace(self) -> Optional[pulumi.Input[str]]:
282
+ def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
250
283
  """
251
284
  The namespace to provision the resource in.
252
285
  The value should not contain leading or trailing forward slashes.
@@ -256,12 +289,12 @@ class SecretBackendArgs:
256
289
  return pulumi.get(self, "namespace")
257
290
 
258
291
  @namespace.setter
259
- def namespace(self, value: Optional[pulumi.Input[str]]):
292
+ def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
260
293
  pulumi.set(self, "namespace", value)
261
294
 
262
295
  @property
263
296
  @pulumi.getter
264
- def path(self) -> Optional[pulumi.Input[str]]:
297
+ def path(self) -> Optional[pulumi.Input[builtins.str]]:
265
298
  """
266
299
  The unique path this backend should be mounted at. Must
267
300
  not begin or end with a `/`. Defaults to `aws`.
@@ -269,162 +302,220 @@ class SecretBackendArgs:
269
302
  return pulumi.get(self, "path")
270
303
 
271
304
  @path.setter
272
- def path(self, value: Optional[pulumi.Input[str]]):
305
+ def path(self, value: Optional[pulumi.Input[builtins.str]]):
273
306
  pulumi.set(self, "path", value)
274
307
 
275
308
  @property
276
309
  @pulumi.getter
277
- def region(self) -> Optional[pulumi.Input[str]]:
310
+ def region(self) -> Optional[pulumi.Input[builtins.str]]:
278
311
  """
279
312
  The AWS region to make API calls against. Defaults to us-east-1.
280
313
  """
281
314
  return pulumi.get(self, "region")
282
315
 
283
316
  @region.setter
284
- def region(self, value: Optional[pulumi.Input[str]]):
317
+ def region(self, value: Optional[pulumi.Input[builtins.str]]):
285
318
  pulumi.set(self, "region", value)
286
319
 
287
320
  @property
288
321
  @pulumi.getter(name="roleArn")
289
- def role_arn(self) -> Optional[pulumi.Input[str]]:
322
+ def role_arn(self) -> Optional[pulumi.Input[builtins.str]]:
290
323
  """
291
324
  Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
292
-
293
- ```
294
- {{ if (eq .Type "STS") }}
295
- {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
296
- {{ else }}
297
- {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
298
- {{ end }}
299
-
300
- ```
301
325
  """
302
326
  return pulumi.get(self, "role_arn")
303
327
 
304
328
  @role_arn.setter
305
- def role_arn(self, value: Optional[pulumi.Input[str]]):
329
+ def role_arn(self, value: Optional[pulumi.Input[builtins.str]]):
306
330
  pulumi.set(self, "role_arn", value)
307
331
 
332
+ @property
333
+ @pulumi.getter(name="rotationPeriod")
334
+ def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
335
+ """
336
+ The amount of time in seconds Vault should wait before rotating the root credential.
337
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
338
+ """
339
+ return pulumi.get(self, "rotation_period")
340
+
341
+ @rotation_period.setter
342
+ def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
343
+ pulumi.set(self, "rotation_period", value)
344
+
345
+ @property
346
+ @pulumi.getter(name="rotationSchedule")
347
+ def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
348
+ """
349
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
350
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
351
+ """
352
+ return pulumi.get(self, "rotation_schedule")
353
+
354
+ @rotation_schedule.setter
355
+ def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
356
+ pulumi.set(self, "rotation_schedule", value)
357
+
358
+ @property
359
+ @pulumi.getter(name="rotationWindow")
360
+ def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
361
+ """
362
+ The maximum amount of time in seconds allowed to complete
363
+ a rotation when a scheduled token rotation occurs. The default rotation window is
364
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
365
+ """
366
+ return pulumi.get(self, "rotation_window")
367
+
368
+ @rotation_window.setter
369
+ def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
370
+ pulumi.set(self, "rotation_window", value)
371
+
308
372
  @property
309
373
  @pulumi.getter(name="secretKey")
310
- def secret_key(self) -> Optional[pulumi.Input[str]]:
374
+ def secret_key(self) -> Optional[pulumi.Input[builtins.str]]:
311
375
  """
312
376
  The AWS Secret Access Key to use when generating new credentials.
313
377
  """
314
378
  return pulumi.get(self, "secret_key")
315
379
 
316
380
  @secret_key.setter
317
- def secret_key(self, value: Optional[pulumi.Input[str]]):
381
+ def secret_key(self, value: Optional[pulumi.Input[builtins.str]]):
318
382
  pulumi.set(self, "secret_key", value)
319
383
 
320
384
  @property
321
385
  @pulumi.getter(name="stsEndpoint")
322
- def sts_endpoint(self) -> Optional[pulumi.Input[str]]:
386
+ def sts_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
323
387
  """
324
388
  Specifies a custom HTTP STS endpoint to use.
325
389
  """
326
390
  return pulumi.get(self, "sts_endpoint")
327
391
 
328
392
  @sts_endpoint.setter
329
- def sts_endpoint(self, value: Optional[pulumi.Input[str]]):
393
+ def sts_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
330
394
  pulumi.set(self, "sts_endpoint", value)
331
395
 
332
396
  @property
333
397
  @pulumi.getter(name="stsFallbackEndpoints")
334
- def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
398
+ def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
335
399
  """
336
400
  Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
337
401
  """
338
402
  return pulumi.get(self, "sts_fallback_endpoints")
339
403
 
340
404
  @sts_fallback_endpoints.setter
341
- def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
405
+ def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
342
406
  pulumi.set(self, "sts_fallback_endpoints", value)
343
407
 
344
408
  @property
345
409
  @pulumi.getter(name="stsFallbackRegions")
346
- def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
410
+ def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
347
411
  """
348
412
  Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
349
413
  """
350
414
  return pulumi.get(self, "sts_fallback_regions")
351
415
 
352
416
  @sts_fallback_regions.setter
353
- def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
417
+ def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
354
418
  pulumi.set(self, "sts_fallback_regions", value)
355
419
 
356
420
  @property
357
421
  @pulumi.getter(name="stsRegion")
358
- def sts_region(self) -> Optional[pulumi.Input[str]]:
422
+ def sts_region(self) -> Optional[pulumi.Input[builtins.str]]:
359
423
  """
360
424
  Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
361
425
  """
362
426
  return pulumi.get(self, "sts_region")
363
427
 
364
428
  @sts_region.setter
365
- def sts_region(self, value: Optional[pulumi.Input[str]]):
429
+ def sts_region(self, value: Optional[pulumi.Input[builtins.str]]):
366
430
  pulumi.set(self, "sts_region", value)
367
431
 
368
432
  @property
369
433
  @pulumi.getter(name="usernameTemplate")
370
- def username_template(self) -> Optional[pulumi.Input[str]]:
434
+ def username_template(self) -> Optional[pulumi.Input[builtins.str]]:
371
435
  """
372
436
  Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
437
+
438
+ ```
439
+ {{ if (eq .Type "STS") }}
440
+ {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
441
+ {{ else }}
442
+ {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
443
+ {{ end }}
444
+
445
+ ```
373
446
  """
374
447
  return pulumi.get(self, "username_template")
375
448
 
376
449
  @username_template.setter
377
- def username_template(self, value: Optional[pulumi.Input[str]]):
450
+ def username_template(self, value: Optional[pulumi.Input[builtins.str]]):
378
451
  pulumi.set(self, "username_template", value)
379
452
 
380
453
 
381
454
  @pulumi.input_type
382
455
  class _SecretBackendState:
383
456
  def __init__(__self__, *,
384
- access_key: Optional[pulumi.Input[str]] = None,
385
- default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
386
- description: Optional[pulumi.Input[str]] = None,
387
- disable_remount: Optional[pulumi.Input[bool]] = None,
388
- iam_endpoint: Optional[pulumi.Input[str]] = None,
389
- identity_token_audience: Optional[pulumi.Input[str]] = None,
390
- identity_token_key: Optional[pulumi.Input[str]] = None,
391
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
392
- local: Optional[pulumi.Input[bool]] = None,
393
- max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
394
- namespace: Optional[pulumi.Input[str]] = None,
395
- path: Optional[pulumi.Input[str]] = None,
396
- region: Optional[pulumi.Input[str]] = None,
397
- role_arn: Optional[pulumi.Input[str]] = None,
398
- secret_key: Optional[pulumi.Input[str]] = None,
399
- sts_endpoint: Optional[pulumi.Input[str]] = None,
400
- sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
401
- sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
402
- sts_region: Optional[pulumi.Input[str]] = None,
403
- username_template: Optional[pulumi.Input[str]] = None):
457
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
458
+ default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
459
+ description: Optional[pulumi.Input[builtins.str]] = None,
460
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
461
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
462
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
463
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
464
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
465
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
466
+ local: Optional[pulumi.Input[builtins.bool]] = None,
467
+ max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
468
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
469
+ path: Optional[pulumi.Input[builtins.str]] = None,
470
+ region: Optional[pulumi.Input[builtins.str]] = None,
471
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
472
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
473
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
474
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
475
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
476
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
477
+ sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
478
+ sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
479
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
480
+ username_template: Optional[pulumi.Input[builtins.str]] = None):
404
481
  """
405
482
  Input properties used for looking up and filtering SecretBackend resources.
406
- :param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
483
+ :param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
407
484
  issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
408
- :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
485
+ :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
409
486
  issued by this backend.
410
- :param pulumi.Input[str] description: A human-friendly description for this backend.
411
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
487
+ :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
488
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
489
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
412
490
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
413
- :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
414
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
415
- :param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
416
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
417
- :param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
418
- :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
491
+ :param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
492
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
493
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
494
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
495
+ :param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
496
+ :param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
419
497
  for credentials issued by this backend.
420
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
498
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
421
499
  The value should not contain leading or trailing forward slashes.
422
500
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
423
501
  *Available only for Vault Enterprise*.
424
- :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
502
+ :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
425
503
  not begin or end with a `/`. Defaults to `aws`.
426
- :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
427
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
504
+ :param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
505
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
506
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
507
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
508
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
509
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
510
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
511
+ a rotation when a scheduled token rotation occurs. The default rotation window is
512
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
513
+ :param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
514
+ :param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
515
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
516
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
517
+ :param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
518
+ :param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
428
519
 
429
520
  ```
430
521
  {{ if (eq .Type "STS") }}
@@ -434,12 +525,6 @@ class _SecretBackendState:
434
525
  {{ end }}
435
526
 
436
527
  ```
437
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
438
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
439
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
440
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
441
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
442
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
443
528
  """
444
529
  if access_key is not None:
445
530
  pulumi.set(__self__, "access_key", access_key)
@@ -447,6 +532,8 @@ class _SecretBackendState:
447
532
  pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
448
533
  if description is not None:
449
534
  pulumi.set(__self__, "description", description)
535
+ if disable_automated_rotation is not None:
536
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
450
537
  if disable_remount is not None:
451
538
  pulumi.set(__self__, "disable_remount", disable_remount)
452
539
  if iam_endpoint is not None:
@@ -469,6 +556,12 @@ class _SecretBackendState:
469
556
  pulumi.set(__self__, "region", region)
470
557
  if role_arn is not None:
471
558
  pulumi.set(__self__, "role_arn", role_arn)
559
+ if rotation_period is not None:
560
+ pulumi.set(__self__, "rotation_period", rotation_period)
561
+ if rotation_schedule is not None:
562
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
563
+ if rotation_window is not None:
564
+ pulumi.set(__self__, "rotation_window", rotation_window)
472
565
  if secret_key is not None:
473
566
  pulumi.set(__self__, "secret_key", secret_key)
474
567
  if sts_endpoint is not None:
@@ -484,7 +577,7 @@ class _SecretBackendState:
484
577
 
485
578
  @property
486
579
  @pulumi.getter(name="accessKey")
487
- def access_key(self) -> Optional[pulumi.Input[str]]:
580
+ def access_key(self) -> Optional[pulumi.Input[builtins.str]]:
488
581
  """
489
582
  The AWS Access Key ID this backend should use to
490
583
  issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
@@ -492,12 +585,12 @@ class _SecretBackendState:
492
585
  return pulumi.get(self, "access_key")
493
586
 
494
587
  @access_key.setter
495
- def access_key(self, value: Optional[pulumi.Input[str]]):
588
+ def access_key(self, value: Optional[pulumi.Input[builtins.str]]):
496
589
  pulumi.set(self, "access_key", value)
497
590
 
498
591
  @property
499
592
  @pulumi.getter(name="defaultLeaseTtlSeconds")
500
- def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
593
+ def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
501
594
  """
502
595
  The default TTL for credentials
503
596
  issued by this backend.
@@ -505,24 +598,36 @@ class _SecretBackendState:
505
598
  return pulumi.get(self, "default_lease_ttl_seconds")
506
599
 
507
600
  @default_lease_ttl_seconds.setter
508
- def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
601
+ def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
509
602
  pulumi.set(self, "default_lease_ttl_seconds", value)
510
603
 
511
604
  @property
512
605
  @pulumi.getter
513
- def description(self) -> Optional[pulumi.Input[str]]:
606
+ def description(self) -> Optional[pulumi.Input[builtins.str]]:
514
607
  """
515
608
  A human-friendly description for this backend.
516
609
  """
517
610
  return pulumi.get(self, "description")
518
611
 
519
612
  @description.setter
520
- def description(self, value: Optional[pulumi.Input[str]]):
613
+ def description(self, value: Optional[pulumi.Input[builtins.str]]):
521
614
  pulumi.set(self, "description", value)
522
615
 
616
+ @property
617
+ @pulumi.getter(name="disableAutomatedRotation")
618
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
619
+ """
620
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
621
+ """
622
+ return pulumi.get(self, "disable_automated_rotation")
623
+
624
+ @disable_automated_rotation.setter
625
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
626
+ pulumi.set(self, "disable_automated_rotation", value)
627
+
523
628
  @property
524
629
  @pulumi.getter(name="disableRemount")
525
- def disable_remount(self) -> Optional[pulumi.Input[bool]]:
630
+ def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
526
631
  """
527
632
  If set, opts out of mount migration on path updates.
528
633
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
@@ -530,72 +635,72 @@ class _SecretBackendState:
530
635
  return pulumi.get(self, "disable_remount")
531
636
 
532
637
  @disable_remount.setter
533
- def disable_remount(self, value: Optional[pulumi.Input[bool]]):
638
+ def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
534
639
  pulumi.set(self, "disable_remount", value)
535
640
 
536
641
  @property
537
642
  @pulumi.getter(name="iamEndpoint")
538
- def iam_endpoint(self) -> Optional[pulumi.Input[str]]:
643
+ def iam_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
539
644
  """
540
645
  Specifies a custom HTTP IAM endpoint to use.
541
646
  """
542
647
  return pulumi.get(self, "iam_endpoint")
543
648
 
544
649
  @iam_endpoint.setter
545
- def iam_endpoint(self, value: Optional[pulumi.Input[str]]):
650
+ def iam_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
546
651
  pulumi.set(self, "iam_endpoint", value)
547
652
 
548
653
  @property
549
654
  @pulumi.getter(name="identityTokenAudience")
550
- def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
655
+ def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
551
656
  """
552
657
  The audience claim value. Requires Vault 1.16+.
553
658
  """
554
659
  return pulumi.get(self, "identity_token_audience")
555
660
 
556
661
  @identity_token_audience.setter
557
- def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
662
+ def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
558
663
  pulumi.set(self, "identity_token_audience", value)
559
664
 
560
665
  @property
561
666
  @pulumi.getter(name="identityTokenKey")
562
- def identity_token_key(self) -> Optional[pulumi.Input[str]]:
667
+ def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
563
668
  """
564
669
  The key to use for signing identity tokens. Requires Vault 1.16+.
565
670
  """
566
671
  return pulumi.get(self, "identity_token_key")
567
672
 
568
673
  @identity_token_key.setter
569
- def identity_token_key(self, value: Optional[pulumi.Input[str]]):
674
+ def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
570
675
  pulumi.set(self, "identity_token_key", value)
571
676
 
572
677
  @property
573
678
  @pulumi.getter(name="identityTokenTtl")
574
- def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
679
+ def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
575
680
  """
576
681
  The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
577
682
  """
578
683
  return pulumi.get(self, "identity_token_ttl")
579
684
 
580
685
  @identity_token_ttl.setter
581
- def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
686
+ def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
582
687
  pulumi.set(self, "identity_token_ttl", value)
583
688
 
584
689
  @property
585
690
  @pulumi.getter
586
- def local(self) -> Optional[pulumi.Input[bool]]:
691
+ def local(self) -> Optional[pulumi.Input[builtins.bool]]:
587
692
  """
588
693
  Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
589
694
  """
590
695
  return pulumi.get(self, "local")
591
696
 
592
697
  @local.setter
593
- def local(self, value: Optional[pulumi.Input[bool]]):
698
+ def local(self, value: Optional[pulumi.Input[builtins.bool]]):
594
699
  pulumi.set(self, "local", value)
595
700
 
596
701
  @property
597
702
  @pulumi.getter(name="maxLeaseTtlSeconds")
598
- def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
703
+ def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
599
704
  """
600
705
  The maximum TTL that can be requested
601
706
  for credentials issued by this backend.
@@ -603,12 +708,12 @@ class _SecretBackendState:
603
708
  return pulumi.get(self, "max_lease_ttl_seconds")
604
709
 
605
710
  @max_lease_ttl_seconds.setter
606
- def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
711
+ def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
607
712
  pulumi.set(self, "max_lease_ttl_seconds", value)
608
713
 
609
714
  @property
610
715
  @pulumi.getter
611
- def namespace(self) -> Optional[pulumi.Input[str]]:
716
+ def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
612
717
  """
613
718
  The namespace to provision the resource in.
614
719
  The value should not contain leading or trailing forward slashes.
@@ -618,12 +723,12 @@ class _SecretBackendState:
618
723
  return pulumi.get(self, "namespace")
619
724
 
620
725
  @namespace.setter
621
- def namespace(self, value: Optional[pulumi.Input[str]]):
726
+ def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
622
727
  pulumi.set(self, "namespace", value)
623
728
 
624
729
  @property
625
730
  @pulumi.getter
626
- def path(self) -> Optional[pulumi.Input[str]]:
731
+ def path(self) -> Optional[pulumi.Input[builtins.str]]:
627
732
  """
628
733
  The unique path this backend should be mounted at. Must
629
734
  not begin or end with a `/`. Defaults to `aws`.
@@ -631,112 +736,152 @@ class _SecretBackendState:
631
736
  return pulumi.get(self, "path")
632
737
 
633
738
  @path.setter
634
- def path(self, value: Optional[pulumi.Input[str]]):
739
+ def path(self, value: Optional[pulumi.Input[builtins.str]]):
635
740
  pulumi.set(self, "path", value)
636
741
 
637
742
  @property
638
743
  @pulumi.getter
639
- def region(self) -> Optional[pulumi.Input[str]]:
744
+ def region(self) -> Optional[pulumi.Input[builtins.str]]:
640
745
  """
641
746
  The AWS region to make API calls against. Defaults to us-east-1.
642
747
  """
643
748
  return pulumi.get(self, "region")
644
749
 
645
750
  @region.setter
646
- def region(self, value: Optional[pulumi.Input[str]]):
751
+ def region(self, value: Optional[pulumi.Input[builtins.str]]):
647
752
  pulumi.set(self, "region", value)
648
753
 
649
754
  @property
650
755
  @pulumi.getter(name="roleArn")
651
- def role_arn(self) -> Optional[pulumi.Input[str]]:
756
+ def role_arn(self) -> Optional[pulumi.Input[builtins.str]]:
652
757
  """
653
758
  Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
654
-
655
- ```
656
- {{ if (eq .Type "STS") }}
657
- {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
658
- {{ else }}
659
- {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
660
- {{ end }}
661
-
662
- ```
663
759
  """
664
760
  return pulumi.get(self, "role_arn")
665
761
 
666
762
  @role_arn.setter
667
- def role_arn(self, value: Optional[pulumi.Input[str]]):
763
+ def role_arn(self, value: Optional[pulumi.Input[builtins.str]]):
668
764
  pulumi.set(self, "role_arn", value)
669
765
 
766
+ @property
767
+ @pulumi.getter(name="rotationPeriod")
768
+ def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
769
+ """
770
+ The amount of time in seconds Vault should wait before rotating the root credential.
771
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
772
+ """
773
+ return pulumi.get(self, "rotation_period")
774
+
775
+ @rotation_period.setter
776
+ def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
777
+ pulumi.set(self, "rotation_period", value)
778
+
779
+ @property
780
+ @pulumi.getter(name="rotationSchedule")
781
+ def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
782
+ """
783
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
784
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
785
+ """
786
+ return pulumi.get(self, "rotation_schedule")
787
+
788
+ @rotation_schedule.setter
789
+ def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
790
+ pulumi.set(self, "rotation_schedule", value)
791
+
792
+ @property
793
+ @pulumi.getter(name="rotationWindow")
794
+ def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
795
+ """
796
+ The maximum amount of time in seconds allowed to complete
797
+ a rotation when a scheduled token rotation occurs. The default rotation window is
798
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
799
+ """
800
+ return pulumi.get(self, "rotation_window")
801
+
802
+ @rotation_window.setter
803
+ def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
804
+ pulumi.set(self, "rotation_window", value)
805
+
670
806
  @property
671
807
  @pulumi.getter(name="secretKey")
672
- def secret_key(self) -> Optional[pulumi.Input[str]]:
808
+ def secret_key(self) -> Optional[pulumi.Input[builtins.str]]:
673
809
  """
674
810
  The AWS Secret Access Key to use when generating new credentials.
675
811
  """
676
812
  return pulumi.get(self, "secret_key")
677
813
 
678
814
  @secret_key.setter
679
- def secret_key(self, value: Optional[pulumi.Input[str]]):
815
+ def secret_key(self, value: Optional[pulumi.Input[builtins.str]]):
680
816
  pulumi.set(self, "secret_key", value)
681
817
 
682
818
  @property
683
819
  @pulumi.getter(name="stsEndpoint")
684
- def sts_endpoint(self) -> Optional[pulumi.Input[str]]:
820
+ def sts_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
685
821
  """
686
822
  Specifies a custom HTTP STS endpoint to use.
687
823
  """
688
824
  return pulumi.get(self, "sts_endpoint")
689
825
 
690
826
  @sts_endpoint.setter
691
- def sts_endpoint(self, value: Optional[pulumi.Input[str]]):
827
+ def sts_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
692
828
  pulumi.set(self, "sts_endpoint", value)
693
829
 
694
830
  @property
695
831
  @pulumi.getter(name="stsFallbackEndpoints")
696
- def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
832
+ def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
697
833
  """
698
834
  Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
699
835
  """
700
836
  return pulumi.get(self, "sts_fallback_endpoints")
701
837
 
702
838
  @sts_fallback_endpoints.setter
703
- def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
839
+ def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
704
840
  pulumi.set(self, "sts_fallback_endpoints", value)
705
841
 
706
842
  @property
707
843
  @pulumi.getter(name="stsFallbackRegions")
708
- def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
844
+ def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
709
845
  """
710
846
  Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
711
847
  """
712
848
  return pulumi.get(self, "sts_fallback_regions")
713
849
 
714
850
  @sts_fallback_regions.setter
715
- def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
851
+ def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
716
852
  pulumi.set(self, "sts_fallback_regions", value)
717
853
 
718
854
  @property
719
855
  @pulumi.getter(name="stsRegion")
720
- def sts_region(self) -> Optional[pulumi.Input[str]]:
856
+ def sts_region(self) -> Optional[pulumi.Input[builtins.str]]:
721
857
  """
722
858
  Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
723
859
  """
724
860
  return pulumi.get(self, "sts_region")
725
861
 
726
862
  @sts_region.setter
727
- def sts_region(self, value: Optional[pulumi.Input[str]]):
863
+ def sts_region(self, value: Optional[pulumi.Input[builtins.str]]):
728
864
  pulumi.set(self, "sts_region", value)
729
865
 
730
866
  @property
731
867
  @pulumi.getter(name="usernameTemplate")
732
- def username_template(self) -> Optional[pulumi.Input[str]]:
868
+ def username_template(self) -> Optional[pulumi.Input[builtins.str]]:
733
869
  """
734
870
  Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
871
+
872
+ ```
873
+ {{ if (eq .Type "STS") }}
874
+ {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
875
+ {{ else }}
876
+ {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
877
+ {{ end }}
878
+
879
+ ```
735
880
  """
736
881
  return pulumi.get(self, "username_template")
737
882
 
738
883
  @username_template.setter
739
- def username_template(self, value: Optional[pulumi.Input[str]]):
884
+ def username_template(self, value: Optional[pulumi.Input[builtins.str]]):
740
885
  pulumi.set(self, "username_template", value)
741
886
 
742
887
 
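Review bot: The three rotation docstrings added to `_SecretBackendState` (whose class body begins outside this hunk) name the rotated secret inconsistently: `rotation_period` says "root credential", while `rotation_schedule` says "root token" and `rotation_window` says "scheduled token rotation". I would use one term throughout, e.g. `defining the schedule on which Vault should rotate the root credential.` and `a rotation when a scheduled root credential rotation occurs.`, and write "unbounded" instead of "unbound". The docstrings also do not say whether `rotation_period` and `rotation_schedule` may be set together, or whether `rotation_window` has any effect without a schedule. Presumably the first two are alternatives, which deserves one sentence once confirmed against the provider. The same wording is repeated in the constructor and `get` docstrings in the hunks at `@@ -777,28 +926,42 @@` and `@@ -933,28 +1102,42 @@`.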
@@ -745,26 +890,30 @@ class SecretBackend(pulumi.CustomResource):
745
890
  def __init__(__self__,
746
891
  resource_name: str,
747
892
  opts: Optional[pulumi.ResourceOptions] = None,
748
- access_key: Optional[pulumi.Input[str]] = None,
749
- default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
750
- description: Optional[pulumi.Input[str]] = None,
751
- disable_remount: Optional[pulumi.Input[bool]] = None,
752
- iam_endpoint: Optional[pulumi.Input[str]] = None,
753
- identity_token_audience: Optional[pulumi.Input[str]] = None,
754
- identity_token_key: Optional[pulumi.Input[str]] = None,
755
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
756
- local: Optional[pulumi.Input[bool]] = None,
757
- max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
758
- namespace: Optional[pulumi.Input[str]] = None,
759
- path: Optional[pulumi.Input[str]] = None,
760
- region: Optional[pulumi.Input[str]] = None,
761
- role_arn: Optional[pulumi.Input[str]] = None,
762
- secret_key: Optional[pulumi.Input[str]] = None,
763
- sts_endpoint: Optional[pulumi.Input[str]] = None,
764
- sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
765
- sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
766
- sts_region: Optional[pulumi.Input[str]] = None,
767
- username_template: Optional[pulumi.Input[str]] = None,
893
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
894
+ default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
895
+ description: Optional[pulumi.Input[builtins.str]] = None,
896
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
897
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
898
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
899
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
900
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
901
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
902
+ local: Optional[pulumi.Input[builtins.bool]] = None,
903
+ max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
904
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
905
+ path: Optional[pulumi.Input[builtins.str]] = None,
906
+ region: Optional[pulumi.Input[builtins.str]] = None,
907
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
908
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
909
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
910
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
911
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
912
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
913
+ sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
914
+ sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
915
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
916
+ username_template: Optional[pulumi.Input[builtins.str]] = None,
768
917
  __props__=None):
769
918
  """
770
919
  ## Import
@@ -777,28 +926,42 @@ class SecretBackend(pulumi.CustomResource):
777
926
 
778
927
  :param str resource_name: The name of the resource.
779
928
  :param pulumi.ResourceOptions opts: Options for the resource.
780
- :param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
929
+ :param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
781
930
  issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
782
- :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
931
+ :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
783
932
  issued by this backend.
784
- :param pulumi.Input[str] description: A human-friendly description for this backend.
785
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
933
+ :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
934
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
935
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
786
936
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
787
- :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
788
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
789
- :param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
790
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
791
- :param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
792
- :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
937
+ :param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
938
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
939
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
940
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
941
+ :param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
942
+ :param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
793
943
  for credentials issued by this backend.
794
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
944
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
795
945
  The value should not contain leading or trailing forward slashes.
796
946
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
797
947
  *Available only for Vault Enterprise*.
798
- :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
948
+ :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
799
949
  not begin or end with a `/`. Defaults to `aws`.
800
- :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
801
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
950
+ :param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
951
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
952
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
953
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
954
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
955
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
956
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
957
+ a rotation when a scheduled token rotation occurs. The default rotation window is
958
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
959
+ :param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
960
+ :param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
961
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
962
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
963
+ :param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
964
+ :param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
802
965
 
803
966
  ```
804
967
  {{ if (eq .Type "STS") }}
@@ -808,12 +971,6 @@ class SecretBackend(pulumi.CustomResource):
808
971
  {{ end }}
809
972
 
810
973
  ```
811
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
812
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
813
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
814
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
815
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
816
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
817
974
  """
818
975
  ...
819
976
  @overload
@@ -845,26 +1002,30 @@ class SecretBackend(pulumi.CustomResource):
845
1002
  def _internal_init(__self__,
846
1003
  resource_name: str,
847
1004
  opts: Optional[pulumi.ResourceOptions] = None,
848
- access_key: Optional[pulumi.Input[str]] = None,
849
- default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
850
- description: Optional[pulumi.Input[str]] = None,
851
- disable_remount: Optional[pulumi.Input[bool]] = None,
852
- iam_endpoint: Optional[pulumi.Input[str]] = None,
853
- identity_token_audience: Optional[pulumi.Input[str]] = None,
854
- identity_token_key: Optional[pulumi.Input[str]] = None,
855
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
856
- local: Optional[pulumi.Input[bool]] = None,
857
- max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
858
- namespace: Optional[pulumi.Input[str]] = None,
859
- path: Optional[pulumi.Input[str]] = None,
860
- region: Optional[pulumi.Input[str]] = None,
861
- role_arn: Optional[pulumi.Input[str]] = None,
862
- secret_key: Optional[pulumi.Input[str]] = None,
863
- sts_endpoint: Optional[pulumi.Input[str]] = None,
864
- sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
865
- sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
866
- sts_region: Optional[pulumi.Input[str]] = None,
867
- username_template: Optional[pulumi.Input[str]] = None,
1005
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
1006
+ default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
1007
+ description: Optional[pulumi.Input[builtins.str]] = None,
1008
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
1009
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
1010
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
1011
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
1012
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
1013
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
1014
+ local: Optional[pulumi.Input[builtins.bool]] = None,
1015
+ max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
1016
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
1017
+ path: Optional[pulumi.Input[builtins.str]] = None,
1018
+ region: Optional[pulumi.Input[builtins.str]] = None,
1019
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
1020
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
1021
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
1022
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
1023
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
1024
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
1025
+ sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
1026
+ sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
1027
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
1028
+ username_template: Optional[pulumi.Input[builtins.str]] = None,
868
1029
  __props__=None):
869
1030
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
870
1031
  if not isinstance(opts, pulumi.ResourceOptions):
@@ -877,6 +1038,7 @@ class SecretBackend(pulumi.CustomResource):
877
1038
  __props__.__dict__["access_key"] = None if access_key is None else pulumi.Output.secret(access_key)
878
1039
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
879
1040
  __props__.__dict__["description"] = description
1041
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
880
1042
  __props__.__dict__["disable_remount"] = disable_remount
881
1043
  __props__.__dict__["iam_endpoint"] = iam_endpoint
882
1044
  __props__.__dict__["identity_token_audience"] = identity_token_audience
@@ -888,6 +1050,9 @@ class SecretBackend(pulumi.CustomResource):
888
1050
  __props__.__dict__["path"] = path
889
1051
  __props__.__dict__["region"] = region
890
1052
  __props__.__dict__["role_arn"] = role_arn
1053
+ __props__.__dict__["rotation_period"] = rotation_period
1054
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1055
+ __props__.__dict__["rotation_window"] = rotation_window
891
1056
  __props__.__dict__["secret_key"] = None if secret_key is None else pulumi.Output.secret(secret_key)
892
1057
  __props__.__dict__["sts_endpoint"] = sts_endpoint
893
1058
  __props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints
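Review bot: The new `rotation_period`, `rotation_schedule` and `rotation_window` inputs are forwarded right next to the static `secret_key`, and nothing here records that a configured `access_key`/`secret_key` stops matching the live key once Vault rotates the root credential. If the provider re-sends the configured key on a later update, it would presumably overwrite the rotated credential with a stale one or fail, so the behaviour is worth confirming and documenting. A comment above the `secret_key` assignment would do, e.g. `# NOTE(review): after a root rotation this value is stale; confirm it is not re-applied on update`. `_internal_init` begins and ends outside this hunk.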
@@ -906,26 +1071,30 @@ class SecretBackend(pulumi.CustomResource):
906
1071
  def get(resource_name: str,
907
1072
  id: pulumi.Input[str],
908
1073
  opts: Optional[pulumi.ResourceOptions] = None,
909
- access_key: Optional[pulumi.Input[str]] = None,
910
- default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
911
- description: Optional[pulumi.Input[str]] = None,
912
- disable_remount: Optional[pulumi.Input[bool]] = None,
913
- iam_endpoint: Optional[pulumi.Input[str]] = None,
914
- identity_token_audience: Optional[pulumi.Input[str]] = None,
915
- identity_token_key: Optional[pulumi.Input[str]] = None,
916
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
917
- local: Optional[pulumi.Input[bool]] = None,
918
- max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
919
- namespace: Optional[pulumi.Input[str]] = None,
920
- path: Optional[pulumi.Input[str]] = None,
921
- region: Optional[pulumi.Input[str]] = None,
922
- role_arn: Optional[pulumi.Input[str]] = None,
923
- secret_key: Optional[pulumi.Input[str]] = None,
924
- sts_endpoint: Optional[pulumi.Input[str]] = None,
925
- sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
926
- sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
927
- sts_region: Optional[pulumi.Input[str]] = None,
928
- username_template: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
1074
+ access_key: Optional[pulumi.Input[builtins.str]] = None,
1075
+ default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
1076
+ description: Optional[pulumi.Input[builtins.str]] = None,
1077
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
1078
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
1079
+ iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
1080
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
1081
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
1082
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
1083
+ local: Optional[pulumi.Input[builtins.bool]] = None,
1084
+ max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
1085
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
1086
+ path: Optional[pulumi.Input[builtins.str]] = None,
1087
+ region: Optional[pulumi.Input[builtins.str]] = None,
1088
+ role_arn: Optional[pulumi.Input[builtins.str]] = None,
1089
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
1090
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
1091
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
1092
+ secret_key: Optional[pulumi.Input[builtins.str]] = None,
1093
+ sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
1094
+ sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
1095
+ sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
1096
+ sts_region: Optional[pulumi.Input[builtins.str]] = None,
1097
+ username_template: Optional[pulumi.Input[builtins.str]] = None) -> 'SecretBackend':
929
1098
  """
930
1099
  Get an existing SecretBackend resource's state with the given name, id, and optional extra
931
1100
  properties used to qualify the lookup.
@@ -933,28 +1102,42 @@ class SecretBackend(pulumi.CustomResource):
933
1102
  :param str resource_name: The unique name of the resulting resource.
934
1103
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
935
1104
  :param pulumi.ResourceOptions opts: Options for the resource.
936
- :param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
1105
+ :param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
937
1106
  issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
938
- :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
1107
+ :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
939
1108
  issued by this backend.
940
- :param pulumi.Input[str] description: A human-friendly description for this backend.
941
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
1109
+ :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
1110
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1111
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
942
1112
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
943
- :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
944
- :param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
945
- :param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
946
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
947
- :param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
948
- :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
1113
+ :param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
1114
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
1115
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
1116
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
1117
+ :param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
1118
+ :param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
949
1119
  for credentials issued by this backend.
950
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1120
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
951
1121
  The value should not contain leading or trailing forward slashes.
952
1122
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
953
1123
  *Available only for Vault Enterprise*.
954
- :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
1124
+ :param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
955
1125
  not begin or end with a `/`. Defaults to `aws`.
956
- :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
957
- :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
1126
+ :param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
1127
+ :param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
1128
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
1129
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1130
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1131
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1132
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
1133
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1134
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1135
+ :param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
1136
+ :param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
1137
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
1138
+ :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
1139
+ :param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
1140
+ :param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
958
1141
 
959
1142
  ```
960
1143
  {{ if (eq .Type "STS") }}
@@ -964,12 +1147,6 @@ class SecretBackend(pulumi.CustomResource):
964
1147
  {{ end }}
965
1148
 
966
1149
  ```
967
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
968
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
969
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
970
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
971
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
972
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
973
1150
  """
974
1151
  opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
975
1152
 
@@ -978,6 +1155,7 @@ class SecretBackend(pulumi.CustomResource):
978
1155
  __props__.__dict__["access_key"] = access_key
979
1156
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
980
1157
  __props__.__dict__["description"] = description
1158
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
981
1159
  __props__.__dict__["disable_remount"] = disable_remount
982
1160
  __props__.__dict__["iam_endpoint"] = iam_endpoint
983
1161
  __props__.__dict__["identity_token_audience"] = identity_token_audience
@@ -989,6 +1167,9 @@ class SecretBackend(pulumi.CustomResource):
989
1167
  __props__.__dict__["path"] = path
990
1168
  __props__.__dict__["region"] = region
991
1169
  __props__.__dict__["role_arn"] = role_arn
1170
+ __props__.__dict__["rotation_period"] = rotation_period
1171
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1172
+ __props__.__dict__["rotation_window"] = rotation_window
992
1173
  __props__.__dict__["secret_key"] = secret_key
993
1174
  __props__.__dict__["sts_endpoint"] = sts_endpoint
994
1175
  __props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints
@@ -999,7 +1180,7 @@ class SecretBackend(pulumi.CustomResource):
999
1180
 
1000
1181
  @property
1001
1182
  @pulumi.getter(name="accessKey")
1002
- def access_key(self) -> pulumi.Output[Optional[str]]:
1183
+ def access_key(self) -> pulumi.Output[Optional[builtins.str]]:
1003
1184
  """
1004
1185
  The AWS Access Key ID this backend should use to
1005
1186
  issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
@@ -1008,7 +1189,7 @@ class SecretBackend(pulumi.CustomResource):
1008
1189
 
1009
1190
  @property
1010
1191
  @pulumi.getter(name="defaultLeaseTtlSeconds")
1011
- def default_lease_ttl_seconds(self) -> pulumi.Output[int]:
1192
+ def default_lease_ttl_seconds(self) -> pulumi.Output[builtins.int]:
1012
1193
  """
1013
1194
  The default TTL for credentials
1014
1195
  issued by this backend.
@@ -1017,15 +1198,23 @@ class SecretBackend(pulumi.CustomResource):
1017
1198
 
1018
1199
  @property
1019
1200
  @pulumi.getter
1020
- def description(self) -> pulumi.Output[Optional[str]]:
1201
+ def description(self) -> pulumi.Output[Optional[builtins.str]]:
1021
1202
  """
1022
1203
  A human-friendly description for this backend.
1023
1204
  """
1024
1205
  return pulumi.get(self, "description")
1025
1206
 
1207
+ @property
1208
+ @pulumi.getter(name="disableAutomatedRotation")
1209
+ def disable_automated_rotation(self) -> pulumi.Output[Optional[builtins.bool]]:
1210
+ """
1211
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1212
+ """
1213
+ return pulumi.get(self, "disable_automated_rotation")
1214
+
1026
1215
  @property
1027
1216
  @pulumi.getter(name="disableRemount")
1028
- def disable_remount(self) -> pulumi.Output[Optional[bool]]:
1217
+ def disable_remount(self) -> pulumi.Output[Optional[builtins.bool]]:
1029
1218
  """
1030
1219
  If set, opts out of mount migration on path updates.
1031
1220
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
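Review bot: The docstring of the new `disable_automated_rotation` getter does not say what the flag means for the credential itself: while it is set, no rotation happens, so the root credential supplied through `access_key`/`secret_key` stays in use unchanged. I would extend it to `Cancels all upcoming rotations of the root credential until unset; the current root credential stays in use and is not rotated while this is set. Requires Vault Enterprise 1.19+.` The same documentation gap shows in the `@@ -1111,24 +1300,43 @@` hunk: `rotation_schedule` and `rotation_window` speak of the "root token" and "token rotation" while `rotation_period` says "root credential", and none of the three says whether a period and a schedule may be set together (as far as I know Vault treats them as alternatives, which is worth confirming and stating). If this file is generated from the provider schema, the wording has to be corrected upstream rather than in this module.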
@@ -1034,7 +1223,7 @@ class SecretBackend(pulumi.CustomResource):
1034
1223
 
1035
1224
  @property
1036
1225
  @pulumi.getter(name="iamEndpoint")
1037
- def iam_endpoint(self) -> pulumi.Output[Optional[str]]:
1226
+ def iam_endpoint(self) -> pulumi.Output[Optional[builtins.str]]:
1038
1227
  """
1039
1228
  Specifies a custom HTTP IAM endpoint to use.
1040
1229
  """
@@ -1042,7 +1231,7 @@ class SecretBackend(pulumi.CustomResource):
1042
1231
 
1043
1232
  @property
1044
1233
  @pulumi.getter(name="identityTokenAudience")
1045
- def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
1234
+ def identity_token_audience(self) -> pulumi.Output[Optional[builtins.str]]:
1046
1235
  """
1047
1236
  The audience claim value. Requires Vault 1.16+.
1048
1237
  """
@@ -1050,7 +1239,7 @@ class SecretBackend(pulumi.CustomResource):
1050
1239
 
1051
1240
  @property
1052
1241
  @pulumi.getter(name="identityTokenKey")
1053
- def identity_token_key(self) -> pulumi.Output[Optional[str]]:
1242
+ def identity_token_key(self) -> pulumi.Output[Optional[builtins.str]]:
1054
1243
  """
1055
1244
  The key to use for signing identity tokens. Requires Vault 1.16+.
1056
1245
  """
@@ -1058,7 +1247,7 @@ class SecretBackend(pulumi.CustomResource):
1058
1247
 
1059
1248
  @property
1060
1249
  @pulumi.getter(name="identityTokenTtl")
1061
- def identity_token_ttl(self) -> pulumi.Output[int]:
1250
+ def identity_token_ttl(self) -> pulumi.Output[builtins.int]:
1062
1251
  """
1063
1252
  The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
1064
1253
  """
@@ -1066,7 +1255,7 @@ class SecretBackend(pulumi.CustomResource):
1066
1255
 
1067
1256
  @property
1068
1257
  @pulumi.getter
1069
- def local(self) -> pulumi.Output[Optional[bool]]:
1258
+ def local(self) -> pulumi.Output[Optional[builtins.bool]]:
1070
1259
  """
1071
1260
  Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
1072
1261
  """
@@ -1074,7 +1263,7 @@ class SecretBackend(pulumi.CustomResource):
1074
1263
 
1075
1264
  @property
1076
1265
  @pulumi.getter(name="maxLeaseTtlSeconds")
1077
- def max_lease_ttl_seconds(self) -> pulumi.Output[int]:
1266
+ def max_lease_ttl_seconds(self) -> pulumi.Output[builtins.int]:
1078
1267
  """
1079
1268
  The maximum TTL that can be requested
1080
1269
  for credentials issued by this backend.
@@ -1083,7 +1272,7 @@ class SecretBackend(pulumi.CustomResource):
1083
1272
 
1084
1273
  @property
1085
1274
  @pulumi.getter
1086
- def namespace(self) -> pulumi.Output[Optional[str]]:
1275
+ def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
1087
1276
  """
1088
1277
  The namespace to provision the resource in.
1089
1278
  The value should not contain leading or trailing forward slashes.
@@ -1094,7 +1283,7 @@ class SecretBackend(pulumi.CustomResource):
1094
1283
 
1095
1284
  @property
1096
1285
  @pulumi.getter
1097
- def path(self) -> pulumi.Output[Optional[str]]:
1286
+ def path(self) -> pulumi.Output[Optional[builtins.str]]:
1098
1287
  """
1099
1288
  The unique path this backend should be mounted at. Must
1100
1289
  not begin or end with a `/`. Defaults to `aws`.
@@ -1103,7 +1292,7 @@ class SecretBackend(pulumi.CustomResource):
1103
1292
 
1104
1293
  @property
1105
1294
  @pulumi.getter
1106
- def region(self) -> pulumi.Output[str]:
1295
+ def region(self) -> pulumi.Output[builtins.str]:
1107
1296
  """
1108
1297
  The AWS region to make API calls against. Defaults to us-east-1.
1109
1298
  """
@@ -1111,24 +1300,43 @@ class SecretBackend(pulumi.CustomResource):
1111
1300
 
1112
1301
  @property
1113
1302
  @pulumi.getter(name="roleArn")
1114
- def role_arn(self) -> pulumi.Output[Optional[str]]:
1303
+ def role_arn(self) -> pulumi.Output[Optional[builtins.str]]:
1115
1304
  """
1116
1305
  Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
1306
+ """
1307
+ return pulumi.get(self, "role_arn")
1117
1308
 
1118
- ```
1119
- {{ if (eq .Type "STS") }}
1120
- {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
1121
- {{ else }}
1122
- {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
1123
- {{ end }}
1309
+ @property
1310
+ @pulumi.getter(name="rotationPeriod")
1311
+ def rotation_period(self) -> pulumi.Output[Optional[builtins.int]]:
1312
+ """
1313
+ The amount of time in seconds Vault should wait before rotating the root credential.
1314
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1315
+ """
1316
+ return pulumi.get(self, "rotation_period")
1124
1317
 
1125
- ```
1318
+ @property
1319
+ @pulumi.getter(name="rotationSchedule")
1320
+ def rotation_schedule(self) -> pulumi.Output[Optional[builtins.str]]:
1126
1321
  """
1127
- return pulumi.get(self, "role_arn")
1322
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1323
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1324
+ """
1325
+ return pulumi.get(self, "rotation_schedule")
1326
+
1327
+ @property
1328
+ @pulumi.getter(name="rotationWindow")
1329
+ def rotation_window(self) -> pulumi.Output[Optional[builtins.int]]:
1330
+ """
1331
+ The maximum amount of time in seconds allowed to complete
1332
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1333
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1334
+ """
1335
+ return pulumi.get(self, "rotation_window")
1128
1336
 
1129
1337
  @property
1130
1338
  @pulumi.getter(name="secretKey")
1131
- def secret_key(self) -> pulumi.Output[Optional[str]]:
1339
+ def secret_key(self) -> pulumi.Output[Optional[builtins.str]]:
1132
1340
  """
1133
1341
  The AWS Secret Access Key to use when generating new credentials.
1134
1342
  """
@@ -1136,7 +1344,7 @@ class SecretBackend(pulumi.CustomResource):
1136
1344
 
1137
1345
  @property
1138
1346
  @pulumi.getter(name="stsEndpoint")
1139
- def sts_endpoint(self) -> pulumi.Output[Optional[str]]:
1347
+ def sts_endpoint(self) -> pulumi.Output[Optional[builtins.str]]:
1140
1348
  """
1141
1349
  Specifies a custom HTTP STS endpoint to use.
1142
1350
  """
@@ -1144,7 +1352,7 @@ class SecretBackend(pulumi.CustomResource):
1144
1352
 
1145
1353
  @property
1146
1354
  @pulumi.getter(name="stsFallbackEndpoints")
1147
- def sts_fallback_endpoints(self) -> pulumi.Output[Optional[Sequence[str]]]:
1355
+ def sts_fallback_endpoints(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
1148
1356
  """
1149
1357
  Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
1150
1358
  """
@@ -1152,7 +1360,7 @@ class SecretBackend(pulumi.CustomResource):
1152
1360
 
1153
1361
  @property
1154
1362
  @pulumi.getter(name="stsFallbackRegions")
1155
- def sts_fallback_regions(self) -> pulumi.Output[Optional[Sequence[str]]]:
1363
+ def sts_fallback_regions(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
1156
1364
  """
1157
1365
  Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
1158
1366
  """
@@ -1160,7 +1368,7 @@ class SecretBackend(pulumi.CustomResource):
1160
1368
 
1161
1369
  @property
1162
1370
  @pulumi.getter(name="stsRegion")
1163
- def sts_region(self) -> pulumi.Output[Optional[str]]:
1371
+ def sts_region(self) -> pulumi.Output[Optional[builtins.str]]:
1164
1372
  """
1165
1373
  Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
1166
1374
  """
@@ -1168,9 +1376,18 @@ class SecretBackend(pulumi.CustomResource):
1168
1376
 
1169
1377
  @property
1170
1378
  @pulumi.getter(name="usernameTemplate")
1171
- def username_template(self) -> pulumi.Output[str]:
1379
+ def username_template(self) -> pulumi.Output[builtins.str]:
1172
1380
  """
1173
1381
  Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
1382
+
1383
+ ```
1384
+ {{ if (eq .Type "STS") }}
1385
+ {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
1386
+ {{ else }}
1387
+ {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
1388
+ {{ end }}
1389
+
1390
+ ```
1174
1391
  """
1175
1392
  return pulumi.get(self, "username_template")
1176
1393