pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl
- pulumi_vault/__init__.py +9 -0
- pulumi_vault/_inputs.py +583 -562
- pulumi_vault/ad/__init__.py +1 -0
- pulumi_vault/ad/get_access_credentials.py +20 -19
- pulumi_vault/ad/secret_backend.py +477 -476
- pulumi_vault/ad/secret_library.py +99 -98
- pulumi_vault/ad/secret_role.py +85 -84
- pulumi_vault/alicloud/__init__.py +1 -0
- pulumi_vault/alicloud/auth_backend_role.py +183 -182
- pulumi_vault/approle/__init__.py +1 -0
- pulumi_vault/approle/auth_backend_login.py +106 -105
- pulumi_vault/approle/auth_backend_role.py +239 -238
- pulumi_vault/approle/auth_backend_role_secret_id.py +162 -161
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -17
- pulumi_vault/audit.py +85 -84
- pulumi_vault/audit_request_header.py +43 -42
- pulumi_vault/auth_backend.py +106 -105
- pulumi_vault/aws/__init__.py +1 -0
- pulumi_vault/aws/auth_backend_cert.py +71 -70
- pulumi_vault/aws/auth_backend_client.py +425 -200
- pulumi_vault/aws/auth_backend_config_identity.py +85 -84
- pulumi_vault/aws/auth_backend_identity_whitelist.py +57 -56
- pulumi_vault/aws/auth_backend_login.py +209 -208
- pulumi_vault/aws/auth_backend_role.py +400 -399
- pulumi_vault/aws/auth_backend_role_tag.py +127 -126
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +57 -56
- pulumi_vault/aws/auth_backend_sts_role.py +71 -70
- pulumi_vault/aws/get_access_credentials.py +44 -43
- pulumi_vault/aws/get_static_access_credentials.py +13 -12
- pulumi_vault/aws/secret_backend.py +523 -306
- pulumi_vault/aws/secret_backend_role.py +211 -210
- pulumi_vault/aws/secret_backend_static_role.py +288 -70
- pulumi_vault/azure/__init__.py +1 -0
- pulumi_vault/azure/_inputs.py +21 -20
- pulumi_vault/azure/auth_backend_config.py +383 -130
- pulumi_vault/azure/auth_backend_role.py +253 -252
- pulumi_vault/azure/backend.py +432 -186
- pulumi_vault/azure/backend_role.py +188 -140
- pulumi_vault/azure/get_access_credentials.py +58 -57
- pulumi_vault/azure/outputs.py +11 -10
- pulumi_vault/cert_auth_backend_role.py +365 -364
- pulumi_vault/config/__init__.py +1 -0
- pulumi_vault/config/__init__.pyi +1 -0
- pulumi_vault/config/_inputs.py +11 -10
- pulumi_vault/config/outputs.py +287 -286
- pulumi_vault/config/ui_custom_message.py +113 -112
- pulumi_vault/config/vars.py +1 -0
- pulumi_vault/consul/__init__.py +1 -0
- pulumi_vault/consul/secret_backend.py +197 -196
- pulumi_vault/consul/secret_backend_role.py +183 -182
- pulumi_vault/database/__init__.py +1 -0
- pulumi_vault/database/_inputs.py +3857 -2200
- pulumi_vault/database/outputs.py +2483 -1330
- pulumi_vault/database/secret_backend_connection.py +333 -112
- pulumi_vault/database/secret_backend_role.py +169 -168
- pulumi_vault/database/secret_backend_static_role.py +283 -140
- pulumi_vault/database/secrets_mount.py +275 -266
- pulumi_vault/egp_policy.py +71 -70
- pulumi_vault/gcp/__init__.py +1 -0
- pulumi_vault/gcp/_inputs.py +82 -81
- pulumi_vault/gcp/auth_backend.py +426 -205
- pulumi_vault/gcp/auth_backend_role.py +281 -280
- pulumi_vault/gcp/get_auth_backend_role.py +70 -69
- pulumi_vault/gcp/outputs.py +50 -49
- pulumi_vault/gcp/secret_backend.py +420 -179
- pulumi_vault/gcp/secret_impersonated_account.py +92 -91
- pulumi_vault/gcp/secret_roleset.py +92 -91
- pulumi_vault/gcp/secret_static_account.py +92 -91
- pulumi_vault/generic/__init__.py +1 -0
- pulumi_vault/generic/endpoint.py +113 -112
- pulumi_vault/generic/get_secret.py +28 -27
- pulumi_vault/generic/secret.py +78 -77
- pulumi_vault/get_auth_backend.py +19 -18
- pulumi_vault/get_auth_backends.py +14 -13
- pulumi_vault/get_namespace.py +15 -14
- pulumi_vault/get_namespaces.py +68 -18
- pulumi_vault/get_nomad_access_token.py +19 -18
- pulumi_vault/get_policy_document.py +6 -5
- pulumi_vault/get_raft_autopilot_state.py +18 -17
- pulumi_vault/github/__init__.py +1 -0
- pulumi_vault/github/_inputs.py +42 -41
- pulumi_vault/github/auth_backend.py +232 -231
- pulumi_vault/github/outputs.py +26 -25
- pulumi_vault/github/team.py +57 -56
- pulumi_vault/github/user.py +57 -56
- pulumi_vault/identity/__init__.py +1 -0
- pulumi_vault/identity/entity.py +85 -84
- pulumi_vault/identity/entity_alias.py +71 -70
- pulumi_vault/identity/entity_policies.py +64 -63
- pulumi_vault/identity/get_entity.py +43 -42
- pulumi_vault/identity/get_group.py +50 -49
- pulumi_vault/identity/get_oidc_client_creds.py +14 -13
- pulumi_vault/identity/get_oidc_openid_config.py +24 -23
- pulumi_vault/identity/get_oidc_public_keys.py +13 -12
- pulumi_vault/identity/group.py +141 -140
- pulumi_vault/identity/group_alias.py +57 -56
- pulumi_vault/identity/group_member_entity_ids.py +57 -56
- pulumi_vault/identity/group_member_group_ids.py +57 -56
- pulumi_vault/identity/group_policies.py +64 -63
- pulumi_vault/identity/mfa_duo.py +148 -147
- pulumi_vault/identity/mfa_login_enforcement.py +120 -119
- pulumi_vault/identity/mfa_okta.py +134 -133
- pulumi_vault/identity/mfa_pingid.py +127 -126
- pulumi_vault/identity/mfa_totp.py +176 -175
- pulumi_vault/identity/oidc.py +29 -28
- pulumi_vault/identity/oidc_assignment.py +57 -56
- pulumi_vault/identity/oidc_client.py +127 -126
- pulumi_vault/identity/oidc_key.py +85 -84
- pulumi_vault/identity/oidc_key_allowed_client_id.py +43 -42
- pulumi_vault/identity/oidc_provider.py +92 -91
- pulumi_vault/identity/oidc_role.py +85 -84
- pulumi_vault/identity/oidc_scope.py +57 -56
- pulumi_vault/identity/outputs.py +32 -31
- pulumi_vault/jwt/__init__.py +1 -0
- pulumi_vault/jwt/_inputs.py +42 -41
- pulumi_vault/jwt/auth_backend.py +288 -287
- pulumi_vault/jwt/auth_backend_role.py +407 -406
- pulumi_vault/jwt/outputs.py +26 -25
- pulumi_vault/kmip/__init__.py +1 -0
- pulumi_vault/kmip/secret_backend.py +183 -182
- pulumi_vault/kmip/secret_role.py +295 -294
- pulumi_vault/kmip/secret_scope.py +57 -56
- pulumi_vault/kubernetes/__init__.py +1 -0
- pulumi_vault/kubernetes/auth_backend_config.py +141 -140
- pulumi_vault/kubernetes/auth_backend_role.py +225 -224
- pulumi_vault/kubernetes/get_auth_backend_config.py +47 -46
- pulumi_vault/kubernetes/get_auth_backend_role.py +70 -69
- pulumi_vault/kubernetes/get_service_account_token.py +38 -37
- pulumi_vault/kubernetes/secret_backend.py +316 -315
- pulumi_vault/kubernetes/secret_backend_role.py +197 -196
- pulumi_vault/kv/__init__.py +1 -0
- pulumi_vault/kv/_inputs.py +21 -20
- pulumi_vault/kv/get_secret.py +17 -16
- pulumi_vault/kv/get_secret_subkeys_v2.py +30 -29
- pulumi_vault/kv/get_secret_v2.py +29 -28
- pulumi_vault/kv/get_secrets_list.py +13 -12
- pulumi_vault/kv/get_secrets_list_v2.py +19 -18
- pulumi_vault/kv/outputs.py +13 -12
- pulumi_vault/kv/secret.py +50 -49
- pulumi_vault/kv/secret_backend_v2.py +71 -70
- pulumi_vault/kv/secret_v2.py +134 -133
- pulumi_vault/ldap/__init__.py +1 -0
- pulumi_vault/ldap/auth_backend.py +754 -533
- pulumi_vault/ldap/auth_backend_group.py +57 -56
- pulumi_vault/ldap/auth_backend_user.py +71 -70
- pulumi_vault/ldap/get_dynamic_credentials.py +17 -16
- pulumi_vault/ldap/get_static_credentials.py +18 -17
- pulumi_vault/ldap/secret_backend.py +720 -499
- pulumi_vault/ldap/secret_backend_dynamic_role.py +127 -126
- pulumi_vault/ldap/secret_backend_library_set.py +99 -98
- pulumi_vault/ldap/secret_backend_static_role.py +99 -98
- pulumi_vault/managed/__init__.py +1 -0
- pulumi_vault/managed/_inputs.py +229 -228
- pulumi_vault/managed/keys.py +15 -14
- pulumi_vault/managed/outputs.py +139 -138
- pulumi_vault/mfa_duo.py +113 -112
- pulumi_vault/mfa_okta.py +113 -112
- pulumi_vault/mfa_pingid.py +120 -119
- pulumi_vault/mfa_totp.py +127 -126
- pulumi_vault/mongodbatlas/__init__.py +1 -0
- pulumi_vault/mongodbatlas/secret_backend.py +64 -63
- pulumi_vault/mongodbatlas/secret_role.py +155 -154
- pulumi_vault/mount.py +274 -273
- pulumi_vault/namespace.py +64 -63
- pulumi_vault/nomad_secret_backend.py +211 -210
- pulumi_vault/nomad_secret_role.py +85 -84
- pulumi_vault/okta/__init__.py +1 -0
- pulumi_vault/okta/_inputs.py +26 -25
- pulumi_vault/okta/auth_backend.py +274 -273
- pulumi_vault/okta/auth_backend_group.py +57 -56
- pulumi_vault/okta/auth_backend_user.py +71 -70
- pulumi_vault/okta/outputs.py +16 -15
- pulumi_vault/outputs.py +73 -60
- pulumi_vault/password_policy.py +43 -42
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +31 -36
- pulumi_vault/pkisecret/backend_acme_eab.py +92 -91
- pulumi_vault/pkisecret/backend_config_acme.py +174 -126
- pulumi_vault/pkisecret/backend_config_auto_tidy.py +1377 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +57 -56
- pulumi_vault/pkisecret/backend_config_cmpv2.py +152 -104
- pulumi_vault/pkisecret/backend_config_est.py +120 -119
- pulumi_vault/pkisecret/get_backend_cert_metadata.py +278 -0
- pulumi_vault/pkisecret/get_backend_config_cmpv2.py +35 -17
- pulumi_vault/pkisecret/get_backend_config_est.py +19 -18
- pulumi_vault/pkisecret/get_backend_issuer.py +139 -25
- pulumi_vault/pkisecret/get_backend_issuers.py +15 -14
- pulumi_vault/pkisecret/get_backend_key.py +20 -19
- pulumi_vault/pkisecret/get_backend_keys.py +15 -14
- pulumi_vault/pkisecret/outputs.py +28 -31
- pulumi_vault/pkisecret/secret_backend_cert.py +439 -297
- pulumi_vault/pkisecret/secret_backend_config_ca.py +43 -42
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +57 -56
- pulumi_vault/pkisecret/secret_backend_config_urls.py +85 -84
- pulumi_vault/pkisecret/secret_backend_crl_config.py +237 -182
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +520 -378
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +57 -56
- pulumi_vault/pkisecret/secret_backend_issuer.py +441 -175
- pulumi_vault/pkisecret/secret_backend_key.py +120 -119
- pulumi_vault/pkisecret/secret_backend_role.py +894 -644
- pulumi_vault/pkisecret/secret_backend_root_cert.py +851 -427
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +936 -357
- pulumi_vault/pkisecret/secret_backend_sign.py +347 -252
- pulumi_vault/plugin.py +127 -126
- pulumi_vault/plugin_pinned_version.py +43 -42
- pulumi_vault/policy.py +43 -42
- pulumi_vault/provider.py +120 -119
- pulumi_vault/pulumi-plugin.json +1 -1
- pulumi_vault/quota_lease_count.py +85 -84
- pulumi_vault/quota_rate_limit.py +113 -112
- pulumi_vault/rabbitmq/__init__.py +1 -0
- pulumi_vault/rabbitmq/_inputs.py +41 -40
- pulumi_vault/rabbitmq/outputs.py +25 -24
- pulumi_vault/rabbitmq/secret_backend.py +169 -168
- pulumi_vault/rabbitmq/secret_backend_role.py +57 -56
- pulumi_vault/raft_autopilot.py +113 -112
- pulumi_vault/raft_snapshot_agent_config.py +393 -392
- pulumi_vault/rgp_policy.py +57 -56
- pulumi_vault/saml/__init__.py +1 -0
- pulumi_vault/saml/auth_backend.py +155 -154
- pulumi_vault/saml/auth_backend_role.py +239 -238
- pulumi_vault/secrets/__init__.py +1 -0
- pulumi_vault/secrets/_inputs.py +16 -15
- pulumi_vault/secrets/outputs.py +10 -9
- pulumi_vault/secrets/sync_association.py +71 -70
- pulumi_vault/secrets/sync_aws_destination.py +148 -147
- pulumi_vault/secrets/sync_azure_destination.py +148 -147
- pulumi_vault/secrets/sync_config.py +43 -42
- pulumi_vault/secrets/sync_gcp_destination.py +106 -105
- pulumi_vault/secrets/sync_gh_destination.py +134 -133
- pulumi_vault/secrets/sync_github_apps.py +64 -63
- pulumi_vault/secrets/sync_vercel_destination.py +120 -119
- pulumi_vault/ssh/__init__.py +2 -0
- pulumi_vault/ssh/_inputs.py +11 -10
- pulumi_vault/ssh/get_secret_backend_sign.py +295 -0
- pulumi_vault/ssh/outputs.py +7 -6
- pulumi_vault/ssh/secret_backend_ca.py +99 -98
- pulumi_vault/ssh/secret_backend_role.py +365 -364
- pulumi_vault/terraformcloud/__init__.py +1 -0
- pulumi_vault/terraformcloud/secret_backend.py +111 -110
- pulumi_vault/terraformcloud/secret_creds.py +74 -73
- pulumi_vault/terraformcloud/secret_role.py +96 -95
- pulumi_vault/token.py +246 -245
- pulumi_vault/tokenauth/__init__.py +1 -0
- pulumi_vault/tokenauth/auth_backend_role.py +267 -266
- pulumi_vault/transform/__init__.py +1 -0
- pulumi_vault/transform/alphabet.py +57 -56
- pulumi_vault/transform/get_decode.py +47 -46
- pulumi_vault/transform/get_encode.py +47 -46
- pulumi_vault/transform/role.py +57 -56
- pulumi_vault/transform/template.py +113 -112
- pulumi_vault/transform/transformation.py +141 -140
- pulumi_vault/transit/__init__.py +3 -0
- pulumi_vault/transit/get_decrypt.py +18 -17
- pulumi_vault/transit/get_encrypt.py +21 -20
- pulumi_vault/transit/get_sign.py +325 -0
- pulumi_vault/transit/get_verify.py +355 -0
- pulumi_vault/transit/secret_backend_key.py +394 -231
- pulumi_vault/transit/secret_cache_config.py +43 -42
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/METADATA +2 -2
- pulumi_vault-6.7.0.dist-info/RECORD +265 -0
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/WHEEL +1 -1
- pulumi_vault-6.6.0a1741415971.dist-info/RECORD +0 -260
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/top_level.txt +0 -0
@@ -2,6 +2,7 @@
|
|
2
2
|
# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
|
3
3
|
# *** Do not edit by hand unless you're certain you know what you are doing! ***
|
4
4
|
|
5
|
+
import builtins
|
5
6
|
import copy
|
6
7
|
import warnings
|
7
8
|
import sys
|
@@ -19,50 +20,68 @@ __all__ = ['SecretBackendArgs', 'SecretBackend']
|
|
19
20
|
@pulumi.input_type
|
20
21
|
class SecretBackendArgs:
|
21
22
|
def __init__(__self__, *,
|
22
|
-
access_key: Optional[pulumi.Input[str]] = None,
|
23
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
24
|
-
description: Optional[pulumi.Input[str]] = None,
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
23
|
+
access_key: Optional[pulumi.Input[builtins.str]] = None,
|
24
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
25
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
26
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
27
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
28
|
+
iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
29
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
30
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
31
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
32
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
33
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
34
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
35
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
36
|
+
region: Optional[pulumi.Input[builtins.str]] = None,
|
37
|
+
role_arn: Optional[pulumi.Input[builtins.str]] = None,
|
38
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
39
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
40
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
41
|
+
secret_key: Optional[pulumi.Input[builtins.str]] = None,
|
42
|
+
sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
43
|
+
sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
44
|
+
sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
45
|
+
sts_region: Optional[pulumi.Input[builtins.str]] = None,
|
46
|
+
username_template: Optional[pulumi.Input[builtins.str]] = None):
|
42
47
|
"""
|
43
48
|
The set of arguments for constructing a SecretBackend resource.
|
44
|
-
:param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
|
49
|
+
:param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
|
45
50
|
issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
|
46
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
51
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
47
52
|
issued by this backend.
|
48
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
49
|
-
:param pulumi.Input[bool]
|
53
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
54
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
55
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
50
56
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
51
|
-
:param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
52
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
53
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
54
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
55
|
-
:param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
56
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
57
|
+
:param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
58
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
59
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
60
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
61
|
+
:param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
62
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
57
63
|
for credentials issued by this backend.
|
58
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
64
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
59
65
|
The value should not contain leading or trailing forward slashes.
|
60
66
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
61
67
|
*Available only for Vault Enterprise*.
|
62
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
68
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
63
69
|
not begin or end with a `/`. Defaults to `aws`.
|
64
|
-
:param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
65
|
-
:param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
70
|
+
:param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
71
|
+
:param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
72
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
73
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
74
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
75
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
|
76
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
77
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
78
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
|
79
|
+
:param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
80
|
+
:param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
81
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
82
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
83
|
+
:param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
84
|
+
:param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
66
85
|
|
67
86
|
```
|
68
87
|
{{ if (eq .Type "STS") }}
|
@@ -72,12 +91,6 @@ class SecretBackendArgs:
|
|
72
91
|
{{ end }}
|
73
92
|
|
74
93
|
```
|
75
|
-
:param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
76
|
-
:param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
77
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
78
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
79
|
-
:param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
80
|
-
:param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
81
94
|
"""
|
82
95
|
if access_key is not None:
|
83
96
|
pulumi.set(__self__, "access_key", access_key)
|
@@ -85,6 +98,8 @@ class SecretBackendArgs:
|
|
85
98
|
pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
|
86
99
|
if description is not None:
|
87
100
|
pulumi.set(__self__, "description", description)
|
101
|
+
if disable_automated_rotation is not None:
|
102
|
+
pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
|
88
103
|
if disable_remount is not None:
|
89
104
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
90
105
|
if iam_endpoint is not None:
|
@@ -107,6 +122,12 @@ class SecretBackendArgs:
|
|
107
122
|
pulumi.set(__self__, "region", region)
|
108
123
|
if role_arn is not None:
|
109
124
|
pulumi.set(__self__, "role_arn", role_arn)
|
125
|
+
if rotation_period is not None:
|
126
|
+
pulumi.set(__self__, "rotation_period", rotation_period)
|
127
|
+
if rotation_schedule is not None:
|
128
|
+
pulumi.set(__self__, "rotation_schedule", rotation_schedule)
|
129
|
+
if rotation_window is not None:
|
130
|
+
pulumi.set(__self__, "rotation_window", rotation_window)
|
110
131
|
if secret_key is not None:
|
111
132
|
pulumi.set(__self__, "secret_key", secret_key)
|
112
133
|
if sts_endpoint is not None:
|
@@ -122,7 +143,7 @@ class SecretBackendArgs:
|
|
122
143
|
|
123
144
|
@property
|
124
145
|
@pulumi.getter(name="accessKey")
|
125
|
-
def access_key(self) -> Optional[pulumi.Input[str]]:
|
146
|
+
def access_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
126
147
|
"""
|
127
148
|
The AWS Access Key ID this backend should use to
|
128
149
|
issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
|
@@ -130,12 +151,12 @@ class SecretBackendArgs:
|
|
130
151
|
return pulumi.get(self, "access_key")
|
131
152
|
|
132
153
|
@access_key.setter
|
133
|
-
def access_key(self, value: Optional[pulumi.Input[str]]):
|
154
|
+
def access_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
134
155
|
pulumi.set(self, "access_key", value)
|
135
156
|
|
136
157
|
@property
|
137
158
|
@pulumi.getter(name="defaultLeaseTtlSeconds")
|
138
|
-
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
159
|
+
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
139
160
|
"""
|
140
161
|
The default TTL for credentials
|
141
162
|
issued by this backend.
|
@@ -143,24 +164,36 @@ class SecretBackendArgs:
|
|
143
164
|
return pulumi.get(self, "default_lease_ttl_seconds")
|
144
165
|
|
145
166
|
@default_lease_ttl_seconds.setter
|
146
|
-
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
167
|
+
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
147
168
|
pulumi.set(self, "default_lease_ttl_seconds", value)
|
148
169
|
|
149
170
|
@property
|
150
171
|
@pulumi.getter
|
151
|
-
def description(self) -> Optional[pulumi.Input[str]]:
|
172
|
+
def description(self) -> Optional[pulumi.Input[builtins.str]]:
|
152
173
|
"""
|
153
174
|
A human-friendly description for this backend.
|
154
175
|
"""
|
155
176
|
return pulumi.get(self, "description")
|
156
177
|
|
157
178
|
@description.setter
|
158
|
-
def description(self, value: Optional[pulumi.Input[str]]):
|
179
|
+
def description(self, value: Optional[pulumi.Input[builtins.str]]):
|
159
180
|
pulumi.set(self, "description", value)
|
160
181
|
|
182
|
+
@property
|
183
|
+
@pulumi.getter(name="disableAutomatedRotation")
|
184
|
+
def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
|
185
|
+
"""
|
186
|
+
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
187
|
+
"""
|
188
|
+
return pulumi.get(self, "disable_automated_rotation")
|
189
|
+
|
190
|
+
@disable_automated_rotation.setter
|
191
|
+
def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
|
192
|
+
pulumi.set(self, "disable_automated_rotation", value)
|
193
|
+
|
161
194
|
@property
|
162
195
|
@pulumi.getter(name="disableRemount")
|
163
|
-
def disable_remount(self) -> Optional[pulumi.Input[bool]]:
|
196
|
+
def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
|
164
197
|
"""
|
165
198
|
If set, opts out of mount migration on path updates.
|
166
199
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -168,72 +201,72 @@ class SecretBackendArgs:
|
|
168
201
|
return pulumi.get(self, "disable_remount")
|
169
202
|
|
170
203
|
@disable_remount.setter
|
171
|
-
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
204
|
+
def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
|
172
205
|
pulumi.set(self, "disable_remount", value)
|
173
206
|
|
174
207
|
@property
|
175
208
|
@pulumi.getter(name="iamEndpoint")
|
176
|
-
def iam_endpoint(self) -> Optional[pulumi.Input[str]]:
|
209
|
+
def iam_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
|
177
210
|
"""
|
178
211
|
Specifies a custom HTTP IAM endpoint to use.
|
179
212
|
"""
|
180
213
|
return pulumi.get(self, "iam_endpoint")
|
181
214
|
|
182
215
|
@iam_endpoint.setter
|
183
|
-
def iam_endpoint(self, value: Optional[pulumi.Input[str]]):
|
216
|
+
def iam_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
|
184
217
|
pulumi.set(self, "iam_endpoint", value)
|
185
218
|
|
186
219
|
@property
|
187
220
|
@pulumi.getter(name="identityTokenAudience")
|
188
|
-
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
221
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
|
189
222
|
"""
|
190
223
|
The audience claim value. Requires Vault 1.16+.
|
191
224
|
"""
|
192
225
|
return pulumi.get(self, "identity_token_audience")
|
193
226
|
|
194
227
|
@identity_token_audience.setter
|
195
|
-
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
228
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
|
196
229
|
pulumi.set(self, "identity_token_audience", value)
|
197
230
|
|
198
231
|
@property
|
199
232
|
@pulumi.getter(name="identityTokenKey")
|
200
|
-
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
233
|
+
def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
201
234
|
"""
|
202
235
|
The key to use for signing identity tokens. Requires Vault 1.16+.
|
203
236
|
"""
|
204
237
|
return pulumi.get(self, "identity_token_key")
|
205
238
|
|
206
239
|
@identity_token_key.setter
|
207
|
-
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
240
|
+
def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
208
241
|
pulumi.set(self, "identity_token_key", value)
|
209
242
|
|
210
243
|
@property
|
211
244
|
@pulumi.getter(name="identityTokenTtl")
|
212
|
-
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
245
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
|
213
246
|
"""
|
214
247
|
The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
215
248
|
"""
|
216
249
|
return pulumi.get(self, "identity_token_ttl")
|
217
250
|
|
218
251
|
@identity_token_ttl.setter
|
219
|
-
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
252
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
|
220
253
|
pulumi.set(self, "identity_token_ttl", value)
|
221
254
|
|
222
255
|
@property
|
223
256
|
@pulumi.getter
|
224
|
-
def local(self) -> Optional[pulumi.Input[bool]]:
|
257
|
+
def local(self) -> Optional[pulumi.Input[builtins.bool]]:
|
225
258
|
"""
|
226
259
|
Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
227
260
|
"""
|
228
261
|
return pulumi.get(self, "local")
|
229
262
|
|
230
263
|
@local.setter
|
231
|
-
def local(self, value: Optional[pulumi.Input[bool]]):
|
264
|
+
def local(self, value: Optional[pulumi.Input[builtins.bool]]):
|
232
265
|
pulumi.set(self, "local", value)
|
233
266
|
|
234
267
|
@property
|
235
268
|
@pulumi.getter(name="maxLeaseTtlSeconds")
|
236
|
-
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
269
|
+
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
237
270
|
"""
|
238
271
|
The maximum TTL that can be requested
|
239
272
|
for credentials issued by this backend.
|
@@ -241,12 +274,12 @@ class SecretBackendArgs:
|
|
241
274
|
return pulumi.get(self, "max_lease_ttl_seconds")
|
242
275
|
|
243
276
|
@max_lease_ttl_seconds.setter
|
244
|
-
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
277
|
+
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
245
278
|
pulumi.set(self, "max_lease_ttl_seconds", value)
|
246
279
|
|
247
280
|
@property
|
248
281
|
@pulumi.getter
|
249
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
282
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
250
283
|
"""
|
251
284
|
The namespace to provision the resource in.
|
252
285
|
The value should not contain leading or trailing forward slashes.
|
@@ -256,12 +289,12 @@ class SecretBackendArgs:
|
|
256
289
|
return pulumi.get(self, "namespace")
|
257
290
|
|
258
291
|
@namespace.setter
|
259
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
292
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
260
293
|
pulumi.set(self, "namespace", value)
|
261
294
|
|
262
295
|
@property
|
263
296
|
@pulumi.getter
|
264
|
-
def path(self) -> Optional[pulumi.Input[str]]:
|
297
|
+
def path(self) -> Optional[pulumi.Input[builtins.str]]:
|
265
298
|
"""
|
266
299
|
The unique path this backend should be mounted at. Must
|
267
300
|
not begin or end with a `/`. Defaults to `aws`.
|
@@ -269,162 +302,220 @@ class SecretBackendArgs:
|
|
269
302
|
return pulumi.get(self, "path")
|
270
303
|
|
271
304
|
@path.setter
|
272
|
-
def path(self, value: Optional[pulumi.Input[str]]):
|
305
|
+
def path(self, value: Optional[pulumi.Input[builtins.str]]):
|
273
306
|
pulumi.set(self, "path", value)
|
274
307
|
|
275
308
|
@property
|
276
309
|
@pulumi.getter
|
277
|
-
def region(self) -> Optional[pulumi.Input[str]]:
|
310
|
+
def region(self) -> Optional[pulumi.Input[builtins.str]]:
|
278
311
|
"""
|
279
312
|
The AWS region to make API calls against. Defaults to us-east-1.
|
280
313
|
"""
|
281
314
|
return pulumi.get(self, "region")
|
282
315
|
|
283
316
|
@region.setter
|
284
|
-
def region(self, value: Optional[pulumi.Input[str]]):
|
317
|
+
def region(self, value: Optional[pulumi.Input[builtins.str]]):
|
285
318
|
pulumi.set(self, "region", value)
|
286
319
|
|
287
320
|
@property
|
288
321
|
@pulumi.getter(name="roleArn")
|
289
|
-
def role_arn(self) -> Optional[pulumi.Input[str]]:
|
322
|
+
def role_arn(self) -> Optional[pulumi.Input[builtins.str]]:
|
290
323
|
"""
|
291
324
|
Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
292
|
-
|
293
|
-
```
|
294
|
-
{{ if (eq .Type "STS") }}
|
295
|
-
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
|
296
|
-
{{ else }}
|
297
|
-
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
|
298
|
-
{{ end }}
|
299
|
-
|
300
|
-
```
|
301
325
|
"""
|
302
326
|
return pulumi.get(self, "role_arn")
|
303
327
|
|
304
328
|
@role_arn.setter
|
305
|
-
def role_arn(self, value: Optional[pulumi.Input[str]]):
|
329
|
+
def role_arn(self, value: Optional[pulumi.Input[builtins.str]]):
|
306
330
|
pulumi.set(self, "role_arn", value)
|
307
331
|
|
332
|
+
@property
|
333
|
+
@pulumi.getter(name="rotationPeriod")
|
334
|
+
def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
|
335
|
+
"""
|
336
|
+
The amount of time in seconds Vault should wait before rotating the root credential.
|
337
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
338
|
+
"""
|
339
|
+
return pulumi.get(self, "rotation_period")
|
340
|
+
|
341
|
+
@rotation_period.setter
|
342
|
+
def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
|
343
|
+
pulumi.set(self, "rotation_period", value)
|
344
|
+
|
345
|
+
@property
|
346
|
+
@pulumi.getter(name="rotationSchedule")
|
347
|
+
def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
|
348
|
+
"""
|
349
|
+
The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
350
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
|
351
|
+
"""
|
352
|
+
return pulumi.get(self, "rotation_schedule")
|
353
|
+
|
354
|
+
@rotation_schedule.setter
|
355
|
+
def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
|
356
|
+
pulumi.set(self, "rotation_schedule", value)
|
357
|
+
|
358
|
+
@property
|
359
|
+
@pulumi.getter(name="rotationWindow")
|
360
|
+
def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
|
361
|
+
"""
|
362
|
+
The maximum amount of time in seconds allowed to complete
|
363
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
364
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
|
365
|
+
"""
|
366
|
+
return pulumi.get(self, "rotation_window")
|
367
|
+
|
368
|
+
@rotation_window.setter
|
369
|
+
def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
|
370
|
+
pulumi.set(self, "rotation_window", value)
|
371
|
+
|
308
372
|
@property
|
309
373
|
@pulumi.getter(name="secretKey")
|
310
|
-
def secret_key(self) -> Optional[pulumi.Input[str]]:
|
374
|
+
def secret_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
311
375
|
"""
|
312
376
|
The AWS Secret Access Key to use when generating new credentials.
|
313
377
|
"""
|
314
378
|
return pulumi.get(self, "secret_key")
|
315
379
|
|
316
380
|
@secret_key.setter
|
317
|
-
def secret_key(self, value: Optional[pulumi.Input[str]]):
|
381
|
+
def secret_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
318
382
|
pulumi.set(self, "secret_key", value)
|
319
383
|
|
320
384
|
@property
|
321
385
|
@pulumi.getter(name="stsEndpoint")
|
322
|
-
def sts_endpoint(self) -> Optional[pulumi.Input[str]]:
|
386
|
+
def sts_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
|
323
387
|
"""
|
324
388
|
Specifies a custom HTTP STS endpoint to use.
|
325
389
|
"""
|
326
390
|
return pulumi.get(self, "sts_endpoint")
|
327
391
|
|
328
392
|
@sts_endpoint.setter
|
329
|
-
def sts_endpoint(self, value: Optional[pulumi.Input[str]]):
|
393
|
+
def sts_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
|
330
394
|
pulumi.set(self, "sts_endpoint", value)
|
331
395
|
|
332
396
|
@property
|
333
397
|
@pulumi.getter(name="stsFallbackEndpoints")
|
334
|
-
def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
398
|
+
def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
335
399
|
"""
|
336
400
|
Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
337
401
|
"""
|
338
402
|
return pulumi.get(self, "sts_fallback_endpoints")
|
339
403
|
|
340
404
|
@sts_fallback_endpoints.setter
|
341
|
-
def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
405
|
+
def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
342
406
|
pulumi.set(self, "sts_fallback_endpoints", value)
|
343
407
|
|
344
408
|
@property
|
345
409
|
@pulumi.getter(name="stsFallbackRegions")
|
346
|
-
def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
410
|
+
def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
347
411
|
"""
|
348
412
|
Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
349
413
|
"""
|
350
414
|
return pulumi.get(self, "sts_fallback_regions")
|
351
415
|
|
352
416
|
@sts_fallback_regions.setter
|
353
|
-
def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
417
|
+
def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
354
418
|
pulumi.set(self, "sts_fallback_regions", value)
|
355
419
|
|
356
420
|
@property
|
357
421
|
@pulumi.getter(name="stsRegion")
|
358
|
-
def sts_region(self) -> Optional[pulumi.Input[str]]:
|
422
|
+
def sts_region(self) -> Optional[pulumi.Input[builtins.str]]:
|
359
423
|
"""
|
360
424
|
Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
361
425
|
"""
|
362
426
|
return pulumi.get(self, "sts_region")
|
363
427
|
|
364
428
|
@sts_region.setter
|
365
|
-
def sts_region(self, value: Optional[pulumi.Input[str]]):
|
429
|
+
def sts_region(self, value: Optional[pulumi.Input[builtins.str]]):
|
366
430
|
pulumi.set(self, "sts_region", value)
|
367
431
|
|
368
432
|
@property
|
369
433
|
@pulumi.getter(name="usernameTemplate")
|
370
|
-
def username_template(self) -> Optional[pulumi.Input[str]]:
|
434
|
+
def username_template(self) -> Optional[pulumi.Input[builtins.str]]:
|
371
435
|
"""
|
372
436
|
Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
437
|
+
|
438
|
+
```
|
439
|
+
{{ if (eq .Type "STS") }}
|
440
|
+
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
|
441
|
+
{{ else }}
|
442
|
+
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
|
443
|
+
{{ end }}
|
444
|
+
|
445
|
+
```
|
373
446
|
"""
|
374
447
|
return pulumi.get(self, "username_template")
|
375
448
|
|
376
449
|
@username_template.setter
|
377
|
-
def username_template(self, value: Optional[pulumi.Input[str]]):
|
450
|
+
def username_template(self, value: Optional[pulumi.Input[builtins.str]]):
|
378
451
|
pulumi.set(self, "username_template", value)
|
379
452
|
|
380
453
|
|
381
454
|
@pulumi.input_type
|
382
455
|
class _SecretBackendState:
|
383
456
|
def __init__(__self__, *,
|
384
|
-
access_key: Optional[pulumi.Input[str]] = None,
|
385
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
386
|
-
description: Optional[pulumi.Input[str]] = None,
|
387
|
-
|
388
|
-
|
389
|
-
|
390
|
-
|
391
|
-
|
392
|
-
|
393
|
-
|
394
|
-
|
395
|
-
|
396
|
-
|
397
|
-
|
398
|
-
|
399
|
-
|
400
|
-
|
401
|
-
|
402
|
-
|
403
|
-
|
457
|
+
access_key: Optional[pulumi.Input[builtins.str]] = None,
|
458
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
459
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
460
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
461
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
462
|
+
iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
463
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
464
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
465
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
466
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
467
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
468
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
469
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
470
|
+
region: Optional[pulumi.Input[builtins.str]] = None,
|
471
|
+
role_arn: Optional[pulumi.Input[builtins.str]] = None,
|
472
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
473
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
474
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
475
|
+
secret_key: Optional[pulumi.Input[builtins.str]] = None,
|
476
|
+
sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
477
|
+
sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
478
|
+
sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
479
|
+
sts_region: Optional[pulumi.Input[builtins.str]] = None,
|
480
|
+
username_template: Optional[pulumi.Input[builtins.str]] = None):
|
404
481
|
"""
|
405
482
|
Input properties used for looking up and filtering SecretBackend resources.
|
406
|
-
:param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
|
483
|
+
:param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
|
407
484
|
issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
|
408
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
485
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
409
486
|
issued by this backend.
|
410
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
411
|
-
:param pulumi.Input[bool]
|
487
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
488
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
489
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
412
490
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
413
|
-
:param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
414
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
415
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
416
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
417
|
-
:param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
418
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
491
|
+
:param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
492
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
493
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
494
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
495
|
+
:param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
496
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
419
497
|
for credentials issued by this backend.
|
420
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
498
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
421
499
|
The value should not contain leading or trailing forward slashes.
|
422
500
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
423
501
|
*Available only for Vault Enterprise*.
|
424
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
502
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
425
503
|
not begin or end with a `/`. Defaults to `aws`.
|
426
|
-
:param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
427
|
-
:param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
504
|
+
:param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
505
|
+
:param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
506
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
507
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
508
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
509
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
|
510
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
511
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
512
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
|
513
|
+
:param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
514
|
+
:param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
515
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
516
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
517
|
+
:param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
518
|
+
:param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
428
519
|
|
429
520
|
```
|
430
521
|
{{ if (eq .Type "STS") }}
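Review bot: The docstrings of the added `rotation_schedule` and `rotation_window` properties say Vault rotates the "root token" ("scheduled token rotation"), while `rotation_period` and `disable_automated_rotation` in the same hunk say "root credential"; presumably all four mean the root credential configured through `access_key`/`secret_key`. Suggested wording: `defining the schedule on which Vault should rotate the root credential.` and `a rotation when a scheduled credential rotation occurs.` The same text recurs in the `:param` entries of `_SecretBackendState.__init__` in this hunk and in the `_SecretBackendState` properties in a later hunk. The docstrings also leave open what happens when both `rotation_period` and `rotation_schedule` are set; a sentence on that next to the fields would help whoever configures rotation. `SecretBackendArgs` begins before this hunk, and if the module is generated, the wording has to be fixed in the schema it is generated from.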
|
@@ -434,12 +525,6 @@ class _SecretBackendState:
|
|
434
525
|
{{ end }}
|
435
526
|
|
436
527
|
```
|
437
|
-
:param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
438
|
-
:param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
439
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
440
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
441
|
-
:param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
442
|
-
:param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
443
528
|
"""
|
444
529
|
if access_key is not None:
|
445
530
|
pulumi.set(__self__, "access_key", access_key)
|
@@ -447,6 +532,8 @@ class _SecretBackendState:
|
|
447
532
|
pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
|
448
533
|
if description is not None:
|
449
534
|
pulumi.set(__self__, "description", description)
|
535
|
+
if disable_automated_rotation is not None:
|
536
|
+
pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
|
450
537
|
if disable_remount is not None:
|
451
538
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
452
539
|
if iam_endpoint is not None:
|
@@ -469,6 +556,12 @@ class _SecretBackendState:
|
|
469
556
|
pulumi.set(__self__, "region", region)
|
470
557
|
if role_arn is not None:
|
471
558
|
pulumi.set(__self__, "role_arn", role_arn)
|
559
|
+
if rotation_period is not None:
|
560
|
+
pulumi.set(__self__, "rotation_period", rotation_period)
|
561
|
+
if rotation_schedule is not None:
|
562
|
+
pulumi.set(__self__, "rotation_schedule", rotation_schedule)
|
563
|
+
if rotation_window is not None:
|
564
|
+
pulumi.set(__self__, "rotation_window", rotation_window)
|
472
565
|
if secret_key is not None:
|
473
566
|
pulumi.set(__self__, "secret_key", secret_key)
|
474
567
|
if sts_endpoint is not None:
|
@@ -484,7 +577,7 @@ class _SecretBackendState:
|
|
484
577
|
|
485
578
|
@property
|
486
579
|
@pulumi.getter(name="accessKey")
|
487
|
-
def access_key(self) -> Optional[pulumi.Input[str]]:
|
580
|
+
def access_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
488
581
|
"""
|
489
582
|
The AWS Access Key ID this backend should use to
|
490
583
|
issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
|
@@ -492,12 +585,12 @@ class _SecretBackendState:
|
|
492
585
|
return pulumi.get(self, "access_key")
|
493
586
|
|
494
587
|
@access_key.setter
|
495
|
-
def access_key(self, value: Optional[pulumi.Input[str]]):
|
588
|
+
def access_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
496
589
|
pulumi.set(self, "access_key", value)
|
497
590
|
|
498
591
|
@property
|
499
592
|
@pulumi.getter(name="defaultLeaseTtlSeconds")
|
500
|
-
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
593
|
+
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
501
594
|
"""
|
502
595
|
The default TTL for credentials
|
503
596
|
issued by this backend.
|
@@ -505,24 +598,36 @@ class _SecretBackendState:
|
|
505
598
|
return pulumi.get(self, "default_lease_ttl_seconds")
|
506
599
|
|
507
600
|
@default_lease_ttl_seconds.setter
|
508
|
-
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
601
|
+
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
509
602
|
pulumi.set(self, "default_lease_ttl_seconds", value)
|
510
603
|
|
511
604
|
@property
|
512
605
|
@pulumi.getter
|
513
|
-
def description(self) -> Optional[pulumi.Input[str]]:
|
606
|
+
def description(self) -> Optional[pulumi.Input[builtins.str]]:
|
514
607
|
"""
|
515
608
|
A human-friendly description for this backend.
|
516
609
|
"""
|
517
610
|
return pulumi.get(self, "description")
|
518
611
|
|
519
612
|
@description.setter
|
520
|
-
def description(self, value: Optional[pulumi.Input[str]]):
|
613
|
+
def description(self, value: Optional[pulumi.Input[builtins.str]]):
|
521
614
|
pulumi.set(self, "description", value)
|
522
615
|
|
616
|
+
@property
|
617
|
+
@pulumi.getter(name="disableAutomatedRotation")
|
618
|
+
def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
|
619
|
+
"""
|
620
|
+
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
621
|
+
"""
|
622
|
+
return pulumi.get(self, "disable_automated_rotation")
|
623
|
+
|
624
|
+
@disable_automated_rotation.setter
|
625
|
+
def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
|
626
|
+
pulumi.set(self, "disable_automated_rotation", value)
|
627
|
+
|
523
628
|
@property
|
524
629
|
@pulumi.getter(name="disableRemount")
|
525
|
-
def disable_remount(self) -> Optional[pulumi.Input[bool]]:
|
630
|
+
def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
|
526
631
|
"""
|
527
632
|
If set, opts out of mount migration on path updates.
|
528
633
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -530,72 +635,72 @@ class _SecretBackendState:
|
|
530
635
|
return pulumi.get(self, "disable_remount")
|
531
636
|
|
532
637
|
@disable_remount.setter
|
533
|
-
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
638
|
+
def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
|
534
639
|
pulumi.set(self, "disable_remount", value)
|
535
640
|
|
536
641
|
@property
|
537
642
|
@pulumi.getter(name="iamEndpoint")
|
538
|
-
def iam_endpoint(self) -> Optional[pulumi.Input[str]]:
|
643
|
+
def iam_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
|
539
644
|
"""
|
540
645
|
Specifies a custom HTTP IAM endpoint to use.
|
541
646
|
"""
|
542
647
|
return pulumi.get(self, "iam_endpoint")
|
543
648
|
|
544
649
|
@iam_endpoint.setter
|
545
|
-
def iam_endpoint(self, value: Optional[pulumi.Input[str]]):
|
650
|
+
def iam_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
|
546
651
|
pulumi.set(self, "iam_endpoint", value)
|
547
652
|
|
548
653
|
@property
|
549
654
|
@pulumi.getter(name="identityTokenAudience")
|
550
|
-
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
655
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
|
551
656
|
"""
|
552
657
|
The audience claim value. Requires Vault 1.16+.
|
553
658
|
"""
|
554
659
|
return pulumi.get(self, "identity_token_audience")
|
555
660
|
|
556
661
|
@identity_token_audience.setter
|
557
|
-
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
662
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
|
558
663
|
pulumi.set(self, "identity_token_audience", value)
|
559
664
|
|
560
665
|
@property
|
561
666
|
@pulumi.getter(name="identityTokenKey")
|
562
|
-
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
667
|
+
def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
563
668
|
"""
|
564
669
|
The key to use for signing identity tokens. Requires Vault 1.16+.
|
565
670
|
"""
|
566
671
|
return pulumi.get(self, "identity_token_key")
|
567
672
|
|
568
673
|
@identity_token_key.setter
|
569
|
-
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
674
|
+
def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
570
675
|
pulumi.set(self, "identity_token_key", value)
|
571
676
|
|
572
677
|
@property
|
573
678
|
@pulumi.getter(name="identityTokenTtl")
|
574
|
-
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
679
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
|
575
680
|
"""
|
576
681
|
The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
577
682
|
"""
|
578
683
|
return pulumi.get(self, "identity_token_ttl")
|
579
684
|
|
580
685
|
@identity_token_ttl.setter
|
581
|
-
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
686
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
|
582
687
|
pulumi.set(self, "identity_token_ttl", value)
|
583
688
|
|
584
689
|
@property
|
585
690
|
@pulumi.getter
|
586
|
-
def local(self) -> Optional[pulumi.Input[bool]]:
|
691
|
+
def local(self) -> Optional[pulumi.Input[builtins.bool]]:
|
587
692
|
"""
|
588
693
|
Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
589
694
|
"""
|
590
695
|
return pulumi.get(self, "local")
|
591
696
|
|
592
697
|
@local.setter
|
593
|
-
def local(self, value: Optional[pulumi.Input[bool]]):
|
698
|
+
def local(self, value: Optional[pulumi.Input[builtins.bool]]):
|
594
699
|
pulumi.set(self, "local", value)
|
595
700
|
|
596
701
|
@property
|
597
702
|
@pulumi.getter(name="maxLeaseTtlSeconds")
|
598
|
-
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
703
|
+
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
599
704
|
"""
|
600
705
|
The maximum TTL that can be requested
|
601
706
|
for credentials issued by this backend.
|
@@ -603,12 +708,12 @@ class _SecretBackendState:
|
|
603
708
|
return pulumi.get(self, "max_lease_ttl_seconds")
|
604
709
|
|
605
710
|
@max_lease_ttl_seconds.setter
|
606
|
-
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
711
|
+
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
607
712
|
pulumi.set(self, "max_lease_ttl_seconds", value)
|
608
713
|
|
609
714
|
@property
|
610
715
|
@pulumi.getter
|
611
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
716
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
612
717
|
"""
|
613
718
|
The namespace to provision the resource in.
|
614
719
|
The value should not contain leading or trailing forward slashes.
|
@@ -618,12 +723,12 @@ class _SecretBackendState:
|
|
618
723
|
return pulumi.get(self, "namespace")
|
619
724
|
|
620
725
|
@namespace.setter
|
621
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
726
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
622
727
|
pulumi.set(self, "namespace", value)
|
623
728
|
|
624
729
|
@property
|
625
730
|
@pulumi.getter
|
626
|
-
def path(self) -> Optional[pulumi.Input[str]]:
|
731
|
+
def path(self) -> Optional[pulumi.Input[builtins.str]]:
|
627
732
|
"""
|
628
733
|
The unique path this backend should be mounted at. Must
|
629
734
|
not begin or end with a `/`. Defaults to `aws`.
|
@@ -631,112 +736,152 @@ class _SecretBackendState:
|
|
631
736
|
return pulumi.get(self, "path")
|
632
737
|
|
633
738
|
@path.setter
|
634
|
-
def path(self, value: Optional[pulumi.Input[str]]):
|
739
|
+
def path(self, value: Optional[pulumi.Input[builtins.str]]):
|
635
740
|
pulumi.set(self, "path", value)
|
636
741
|
|
637
742
|
@property
|
638
743
|
@pulumi.getter
|
639
|
-
def region(self) -> Optional[pulumi.Input[str]]:
|
744
|
+
def region(self) -> Optional[pulumi.Input[builtins.str]]:
|
640
745
|
"""
|
641
746
|
The AWS region to make API calls against. Defaults to us-east-1.
|
642
747
|
"""
|
643
748
|
return pulumi.get(self, "region")
|
644
749
|
|
645
750
|
@region.setter
|
646
|
-
def region(self, value: Optional[pulumi.Input[str]]):
|
751
|
+
def region(self, value: Optional[pulumi.Input[builtins.str]]):
|
647
752
|
pulumi.set(self, "region", value)
|
648
753
|
|
649
754
|
@property
|
650
755
|
@pulumi.getter(name="roleArn")
|
651
|
-
def role_arn(self) -> Optional[pulumi.Input[str]]:
|
756
|
+
def role_arn(self) -> Optional[pulumi.Input[builtins.str]]:
|
652
757
|
"""
|
653
758
|
Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
654
|
-
|
655
|
-
```
|
656
|
-
{{ if (eq .Type "STS") }}
|
657
|
-
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
|
658
|
-
{{ else }}
|
659
|
-
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
|
660
|
-
{{ end }}
|
661
|
-
|
662
|
-
```
|
663
759
|
"""
|
664
760
|
return pulumi.get(self, "role_arn")
|
665
761
|
|
666
762
|
@role_arn.setter
|
667
|
-
def role_arn(self, value: Optional[pulumi.Input[str]]):
|
763
|
+
def role_arn(self, value: Optional[pulumi.Input[builtins.str]]):
|
668
764
|
pulumi.set(self, "role_arn", value)
|
669
765
|
|
766
|
+
@property
|
767
|
+
@pulumi.getter(name="rotationPeriod")
|
768
|
+
def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
|
769
|
+
"""
|
770
|
+
The amount of time in seconds Vault should wait before rotating the root credential.
|
771
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
772
|
+
"""
|
773
|
+
return pulumi.get(self, "rotation_period")
|
774
|
+
|
775
|
+
@rotation_period.setter
|
776
|
+
def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
|
777
|
+
pulumi.set(self, "rotation_period", value)
|
778
|
+
|
779
|
+
@property
|
780
|
+
@pulumi.getter(name="rotationSchedule")
|
781
|
+
def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
|
782
|
+
"""
|
783
|
+
The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
784
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
|
785
|
+
"""
|
786
|
+
return pulumi.get(self, "rotation_schedule")
|
787
|
+
|
788
|
+
@rotation_schedule.setter
|
789
|
+
def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
|
790
|
+
pulumi.set(self, "rotation_schedule", value)
|
791
|
+
|
792
|
+
@property
|
793
|
+
@pulumi.getter(name="rotationWindow")
|
794
|
+
def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
|
795
|
+
"""
|
796
|
+
The maximum amount of time in seconds allowed to complete
|
797
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
798
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
|
799
|
+
"""
|
800
|
+
return pulumi.get(self, "rotation_window")
|
801
|
+
|
802
|
+
@rotation_window.setter
|
803
|
+
def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
|
804
|
+
pulumi.set(self, "rotation_window", value)
|
805
|
+
|
670
806
|
@property
|
671
807
|
@pulumi.getter(name="secretKey")
|
672
|
-
def secret_key(self) -> Optional[pulumi.Input[str]]:
|
808
|
+
def secret_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
673
809
|
"""
|
674
810
|
The AWS Secret Access Key to use when generating new credentials.
|
675
811
|
"""
|
676
812
|
return pulumi.get(self, "secret_key")
|
677
813
|
|
678
814
|
@secret_key.setter
|
679
|
-
def secret_key(self, value: Optional[pulumi.Input[str]]):
|
815
|
+
def secret_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
680
816
|
pulumi.set(self, "secret_key", value)
|
681
817
|
|
682
818
|
@property
|
683
819
|
@pulumi.getter(name="stsEndpoint")
|
684
|
-
def sts_endpoint(self) -> Optional[pulumi.Input[str]]:
|
820
|
+
def sts_endpoint(self) -> Optional[pulumi.Input[builtins.str]]:
|
685
821
|
"""
|
686
822
|
Specifies a custom HTTP STS endpoint to use.
|
687
823
|
"""
|
688
824
|
return pulumi.get(self, "sts_endpoint")
|
689
825
|
|
690
826
|
@sts_endpoint.setter
|
691
|
-
def sts_endpoint(self, value: Optional[pulumi.Input[str]]):
|
827
|
+
def sts_endpoint(self, value: Optional[pulumi.Input[builtins.str]]):
|
692
828
|
pulumi.set(self, "sts_endpoint", value)
|
693
829
|
|
694
830
|
@property
|
695
831
|
@pulumi.getter(name="stsFallbackEndpoints")
|
696
|
-
def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
832
|
+
def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
697
833
|
"""
|
698
834
|
Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
699
835
|
"""
|
700
836
|
return pulumi.get(self, "sts_fallback_endpoints")
|
701
837
|
|
702
838
|
@sts_fallback_endpoints.setter
|
703
|
-
def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
839
|
+
def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
704
840
|
pulumi.set(self, "sts_fallback_endpoints", value)
|
705
841
|
|
706
842
|
@property
|
707
843
|
@pulumi.getter(name="stsFallbackRegions")
|
708
|
-
def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
844
|
+
def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
709
845
|
"""
|
710
846
|
Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
711
847
|
"""
|
712
848
|
return pulumi.get(self, "sts_fallback_regions")
|
713
849
|
|
714
850
|
@sts_fallback_regions.setter
|
715
|
-
def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
851
|
+
def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
716
852
|
pulumi.set(self, "sts_fallback_regions", value)
|
717
853
|
|
718
854
|
@property
|
719
855
|
@pulumi.getter(name="stsRegion")
|
720
|
-
def sts_region(self) -> Optional[pulumi.Input[str]]:
|
856
|
+
def sts_region(self) -> Optional[pulumi.Input[builtins.str]]:
|
721
857
|
"""
|
722
858
|
Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
723
859
|
"""
|
724
860
|
return pulumi.get(self, "sts_region")
|
725
861
|
|
726
862
|
@sts_region.setter
|
727
|
-
def sts_region(self, value: Optional[pulumi.Input[str]]):
|
863
|
+
def sts_region(self, value: Optional[pulumi.Input[builtins.str]]):
|
728
864
|
pulumi.set(self, "sts_region", value)
|
729
865
|
|
730
866
|
@property
|
731
867
|
@pulumi.getter(name="usernameTemplate")
|
732
|
-
def username_template(self) -> Optional[pulumi.Input[str]]:
|
868
|
+
def username_template(self) -> Optional[pulumi.Input[builtins.str]]:
|
733
869
|
"""
|
734
870
|
Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
871
|
+
|
872
|
+
```
|
873
|
+
{{ if (eq .Type "STS") }}
|
874
|
+
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
|
875
|
+
{{ else }}
|
876
|
+
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
|
877
|
+
{{ end }}
|
878
|
+
|
879
|
+
```
|
735
880
|
"""
|
736
881
|
return pulumi.get(self, "username_template")
|
737
882
|
|
738
883
|
@username_template.setter
|
739
|
-
def username_template(self, value: Optional[pulumi.Input[str]]):
|
884
|
+
def username_template(self, value: Optional[pulumi.Input[builtins.str]]):
|
740
885
|
pulumi.set(self, "username_template", value)
|
741
886
|
|
742
887
|
|
@@ -745,26 +890,30 @@ class SecretBackend(pulumi.CustomResource):
|
|
745
890
|
def __init__(__self__,
|
746
891
|
resource_name: str,
|
747
892
|
opts: Optional[pulumi.ResourceOptions] = None,
|
748
|
-
access_key: Optional[pulumi.Input[str]] = None,
|
749
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
750
|
-
description: Optional[pulumi.Input[str]] = None,
|
751
|
-
|
752
|
-
|
753
|
-
|
754
|
-
|
755
|
-
|
756
|
-
|
757
|
-
|
758
|
-
|
759
|
-
|
760
|
-
|
761
|
-
|
762
|
-
|
763
|
-
|
764
|
-
|
765
|
-
|
766
|
-
|
767
|
-
|
893
|
+
access_key: Optional[pulumi.Input[builtins.str]] = None,
|
894
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
895
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
896
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
897
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
898
|
+
iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
899
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
900
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
901
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
902
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
903
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
904
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
905
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
906
|
+
region: Optional[pulumi.Input[builtins.str]] = None,
|
907
|
+
role_arn: Optional[pulumi.Input[builtins.str]] = None,
|
908
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
909
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
910
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
911
|
+
secret_key: Optional[pulumi.Input[builtins.str]] = None,
|
912
|
+
sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
913
|
+
sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
914
|
+
sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
915
|
+
sts_region: Optional[pulumi.Input[builtins.str]] = None,
|
916
|
+
username_template: Optional[pulumi.Input[builtins.str]] = None,
|
768
917
|
__props__=None):
|
769
918
|
"""
|
770
919
|
## Import
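Review bot: The new parameters `disable_automated_rotation`, `rotation_period`, `rotation_schedule` and `rotation_window` are added in the middle of the `__init__` parameter list rather than at its end, and no `*` marker is visible before `access_key`, so every later parameter changes position for a caller that passes arguments positionally. On a resource that also takes `access_key` and `secret_key`, a shifted positional value could end up in a property that is not wrapped with `pulumi.Output.secret`. The same ordering appears in the `_internal_init` and `get` signature hunks further down. A docstring line such as `All properties must be passed by keyword; parameter order is not stable across releases.` would make the contract explicit. The text of the removed lines is not shown here, so the old order is inferred from the docstring hunk that follows, and the docstring itself continues outside this hunk.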
|
@@ -777,28 +926,42 @@ class SecretBackend(pulumi.CustomResource):
|
|
777
926
|
|
778
927
|
:param str resource_name: The name of the resource.
|
779
928
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
780
|
-
:param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
|
929
|
+
:param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
|
781
930
|
issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
|
782
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
931
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
783
932
|
issued by this backend.
|
784
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
785
|
-
:param pulumi.Input[bool]
|
933
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
934
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
935
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
786
936
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
787
|
-
:param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
788
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
789
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
790
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
791
|
-
:param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
792
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
937
|
+
:param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
938
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
939
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
940
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
941
|
+
:param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
942
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
793
943
|
for credentials issued by this backend.
|
794
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
944
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
795
945
|
The value should not contain leading or trailing forward slashes.
|
796
946
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
797
947
|
*Available only for Vault Enterprise*.
|
798
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
948
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
799
949
|
not begin or end with a `/`. Defaults to `aws`.
|
800
|
-
:param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
801
|
-
:param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
950
|
+
:param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
951
|
+
:param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
952
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
953
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
954
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
955
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
|
956
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
957
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
958
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
|
959
|
+
:param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
960
|
+
:param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
961
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
962
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
963
|
+
:param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
964
|
+
:param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
802
965
|
|
803
966
|
```
|
804
967
|
{{ if (eq .Type "STS") }}
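Review bot: The `rotation_schedule` and `rotation_window` entries say Vault rotates "the root token", while `rotation_period` and `disable_automated_rotation` in the same docstring say "the root credential". One term should be used throughout, for example `defining the schedule on which Vault should rotate the root credential.` and `a rotation when a scheduled root credential rotation occurs.` The docstring also does not say how the three settings combine. Vault's own documentation appears to treat `rotation_period` and `rotation_schedule` as mutually exclusive and to accept `rotation_window` only with a schedule; if that is confirmed, stating it here lets a misconfigured rotation policy be caught in review rather than at apply time. The same wording is repeated in the property docstrings earlier in this file section and in the `get` docstring hunk below, and the docstring starts and ends outside this hunk.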
|
@@ -808,12 +971,6 @@ class SecretBackend(pulumi.CustomResource):
|
|
808
971
|
{{ end }}
|
809
972
|
|
810
973
|
```
|
811
|
-
:param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
812
|
-
:param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
813
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
814
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
815
|
-
:param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
816
|
-
:param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
817
974
|
"""
|
818
975
|
...
|
819
976
|
@overload
|
@@ -845,26 +1002,30 @@ class SecretBackend(pulumi.CustomResource):
|
|
845
1002
|
def _internal_init(__self__,
|
846
1003
|
resource_name: str,
|
847
1004
|
opts: Optional[pulumi.ResourceOptions] = None,
|
848
|
-
access_key: Optional[pulumi.Input[str]] = None,
|
849
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
850
|
-
description: Optional[pulumi.Input[str]] = None,
|
851
|
-
|
852
|
-
|
853
|
-
|
854
|
-
|
855
|
-
|
856
|
-
|
857
|
-
|
858
|
-
|
859
|
-
|
860
|
-
|
861
|
-
|
862
|
-
|
863
|
-
|
864
|
-
|
865
|
-
|
866
|
-
|
867
|
-
|
1005
|
+
access_key: Optional[pulumi.Input[builtins.str]] = None,
|
1006
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
1007
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
1008
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
1009
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
1010
|
+
iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
1011
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
1012
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
1013
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
1014
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
1015
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
1016
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
1017
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
1018
|
+
region: Optional[pulumi.Input[builtins.str]] = None,
|
1019
|
+
role_arn: Optional[pulumi.Input[builtins.str]] = None,
|
1020
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
1021
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
1022
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
1023
|
+
secret_key: Optional[pulumi.Input[builtins.str]] = None,
|
1024
|
+
sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
1025
|
+
sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
1026
|
+
sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
1027
|
+
sts_region: Optional[pulumi.Input[builtins.str]] = None,
|
1028
|
+
username_template: Optional[pulumi.Input[builtins.str]] = None,
|
868
1029
|
__props__=None):
|
869
1030
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
870
1031
|
if not isinstance(opts, pulumi.ResourceOptions):
|
@@ -877,6 +1038,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
877
1038
|
__props__.__dict__["access_key"] = None if access_key is None else pulumi.Output.secret(access_key)
|
878
1039
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
879
1040
|
__props__.__dict__["description"] = description
|
1041
|
+
__props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
|
880
1042
|
__props__.__dict__["disable_remount"] = disable_remount
|
881
1043
|
__props__.__dict__["iam_endpoint"] = iam_endpoint
|
882
1044
|
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
@@ -888,6 +1050,9 @@ class SecretBackend(pulumi.CustomResource):
|
|
888
1050
|
__props__.__dict__["path"] = path
|
889
1051
|
__props__.__dict__["region"] = region
|
890
1052
|
__props__.__dict__["role_arn"] = role_arn
|
1053
|
+
__props__.__dict__["rotation_period"] = rotation_period
|
1054
|
+
__props__.__dict__["rotation_schedule"] = rotation_schedule
|
1055
|
+
__props__.__dict__["rotation_window"] = rotation_window
|
891
1056
|
__props__.__dict__["secret_key"] = None if secret_key is None else pulumi.Output.secret(secret_key)
|
892
1057
|
__props__.__dict__["sts_endpoint"] = sts_endpoint
|
893
1058
|
__props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints
|
@@ -906,26 +1071,30 @@ class SecretBackend(pulumi.CustomResource):
|
|
906
1071
|
def get(resource_name: str,
|
907
1072
|
id: pulumi.Input[str],
|
908
1073
|
opts: Optional[pulumi.ResourceOptions] = None,
|
909
|
-
access_key: Optional[pulumi.Input[str]] = None,
|
910
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
911
|
-
description: Optional[pulumi.Input[str]] = None,
|
912
|
-
|
913
|
-
|
914
|
-
|
915
|
-
|
916
|
-
|
917
|
-
|
918
|
-
|
919
|
-
|
920
|
-
|
921
|
-
|
922
|
-
|
923
|
-
|
924
|
-
|
925
|
-
|
926
|
-
|
927
|
-
|
928
|
-
|
1074
|
+
access_key: Optional[pulumi.Input[builtins.str]] = None,
|
1075
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
1076
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
1077
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
1078
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
1079
|
+
iam_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
1080
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
1081
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
1082
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
1083
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
1084
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
1085
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
1086
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
1087
|
+
region: Optional[pulumi.Input[builtins.str]] = None,
|
1088
|
+
role_arn: Optional[pulumi.Input[builtins.str]] = None,
|
1089
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
1090
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
1091
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
1092
|
+
secret_key: Optional[pulumi.Input[builtins.str]] = None,
|
1093
|
+
sts_endpoint: Optional[pulumi.Input[builtins.str]] = None,
|
1094
|
+
sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
1095
|
+
sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
1096
|
+
sts_region: Optional[pulumi.Input[builtins.str]] = None,
|
1097
|
+
username_template: Optional[pulumi.Input[builtins.str]] = None) -> 'SecretBackend':
|
929
1098
|
"""
|
930
1099
|
Get an existing SecretBackend resource's state with the given name, id, and optional extra
|
931
1100
|
properties used to qualify the lookup.
|
@@ -933,28 +1102,42 @@ class SecretBackend(pulumi.CustomResource):
|
|
933
1102
|
:param str resource_name: The unique name of the resulting resource.
|
934
1103
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
935
1104
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
936
|
-
:param pulumi.Input[str] access_key: The AWS Access Key ID this backend should use to
|
1105
|
+
:param pulumi.Input[builtins.str] access_key: The AWS Access Key ID this backend should use to
|
937
1106
|
issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
|
938
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
1107
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
939
1108
|
issued by this backend.
|
940
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
941
|
-
:param pulumi.Input[bool]
|
1109
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
1110
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
1111
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
942
1112
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
943
|
-
:param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
944
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
945
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
946
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
947
|
-
:param pulumi.Input[bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
948
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
1113
|
+
:param pulumi.Input[builtins.str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
|
1114
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value. Requires Vault 1.16+.
|
1115
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing identity tokens. Requires Vault 1.16+.
|
1116
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
1117
|
+
:param pulumi.Input[builtins.bool] local: Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
1118
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
949
1119
|
for credentials issued by this backend.
|
950
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1120
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
951
1121
|
The value should not contain leading or trailing forward slashes.
|
952
1122
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
953
1123
|
*Available only for Vault Enterprise*.
|
954
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
1124
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
955
1125
|
not begin or end with a `/`. Defaults to `aws`.
|
956
|
-
:param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
957
|
-
:param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
1126
|
+
:param pulumi.Input[builtins.str] region: The AWS region to make API calls against. Defaults to us-east-1.
|
1127
|
+
:param pulumi.Input[builtins.str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
1128
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
1129
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
1130
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
1131
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
|
1132
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
1133
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
1134
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
|
1135
|
+
:param pulumi.Input[builtins.str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
1136
|
+
:param pulumi.Input[builtins.str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
1137
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
1138
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
1139
|
+
:param pulumi.Input[builtins.str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
1140
|
+
:param pulumi.Input[builtins.str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
958
1141
|
|
959
1142
|
```
|
960
1143
|
{{ if (eq .Type "STS") }}
|
@@ -964,12 +1147,6 @@ class SecretBackend(pulumi.CustomResource):
|
|
964
1147
|
{{ end }}
|
965
1148
|
|
966
1149
|
```
|
967
|
-
:param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
|
968
|
-
:param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
|
969
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
970
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
971
|
-
:param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
972
|
-
:param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
973
1150
|
"""
|
974
1151
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
975
1152
|
|
@@ -978,6 +1155,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
978
1155
|
__props__.__dict__["access_key"] = access_key
|
979
1156
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
980
1157
|
__props__.__dict__["description"] = description
|
1158
|
+
__props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
|
981
1159
|
__props__.__dict__["disable_remount"] = disable_remount
|
982
1160
|
__props__.__dict__["iam_endpoint"] = iam_endpoint
|
983
1161
|
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
@@ -989,6 +1167,9 @@ class SecretBackend(pulumi.CustomResource):
|
|
989
1167
|
__props__.__dict__["path"] = path
|
990
1168
|
__props__.__dict__["region"] = region
|
991
1169
|
__props__.__dict__["role_arn"] = role_arn
|
1170
|
+
__props__.__dict__["rotation_period"] = rotation_period
|
1171
|
+
__props__.__dict__["rotation_schedule"] = rotation_schedule
|
1172
|
+
__props__.__dict__["rotation_window"] = rotation_window
|
992
1173
|
__props__.__dict__["secret_key"] = secret_key
|
993
1174
|
__props__.__dict__["sts_endpoint"] = sts_endpoint
|
994
1175
|
__props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints
|
@@ -999,7 +1180,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
999
1180
|
|
1000
1181
|
@property
|
1001
1182
|
@pulumi.getter(name="accessKey")
|
1002
|
-
def access_key(self) -> pulumi.Output[Optional[str]]:
|
1183
|
+
def access_key(self) -> pulumi.Output[Optional[builtins.str]]:
|
1003
1184
|
"""
|
1004
1185
|
The AWS Access Key ID this backend should use to
|
1005
1186
|
issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
|
@@ -1008,7 +1189,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1008
1189
|
|
1009
1190
|
@property
|
1010
1191
|
@pulumi.getter(name="defaultLeaseTtlSeconds")
|
1011
|
-
def default_lease_ttl_seconds(self) -> pulumi.Output[int]:
|
1192
|
+
def default_lease_ttl_seconds(self) -> pulumi.Output[builtins.int]:
|
1012
1193
|
"""
|
1013
1194
|
The default TTL for credentials
|
1014
1195
|
issued by this backend.
|
@@ -1017,15 +1198,23 @@ class SecretBackend(pulumi.CustomResource):
|
|
1017
1198
|
|
1018
1199
|
@property
|
1019
1200
|
@pulumi.getter
|
1020
|
-
def description(self) -> pulumi.Output[Optional[str]]:
|
1201
|
+
def description(self) -> pulumi.Output[Optional[builtins.str]]:
|
1021
1202
|
"""
|
1022
1203
|
A human-friendly description for this backend.
|
1023
1204
|
"""
|
1024
1205
|
return pulumi.get(self, "description")
|
1025
1206
|
|
1207
|
+
@property
|
1208
|
+
@pulumi.getter(name="disableAutomatedRotation")
|
1209
|
+
def disable_automated_rotation(self) -> pulumi.Output[Optional[builtins.bool]]:
|
1210
|
+
"""
|
1211
|
+
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
1212
|
+
"""
|
1213
|
+
return pulumi.get(self, "disable_automated_rotation")
|
1214
|
+
|
1026
1215
|
@property
|
1027
1216
|
@pulumi.getter(name="disableRemount")
|
1028
|
-
def disable_remount(self) -> pulumi.Output[Optional[bool]]:
|
1217
|
+
def disable_remount(self) -> pulumi.Output[Optional[builtins.bool]]:
|
1029
1218
|
"""
|
1030
1219
|
If set, opts out of mount migration on path updates.
|
1031
1220
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -1034,7 +1223,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1034
1223
|
|
1035
1224
|
@property
|
1036
1225
|
@pulumi.getter(name="iamEndpoint")
|
1037
|
-
def iam_endpoint(self) -> pulumi.Output[Optional[str]]:
|
1226
|
+
def iam_endpoint(self) -> pulumi.Output[Optional[builtins.str]]:
|
1038
1227
|
"""
|
1039
1228
|
Specifies a custom HTTP IAM endpoint to use.
|
1040
1229
|
"""
|
@@ -1042,7 +1231,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1042
1231
|
|
1043
1232
|
@property
|
1044
1233
|
@pulumi.getter(name="identityTokenAudience")
|
1045
|
-
def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
|
1234
|
+
def identity_token_audience(self) -> pulumi.Output[Optional[builtins.str]]:
|
1046
1235
|
"""
|
1047
1236
|
The audience claim value. Requires Vault 1.16+.
|
1048
1237
|
"""
|
@@ -1050,7 +1239,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1050
1239
|
|
1051
1240
|
@property
|
1052
1241
|
@pulumi.getter(name="identityTokenKey")
|
1053
|
-
def identity_token_key(self) -> pulumi.Output[Optional[str]]:
|
1242
|
+
def identity_token_key(self) -> pulumi.Output[Optional[builtins.str]]:
|
1054
1243
|
"""
|
1055
1244
|
The key to use for signing identity tokens. Requires Vault 1.16+.
|
1056
1245
|
"""
|
@@ -1058,7 +1247,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1058
1247
|
|
1059
1248
|
@property
|
1060
1249
|
@pulumi.getter(name="identityTokenTtl")
|
1061
|
-
def identity_token_ttl(self) -> pulumi.Output[int]:
|
1250
|
+
def identity_token_ttl(self) -> pulumi.Output[builtins.int]:
|
1062
1251
|
"""
|
1063
1252
|
The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
|
1064
1253
|
"""
|
@@ -1066,7 +1255,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1066
1255
|
|
1067
1256
|
@property
|
1068
1257
|
@pulumi.getter
|
1069
|
-
def local(self) -> pulumi.Output[Optional[bool]]:
|
1258
|
+
def local(self) -> pulumi.Output[Optional[builtins.bool]]:
|
1070
1259
|
"""
|
1071
1260
|
Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
|
1072
1261
|
"""
|
@@ -1074,7 +1263,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1074
1263
|
|
1075
1264
|
@property
|
1076
1265
|
@pulumi.getter(name="maxLeaseTtlSeconds")
|
1077
|
-
def max_lease_ttl_seconds(self) -> pulumi.Output[int]:
|
1266
|
+
def max_lease_ttl_seconds(self) -> pulumi.Output[builtins.int]:
|
1078
1267
|
"""
|
1079
1268
|
The maximum TTL that can be requested
|
1080
1269
|
for credentials issued by this backend.
|
@@ -1083,7 +1272,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1083
1272
|
|
1084
1273
|
@property
|
1085
1274
|
@pulumi.getter
|
1086
|
-
def namespace(self) -> pulumi.Output[Optional[str]]:
|
1275
|
+
def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
|
1087
1276
|
"""
|
1088
1277
|
The namespace to provision the resource in.
|
1089
1278
|
The value should not contain leading or trailing forward slashes.
|
@@ -1094,7 +1283,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1094
1283
|
|
1095
1284
|
@property
|
1096
1285
|
@pulumi.getter
|
1097
|
-
def path(self) -> pulumi.Output[Optional[str]]:
|
1286
|
+
def path(self) -> pulumi.Output[Optional[builtins.str]]:
|
1098
1287
|
"""
|
1099
1288
|
The unique path this backend should be mounted at. Must
|
1100
1289
|
not begin or end with a `/`. Defaults to `aws`.
|
@@ -1103,7 +1292,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1103
1292
|
|
1104
1293
|
@property
|
1105
1294
|
@pulumi.getter
|
1106
|
-
def region(self) -> pulumi.Output[str]:
|
1295
|
+
def region(self) -> pulumi.Output[builtins.str]:
|
1107
1296
|
"""
|
1108
1297
|
The AWS region to make API calls against. Defaults to us-east-1.
|
1109
1298
|
"""
|
@@ -1111,24 +1300,43 @@ class SecretBackend(pulumi.CustomResource):
|
|
1111
1300
|
|
1112
1301
|
@property
|
1113
1302
|
@pulumi.getter(name="roleArn")
|
1114
|
-
def role_arn(self) -> pulumi.Output[Optional[str]]:
|
1303
|
+
def role_arn(self) -> pulumi.Output[Optional[builtins.str]]:
|
1115
1304
|
"""
|
1116
1305
|
Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
|
1306
|
+
"""
|
1307
|
+
return pulumi.get(self, "role_arn")
|
1117
1308
|
|
1118
|
-
|
1119
|
-
|
1120
|
-
|
1121
|
-
|
1122
|
-
|
1123
|
-
|
1309
|
+
@property
|
1310
|
+
@pulumi.getter(name="rotationPeriod")
|
1311
|
+
def rotation_period(self) -> pulumi.Output[Optional[builtins.int]]:
|
1312
|
+
"""
|
1313
|
+
The amount of time in seconds Vault should wait before rotating the root credential.
|
1314
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
1315
|
+
"""
|
1316
|
+
return pulumi.get(self, "rotation_period")
|
1124
1317
|
|
1125
|
-
|
1318
|
+
@property
|
1319
|
+
@pulumi.getter(name="rotationSchedule")
|
1320
|
+
def rotation_schedule(self) -> pulumi.Output[Optional[builtins.str]]:
|
1126
1321
|
"""
|
1127
|
-
|
1322
|
+
The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
1323
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
|
1324
|
+
"""
|
1325
|
+
return pulumi.get(self, "rotation_schedule")
|
1326
|
+
|
1327
|
+
@property
|
1328
|
+
@pulumi.getter(name="rotationWindow")
|
1329
|
+
def rotation_window(self) -> pulumi.Output[Optional[builtins.int]]:
|
1330
|
+
"""
|
1331
|
+
The maximum amount of time in seconds allowed to complete
|
1332
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
1333
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
|
1334
|
+
"""
|
1335
|
+
return pulumi.get(self, "rotation_window")
|
1128
1336
|
|
1129
1337
|
@property
|
1130
1338
|
@pulumi.getter(name="secretKey")
|
1131
|
-
def secret_key(self) -> pulumi.Output[Optional[str]]:
|
1339
|
+
def secret_key(self) -> pulumi.Output[Optional[builtins.str]]:
|
1132
1340
|
"""
|
1133
1341
|
The AWS Secret Access Key to use when generating new credentials.
|
1134
1342
|
"""
|
@@ -1136,7 +1344,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1136
1344
|
|
1137
1345
|
@property
|
1138
1346
|
@pulumi.getter(name="stsEndpoint")
|
1139
|
-
def sts_endpoint(self) -> pulumi.Output[Optional[str]]:
|
1347
|
+
def sts_endpoint(self) -> pulumi.Output[Optional[builtins.str]]:
|
1140
1348
|
"""
|
1141
1349
|
Specifies a custom HTTP STS endpoint to use.
|
1142
1350
|
"""
|
@@ -1144,7 +1352,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1144
1352
|
|
1145
1353
|
@property
|
1146
1354
|
@pulumi.getter(name="stsFallbackEndpoints")
|
1147
|
-
def sts_fallback_endpoints(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1355
|
+
def sts_fallback_endpoints(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
|
1148
1356
|
"""
|
1149
1357
|
Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
|
1150
1358
|
"""
|
@@ -1152,7 +1360,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1152
1360
|
|
1153
1361
|
@property
|
1154
1362
|
@pulumi.getter(name="stsFallbackRegions")
|
1155
|
-
def sts_fallback_regions(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1363
|
+
def sts_fallback_regions(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
|
1156
1364
|
"""
|
1157
1365
|
Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
|
1158
1366
|
"""
|
@@ -1160,7 +1368,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
1160
1368
|
|
1161
1369
|
@property
|
1162
1370
|
@pulumi.getter(name="stsRegion")
|
1163
|
-
def sts_region(self) -> pulumi.Output[Optional[str]]:
|
1371
|
+
def sts_region(self) -> pulumi.Output[Optional[builtins.str]]:
|
1164
1372
|
"""
|
1165
1373
|
Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
|
1166
1374
|
"""
|
@@ -1168,9 +1376,18 @@ class SecretBackend(pulumi.CustomResource):
|
|
1168
1376
|
|
1169
1377
|
@property
|
1170
1378
|
@pulumi.getter(name="usernameTemplate")
|
1171
|
-
def username_template(self) -> pulumi.Output[str]:
|
1379
|
+
def username_template(self) -> pulumi.Output[builtins.str]:
|
1172
1380
|
"""
|
1173
1381
|
Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
|
1382
|
+
|
1383
|
+
```
|
1384
|
+
{{ if (eq .Type "STS") }}
|
1385
|
+
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
|
1386
|
+
{{ else }}
|
1387
|
+
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
|
1388
|
+
{{ end }}
|
1389
|
+
|
1390
|
+
```
|
1174
1391
|
"""
|
1175
1392
|
return pulumi.get(self, "username_template")
|
1176
1393
|
|