pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl

Files changed (264)
  1. pulumi_vault/__init__.py +9 -0
  2. pulumi_vault/_inputs.py +583 -562
  3. pulumi_vault/ad/__init__.py +1 -0
  4. pulumi_vault/ad/get_access_credentials.py +20 -19
  5. pulumi_vault/ad/secret_backend.py +477 -476
  6. pulumi_vault/ad/secret_library.py +99 -98
  7. pulumi_vault/ad/secret_role.py +85 -84
  8. pulumi_vault/alicloud/__init__.py +1 -0
  9. pulumi_vault/alicloud/auth_backend_role.py +183 -182
  10. pulumi_vault/approle/__init__.py +1 -0
  11. pulumi_vault/approle/auth_backend_login.py +106 -105
  12. pulumi_vault/approle/auth_backend_role.py +239 -238
  13. pulumi_vault/approle/auth_backend_role_secret_id.py +162 -161
  14. pulumi_vault/approle/get_auth_backend_role_id.py +18 -17
  15. pulumi_vault/audit.py +85 -84
  16. pulumi_vault/audit_request_header.py +43 -42
  17. pulumi_vault/auth_backend.py +106 -105
  18. pulumi_vault/aws/__init__.py +1 -0
  19. pulumi_vault/aws/auth_backend_cert.py +71 -70
  20. pulumi_vault/aws/auth_backend_client.py +425 -200
  21. pulumi_vault/aws/auth_backend_config_identity.py +85 -84
  22. pulumi_vault/aws/auth_backend_identity_whitelist.py +57 -56
  23. pulumi_vault/aws/auth_backend_login.py +209 -208
  24. pulumi_vault/aws/auth_backend_role.py +400 -399
  25. pulumi_vault/aws/auth_backend_role_tag.py +127 -126
  26. pulumi_vault/aws/auth_backend_roletag_blacklist.py +57 -56
  27. pulumi_vault/aws/auth_backend_sts_role.py +71 -70
  28. pulumi_vault/aws/get_access_credentials.py +44 -43
  29. pulumi_vault/aws/get_static_access_credentials.py +13 -12
  30. pulumi_vault/aws/secret_backend.py +523 -306
  31. pulumi_vault/aws/secret_backend_role.py +211 -210
  32. pulumi_vault/aws/secret_backend_static_role.py +288 -70
  33. pulumi_vault/azure/__init__.py +1 -0
  34. pulumi_vault/azure/_inputs.py +21 -20
  35. pulumi_vault/azure/auth_backend_config.py +383 -130
  36. pulumi_vault/azure/auth_backend_role.py +253 -252
  37. pulumi_vault/azure/backend.py +432 -186
  38. pulumi_vault/azure/backend_role.py +188 -140
  39. pulumi_vault/azure/get_access_credentials.py +58 -57
  40. pulumi_vault/azure/outputs.py +11 -10
  41. pulumi_vault/cert_auth_backend_role.py +365 -364
  42. pulumi_vault/config/__init__.py +1 -0
  43. pulumi_vault/config/__init__.pyi +1 -0
  44. pulumi_vault/config/_inputs.py +11 -10
  45. pulumi_vault/config/outputs.py +287 -286
  46. pulumi_vault/config/ui_custom_message.py +113 -112
  47. pulumi_vault/config/vars.py +1 -0
  48. pulumi_vault/consul/__init__.py +1 -0
  49. pulumi_vault/consul/secret_backend.py +197 -196
  50. pulumi_vault/consul/secret_backend_role.py +183 -182
  51. pulumi_vault/database/__init__.py +1 -0
  52. pulumi_vault/database/_inputs.py +3857 -2200
  53. pulumi_vault/database/outputs.py +2483 -1330
  54. pulumi_vault/database/secret_backend_connection.py +333 -112
  55. pulumi_vault/database/secret_backend_role.py +169 -168
  56. pulumi_vault/database/secret_backend_static_role.py +283 -140
  57. pulumi_vault/database/secrets_mount.py +275 -266
  58. pulumi_vault/egp_policy.py +71 -70
  59. pulumi_vault/gcp/__init__.py +1 -0
  60. pulumi_vault/gcp/_inputs.py +82 -81
  61. pulumi_vault/gcp/auth_backend.py +426 -205
  62. pulumi_vault/gcp/auth_backend_role.py +281 -280
  63. pulumi_vault/gcp/get_auth_backend_role.py +70 -69
  64. pulumi_vault/gcp/outputs.py +50 -49
  65. pulumi_vault/gcp/secret_backend.py +420 -179
  66. pulumi_vault/gcp/secret_impersonated_account.py +92 -91
  67. pulumi_vault/gcp/secret_roleset.py +92 -91
  68. pulumi_vault/gcp/secret_static_account.py +92 -91
  69. pulumi_vault/generic/__init__.py +1 -0
  70. pulumi_vault/generic/endpoint.py +113 -112
  71. pulumi_vault/generic/get_secret.py +28 -27
  72. pulumi_vault/generic/secret.py +78 -77
  73. pulumi_vault/get_auth_backend.py +19 -18
  74. pulumi_vault/get_auth_backends.py +14 -13
  75. pulumi_vault/get_namespace.py +15 -14
  76. pulumi_vault/get_namespaces.py +68 -18
  77. pulumi_vault/get_nomad_access_token.py +19 -18
  78. pulumi_vault/get_policy_document.py +6 -5
  79. pulumi_vault/get_raft_autopilot_state.py +18 -17
  80. pulumi_vault/github/__init__.py +1 -0
  81. pulumi_vault/github/_inputs.py +42 -41
  82. pulumi_vault/github/auth_backend.py +232 -231
  83. pulumi_vault/github/outputs.py +26 -25
  84. pulumi_vault/github/team.py +57 -56
  85. pulumi_vault/github/user.py +57 -56
  86. pulumi_vault/identity/__init__.py +1 -0
  87. pulumi_vault/identity/entity.py +85 -84
  88. pulumi_vault/identity/entity_alias.py +71 -70
  89. pulumi_vault/identity/entity_policies.py +64 -63
  90. pulumi_vault/identity/get_entity.py +43 -42
  91. pulumi_vault/identity/get_group.py +50 -49
  92. pulumi_vault/identity/get_oidc_client_creds.py +14 -13
  93. pulumi_vault/identity/get_oidc_openid_config.py +24 -23
  94. pulumi_vault/identity/get_oidc_public_keys.py +13 -12
  95. pulumi_vault/identity/group.py +141 -140
  96. pulumi_vault/identity/group_alias.py +57 -56
  97. pulumi_vault/identity/group_member_entity_ids.py +57 -56
  98. pulumi_vault/identity/group_member_group_ids.py +57 -56
  99. pulumi_vault/identity/group_policies.py +64 -63
  100. pulumi_vault/identity/mfa_duo.py +148 -147
  101. pulumi_vault/identity/mfa_login_enforcement.py +120 -119
  102. pulumi_vault/identity/mfa_okta.py +134 -133
  103. pulumi_vault/identity/mfa_pingid.py +127 -126
  104. pulumi_vault/identity/mfa_totp.py +176 -175
  105. pulumi_vault/identity/oidc.py +29 -28
  106. pulumi_vault/identity/oidc_assignment.py +57 -56
  107. pulumi_vault/identity/oidc_client.py +127 -126
  108. pulumi_vault/identity/oidc_key.py +85 -84
  109. pulumi_vault/identity/oidc_key_allowed_client_id.py +43 -42
  110. pulumi_vault/identity/oidc_provider.py +92 -91
  111. pulumi_vault/identity/oidc_role.py +85 -84
  112. pulumi_vault/identity/oidc_scope.py +57 -56
  113. pulumi_vault/identity/outputs.py +32 -31
  114. pulumi_vault/jwt/__init__.py +1 -0
  115. pulumi_vault/jwt/_inputs.py +42 -41
  116. pulumi_vault/jwt/auth_backend.py +288 -287
  117. pulumi_vault/jwt/auth_backend_role.py +407 -406
  118. pulumi_vault/jwt/outputs.py +26 -25
  119. pulumi_vault/kmip/__init__.py +1 -0
  120. pulumi_vault/kmip/secret_backend.py +183 -182
  121. pulumi_vault/kmip/secret_role.py +295 -294
  122. pulumi_vault/kmip/secret_scope.py +57 -56
  123. pulumi_vault/kubernetes/__init__.py +1 -0
  124. pulumi_vault/kubernetes/auth_backend_config.py +141 -140
  125. pulumi_vault/kubernetes/auth_backend_role.py +225 -224
  126. pulumi_vault/kubernetes/get_auth_backend_config.py +47 -46
  127. pulumi_vault/kubernetes/get_auth_backend_role.py +70 -69
  128. pulumi_vault/kubernetes/get_service_account_token.py +38 -37
  129. pulumi_vault/kubernetes/secret_backend.py +316 -315
  130. pulumi_vault/kubernetes/secret_backend_role.py +197 -196
  131. pulumi_vault/kv/__init__.py +1 -0
  132. pulumi_vault/kv/_inputs.py +21 -20
  133. pulumi_vault/kv/get_secret.py +17 -16
  134. pulumi_vault/kv/get_secret_subkeys_v2.py +30 -29
  135. pulumi_vault/kv/get_secret_v2.py +29 -28
  136. pulumi_vault/kv/get_secrets_list.py +13 -12
  137. pulumi_vault/kv/get_secrets_list_v2.py +19 -18
  138. pulumi_vault/kv/outputs.py +13 -12
  139. pulumi_vault/kv/secret.py +50 -49
  140. pulumi_vault/kv/secret_backend_v2.py +71 -70
  141. pulumi_vault/kv/secret_v2.py +134 -133
  142. pulumi_vault/ldap/__init__.py +1 -0
  143. pulumi_vault/ldap/auth_backend.py +754 -533
  144. pulumi_vault/ldap/auth_backend_group.py +57 -56
  145. pulumi_vault/ldap/auth_backend_user.py +71 -70
  146. pulumi_vault/ldap/get_dynamic_credentials.py +17 -16
  147. pulumi_vault/ldap/get_static_credentials.py +18 -17
  148. pulumi_vault/ldap/secret_backend.py +720 -499
  149. pulumi_vault/ldap/secret_backend_dynamic_role.py +127 -126
  150. pulumi_vault/ldap/secret_backend_library_set.py +99 -98
  151. pulumi_vault/ldap/secret_backend_static_role.py +99 -98
  152. pulumi_vault/managed/__init__.py +1 -0
  153. pulumi_vault/managed/_inputs.py +229 -228
  154. pulumi_vault/managed/keys.py +15 -14
  155. pulumi_vault/managed/outputs.py +139 -138
  156. pulumi_vault/mfa_duo.py +113 -112
  157. pulumi_vault/mfa_okta.py +113 -112
  158. pulumi_vault/mfa_pingid.py +120 -119
  159. pulumi_vault/mfa_totp.py +127 -126
  160. pulumi_vault/mongodbatlas/__init__.py +1 -0
  161. pulumi_vault/mongodbatlas/secret_backend.py +64 -63
  162. pulumi_vault/mongodbatlas/secret_role.py +155 -154
  163. pulumi_vault/mount.py +274 -273
  164. pulumi_vault/namespace.py +64 -63
  165. pulumi_vault/nomad_secret_backend.py +211 -210
  166. pulumi_vault/nomad_secret_role.py +85 -84
  167. pulumi_vault/okta/__init__.py +1 -0
  168. pulumi_vault/okta/_inputs.py +26 -25
  169. pulumi_vault/okta/auth_backend.py +274 -273
  170. pulumi_vault/okta/auth_backend_group.py +57 -56
  171. pulumi_vault/okta/auth_backend_user.py +71 -70
  172. pulumi_vault/okta/outputs.py +16 -15
  173. pulumi_vault/outputs.py +73 -60
  174. pulumi_vault/password_policy.py +43 -42
  175. pulumi_vault/pkisecret/__init__.py +3 -0
  176. pulumi_vault/pkisecret/_inputs.py +31 -36
  177. pulumi_vault/pkisecret/backend_acme_eab.py +92 -91
  178. pulumi_vault/pkisecret/backend_config_acme.py +174 -126
  179. pulumi_vault/pkisecret/backend_config_auto_tidy.py +1377 -0
  180. pulumi_vault/pkisecret/backend_config_cluster.py +57 -56
  181. pulumi_vault/pkisecret/backend_config_cmpv2.py +152 -104
  182. pulumi_vault/pkisecret/backend_config_est.py +120 -119
  183. pulumi_vault/pkisecret/get_backend_cert_metadata.py +278 -0
  184. pulumi_vault/pkisecret/get_backend_config_cmpv2.py +35 -17
  185. pulumi_vault/pkisecret/get_backend_config_est.py +19 -18
  186. pulumi_vault/pkisecret/get_backend_issuer.py +139 -25
  187. pulumi_vault/pkisecret/get_backend_issuers.py +15 -14
  188. pulumi_vault/pkisecret/get_backend_key.py +20 -19
  189. pulumi_vault/pkisecret/get_backend_keys.py +15 -14
  190. pulumi_vault/pkisecret/outputs.py +28 -31
  191. pulumi_vault/pkisecret/secret_backend_cert.py +439 -297
  192. pulumi_vault/pkisecret/secret_backend_config_ca.py +43 -42
  193. pulumi_vault/pkisecret/secret_backend_config_issuers.py +57 -56
  194. pulumi_vault/pkisecret/secret_backend_config_urls.py +85 -84
  195. pulumi_vault/pkisecret/secret_backend_crl_config.py +237 -182
  196. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +520 -378
  197. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +57 -56
  198. pulumi_vault/pkisecret/secret_backend_issuer.py +441 -175
  199. pulumi_vault/pkisecret/secret_backend_key.py +120 -119
  200. pulumi_vault/pkisecret/secret_backend_role.py +894 -644
  201. pulumi_vault/pkisecret/secret_backend_root_cert.py +851 -427
  202. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +936 -357
  203. pulumi_vault/pkisecret/secret_backend_sign.py +347 -252
  204. pulumi_vault/plugin.py +127 -126
  205. pulumi_vault/plugin_pinned_version.py +43 -42
  206. pulumi_vault/policy.py +43 -42
  207. pulumi_vault/provider.py +120 -119
  208. pulumi_vault/pulumi-plugin.json +1 -1
  209. pulumi_vault/quota_lease_count.py +85 -84
  210. pulumi_vault/quota_rate_limit.py +113 -112
  211. pulumi_vault/rabbitmq/__init__.py +1 -0
  212. pulumi_vault/rabbitmq/_inputs.py +41 -40
  213. pulumi_vault/rabbitmq/outputs.py +25 -24
  214. pulumi_vault/rabbitmq/secret_backend.py +169 -168
  215. pulumi_vault/rabbitmq/secret_backend_role.py +57 -56
  216. pulumi_vault/raft_autopilot.py +113 -112
  217. pulumi_vault/raft_snapshot_agent_config.py +393 -392
  218. pulumi_vault/rgp_policy.py +57 -56
  219. pulumi_vault/saml/__init__.py +1 -0
  220. pulumi_vault/saml/auth_backend.py +155 -154
  221. pulumi_vault/saml/auth_backend_role.py +239 -238
  222. pulumi_vault/secrets/__init__.py +1 -0
  223. pulumi_vault/secrets/_inputs.py +16 -15
  224. pulumi_vault/secrets/outputs.py +10 -9
  225. pulumi_vault/secrets/sync_association.py +71 -70
  226. pulumi_vault/secrets/sync_aws_destination.py +148 -147
  227. pulumi_vault/secrets/sync_azure_destination.py +148 -147
  228. pulumi_vault/secrets/sync_config.py +43 -42
  229. pulumi_vault/secrets/sync_gcp_destination.py +106 -105
  230. pulumi_vault/secrets/sync_gh_destination.py +134 -133
  231. pulumi_vault/secrets/sync_github_apps.py +64 -63
  232. pulumi_vault/secrets/sync_vercel_destination.py +120 -119
  233. pulumi_vault/ssh/__init__.py +2 -0
  234. pulumi_vault/ssh/_inputs.py +11 -10
  235. pulumi_vault/ssh/get_secret_backend_sign.py +295 -0
  236. pulumi_vault/ssh/outputs.py +7 -6
  237. pulumi_vault/ssh/secret_backend_ca.py +99 -98
  238. pulumi_vault/ssh/secret_backend_role.py +365 -364
  239. pulumi_vault/terraformcloud/__init__.py +1 -0
  240. pulumi_vault/terraformcloud/secret_backend.py +111 -110
  241. pulumi_vault/terraformcloud/secret_creds.py +74 -73
  242. pulumi_vault/terraformcloud/secret_role.py +96 -95
  243. pulumi_vault/token.py +246 -245
  244. pulumi_vault/tokenauth/__init__.py +1 -0
  245. pulumi_vault/tokenauth/auth_backend_role.py +267 -266
  246. pulumi_vault/transform/__init__.py +1 -0
  247. pulumi_vault/transform/alphabet.py +57 -56
  248. pulumi_vault/transform/get_decode.py +47 -46
  249. pulumi_vault/transform/get_encode.py +47 -46
  250. pulumi_vault/transform/role.py +57 -56
  251. pulumi_vault/transform/template.py +113 -112
  252. pulumi_vault/transform/transformation.py +141 -140
  253. pulumi_vault/transit/__init__.py +3 -0
  254. pulumi_vault/transit/get_decrypt.py +18 -17
  255. pulumi_vault/transit/get_encrypt.py +21 -20
  256. pulumi_vault/transit/get_sign.py +325 -0
  257. pulumi_vault/transit/get_verify.py +355 -0
  258. pulumi_vault/transit/secret_backend_key.py +394 -231
  259. pulumi_vault/transit/secret_cache_config.py +43 -42
  260. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/METADATA +2 -2
  261. pulumi_vault-6.7.0.dist-info/RECORD +265 -0
  262. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/WHEEL +1 -1
  263. pulumi_vault-6.6.0a1741415971.dist-info/RECORD +0 -260
  264. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/top_level.txt +0 -0
@@ -2,6 +2,7 @@
2
2
  # *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
3
3
  # *** Do not edit by hand unless you're certain you know what you are doing! ***
4
4
 
5
+ import builtins
5
6
  import copy
6
7
  import warnings
7
8
  import sys
@@ -21,27 +22,31 @@ __all__ = ['AuthBackendArgs', 'AuthBackend']
21
22
  @pulumi.input_type
22
23
  class AuthBackendArgs:
23
24
  def __init__(__self__, *,
24
- client_email: Optional[pulumi.Input[str]] = None,
25
- client_id: Optional[pulumi.Input[str]] = None,
26
- credentials: Optional[pulumi.Input[str]] = None,
25
+ client_email: Optional[pulumi.Input[builtins.str]] = None,
26
+ client_id: Optional[pulumi.Input[builtins.str]] = None,
27
+ credentials: Optional[pulumi.Input[builtins.str]] = None,
27
28
  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
28
- description: Optional[pulumi.Input[str]] = None,
29
- disable_remount: Optional[pulumi.Input[bool]] = None,
30
- identity_token_audience: Optional[pulumi.Input[str]] = None,
31
- identity_token_key: Optional[pulumi.Input[str]] = None,
32
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
33
- local: Optional[pulumi.Input[bool]] = None,
34
- namespace: Optional[pulumi.Input[str]] = None,
35
- path: Optional[pulumi.Input[str]] = None,
36
- private_key_id: Optional[pulumi.Input[str]] = None,
37
- project_id: Optional[pulumi.Input[str]] = None,
38
- service_account_email: Optional[pulumi.Input[str]] = None,
29
+ description: Optional[pulumi.Input[builtins.str]] = None,
30
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
31
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
32
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
33
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
34
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
35
+ local: Optional[pulumi.Input[builtins.bool]] = None,
36
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
37
+ path: Optional[pulumi.Input[builtins.str]] = None,
38
+ private_key_id: Optional[pulumi.Input[builtins.str]] = None,
39
+ project_id: Optional[pulumi.Input[builtins.str]] = None,
40
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
41
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
42
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
43
+ service_account_email: Optional[pulumi.Input[builtins.str]] = None,
39
44
  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
40
45
  """
41
46
  The set of arguments for constructing a AuthBackend resource.
42
- :param pulumi.Input[str] client_email: The clients email associated with the credentials
43
- :param pulumi.Input[str] client_id: The Client ID of the credentials
44
- :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
47
+ :param pulumi.Input[builtins.str] client_email: The clients email associated with the credentials
48
+ :param pulumi.Input[builtins.str] client_id: The Client ID of the credentials
49
+ :param pulumi.Input[builtins.str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
45
50
  :param pulumi.Input['AuthBackendCustomEndpointArgs'] custom_endpoint: Specifies overrides to
46
51
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
47
52
  used when making API requests. This allows specific requests made during authentication
@@ -49,24 +54,32 @@ class AuthBackendArgs:
49
54
  environments. Requires Vault 1.11+.
50
55
 
51
56
  Overrides are set at the subdomain level using the following keys:
52
- :param pulumi.Input[str] description: A description of the auth method.
53
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
57
+ :param pulumi.Input[builtins.str] description: A description of the auth method.
58
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
59
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
54
60
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
55
- :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
61
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
56
62
  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
57
63
  Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
58
- :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
64
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
59
65
  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
60
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
61
- :param pulumi.Input[bool] local: Specifies if the auth method is local only.
62
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
66
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
67
+ :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
68
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
63
69
  The value should not contain leading or trailing forward slashes.
64
70
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
65
71
  *Available only for Vault Enterprise*.
66
- :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
67
- :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
68
- :param pulumi.Input[str] project_id: The GCP Project ID
69
- :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
72
+ :param pulumi.Input[builtins.str] path: The path to mount the auth method — this defaults to 'gcp'.
73
+ :param pulumi.Input[builtins.str] private_key_id: The ID of the private key from the credentials
74
+ :param pulumi.Input[builtins.str] project_id: The GCP Project ID
75
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
76
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
77
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
78
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
79
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
80
+ a rotation when a scheduled token rotation occurs. The default rotation window is
81
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
82
+ :param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
70
83
  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
71
84
  :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
72
85
 
@@ -82,6 +95,8 @@ class AuthBackendArgs:
82
95
  pulumi.set(__self__, "custom_endpoint", custom_endpoint)
83
96
  if description is not None:
84
97
  pulumi.set(__self__, "description", description)
98
+ if disable_automated_rotation is not None:
99
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
85
100
  if disable_remount is not None:
86
101
  pulumi.set(__self__, "disable_remount", disable_remount)
87
102
  if identity_token_audience is not None:
@@ -100,6 +115,12 @@ class AuthBackendArgs:
100
115
  pulumi.set(__self__, "private_key_id", private_key_id)
101
116
  if project_id is not None:
102
117
  pulumi.set(__self__, "project_id", project_id)
118
+ if rotation_period is not None:
119
+ pulumi.set(__self__, "rotation_period", rotation_period)
120
+ if rotation_schedule is not None:
121
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
122
+ if rotation_window is not None:
123
+ pulumi.set(__self__, "rotation_window", rotation_window)
103
124
  if service_account_email is not None:
104
125
  pulumi.set(__self__, "service_account_email", service_account_email)
105
126
  if tune is not None:
@@ -107,38 +128,38 @@ class AuthBackendArgs:
107
128
 
108
129
  @property
109
130
  @pulumi.getter(name="clientEmail")
110
- def client_email(self) -> Optional[pulumi.Input[str]]:
131
+ def client_email(self) -> Optional[pulumi.Input[builtins.str]]:
111
132
  """
112
133
  The clients email associated with the credentials
113
134
  """
114
135
  return pulumi.get(self, "client_email")
115
136
 
116
137
  @client_email.setter
117
- def client_email(self, value: Optional[pulumi.Input[str]]):
138
+ def client_email(self, value: Optional[pulumi.Input[builtins.str]]):
118
139
  pulumi.set(self, "client_email", value)
119
140
 
120
141
  @property
121
142
  @pulumi.getter(name="clientId")
122
- def client_id(self) -> Optional[pulumi.Input[str]]:
143
+ def client_id(self) -> Optional[pulumi.Input[builtins.str]]:
123
144
  """
124
145
  The Client ID of the credentials
125
146
  """
126
147
  return pulumi.get(self, "client_id")
127
148
 
128
149
  @client_id.setter
129
- def client_id(self, value: Optional[pulumi.Input[str]]):
150
+ def client_id(self, value: Optional[pulumi.Input[builtins.str]]):
130
151
  pulumi.set(self, "client_id", value)
131
152
 
132
153
  @property
133
154
  @pulumi.getter
134
- def credentials(self) -> Optional[pulumi.Input[str]]:
155
+ def credentials(self) -> Optional[pulumi.Input[builtins.str]]:
135
156
  """
136
157
  A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
137
158
  """
138
159
  return pulumi.get(self, "credentials")
139
160
 
140
161
  @credentials.setter
141
- def credentials(self, value: Optional[pulumi.Input[str]]):
162
+ def credentials(self, value: Optional[pulumi.Input[builtins.str]]):
142
163
  pulumi.set(self, "credentials", value)
143
164
 
144
165
  @property
@@ -161,19 +182,31 @@ class AuthBackendArgs:
161
182
 
162
183
  @property
163
184
  @pulumi.getter
164
- def description(self) -> Optional[pulumi.Input[str]]:
185
+ def description(self) -> Optional[pulumi.Input[builtins.str]]:
165
186
  """
166
187
  A description of the auth method.
167
188
  """
168
189
  return pulumi.get(self, "description")
169
190
 
170
191
  @description.setter
171
- def description(self, value: Optional[pulumi.Input[str]]):
192
+ def description(self, value: Optional[pulumi.Input[builtins.str]]):
172
193
  pulumi.set(self, "description", value)
173
194
 
195
+ @property
196
+ @pulumi.getter(name="disableAutomatedRotation")
197
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
198
+ """
199
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
200
+ """
201
+ return pulumi.get(self, "disable_automated_rotation")
202
+
203
+ @disable_automated_rotation.setter
204
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
205
+ pulumi.set(self, "disable_automated_rotation", value)
206
+
174
207
  @property
175
208
  @pulumi.getter(name="disableRemount")
176
- def disable_remount(self) -> Optional[pulumi.Input[bool]]:
209
+ def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
177
210
  """
178
211
  If set, opts out of mount migration on path updates.
179
212
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
@@ -181,12 +214,12 @@ class AuthBackendArgs:
181
214
  return pulumi.get(self, "disable_remount")
182
215
 
183
216
  @disable_remount.setter
184
- def disable_remount(self, value: Optional[pulumi.Input[bool]]):
217
+ def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
185
218
  pulumi.set(self, "disable_remount", value)
186
219
 
187
220
  @property
188
221
  @pulumi.getter(name="identityTokenAudience")
189
- def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
222
+ def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
190
223
  """
191
224
  The audience claim value for plugin identity
192
225
  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
@@ -195,12 +228,12 @@ class AuthBackendArgs:
195
228
  return pulumi.get(self, "identity_token_audience")
196
229
 
197
230
  @identity_token_audience.setter
198
- def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
231
+ def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
199
232
  pulumi.set(self, "identity_token_audience", value)
200
233
 
201
234
  @property
202
235
  @pulumi.getter(name="identityTokenKey")
203
- def identity_token_key(self) -> Optional[pulumi.Input[str]]:
236
+ def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
204
237
  """
205
238
  The key to use for signing plugin identity
206
239
  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
@@ -208,36 +241,36 @@ class AuthBackendArgs:
208
241
  return pulumi.get(self, "identity_token_key")
209
242
 
210
243
  @identity_token_key.setter
211
- def identity_token_key(self, value: Optional[pulumi.Input[str]]):
244
+ def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
212
245
  pulumi.set(self, "identity_token_key", value)
213
246
 
214
247
  @property
215
248
  @pulumi.getter(name="identityTokenTtl")
216
- def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
249
+ def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
217
250
  """
218
251
  The TTL of generated tokens.
219
252
  """
220
253
  return pulumi.get(self, "identity_token_ttl")
221
254
 
222
255
  @identity_token_ttl.setter
223
- def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
256
+ def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
224
257
  pulumi.set(self, "identity_token_ttl", value)
225
258
 
226
259
  @property
227
260
  @pulumi.getter
228
- def local(self) -> Optional[pulumi.Input[bool]]:
261
+ def local(self) -> Optional[pulumi.Input[builtins.bool]]:
229
262
  """
230
263
  Specifies if the auth method is local only.
231
264
  """
232
265
  return pulumi.get(self, "local")
233
266
 
234
267
  @local.setter
235
- def local(self, value: Optional[pulumi.Input[bool]]):
268
+ def local(self, value: Optional[pulumi.Input[builtins.bool]]):
236
269
  pulumi.set(self, "local", value)
237
270
 
238
271
  @property
239
272
  @pulumi.getter
240
- def namespace(self) -> Optional[pulumi.Input[str]]:
273
+ def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
241
274
  """
242
275
  The namespace to provision the resource in.
243
276
  The value should not contain leading or trailing forward slashes.
@@ -247,48 +280,88 @@ class AuthBackendArgs:
247
280
  return pulumi.get(self, "namespace")
248
281
 
249
282
  @namespace.setter
250
- def namespace(self, value: Optional[pulumi.Input[str]]):
283
+ def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
251
284
  pulumi.set(self, "namespace", value)
252
285
 
253
286
  @property
254
287
  @pulumi.getter
255
- def path(self) -> Optional[pulumi.Input[str]]:
288
+ def path(self) -> Optional[pulumi.Input[builtins.str]]:
256
289
  """
257
290
  The path to mount the auth method — this defaults to 'gcp'.
258
291
  """
259
292
  return pulumi.get(self, "path")
260
293
 
261
294
  @path.setter
262
- def path(self, value: Optional[pulumi.Input[str]]):
295
+ def path(self, value: Optional[pulumi.Input[builtins.str]]):
263
296
  pulumi.set(self, "path", value)
264
297
 
265
298
  @property
266
299
  @pulumi.getter(name="privateKeyId")
267
- def private_key_id(self) -> Optional[pulumi.Input[str]]:
300
+ def private_key_id(self) -> Optional[pulumi.Input[builtins.str]]:
268
301
  """
269
302
  The ID of the private key from the credentials
270
303
  """
271
304
  return pulumi.get(self, "private_key_id")
272
305
 
273
306
  @private_key_id.setter
274
- def private_key_id(self, value: Optional[pulumi.Input[str]]):
307
+ def private_key_id(self, value: Optional[pulumi.Input[builtins.str]]):
275
308
  pulumi.set(self, "private_key_id", value)
276
309
 
277
310
  @property
278
311
  @pulumi.getter(name="projectId")
279
- def project_id(self) -> Optional[pulumi.Input[str]]:
312
+ def project_id(self) -> Optional[pulumi.Input[builtins.str]]:
280
313
  """
281
314
  The GCP Project ID
282
315
  """
283
316
  return pulumi.get(self, "project_id")
284
317
 
285
318
  @project_id.setter
286
- def project_id(self, value: Optional[pulumi.Input[str]]):
319
+ def project_id(self, value: Optional[pulumi.Input[builtins.str]]):
287
320
  pulumi.set(self, "project_id", value)
288
321
 
322
+ @property
323
+ @pulumi.getter(name="rotationPeriod")
324
+ def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
325
+ """
326
+ The amount of time in seconds Vault should wait before rotating the root credential.
327
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
328
+ """
329
+ return pulumi.get(self, "rotation_period")
330
+
331
+ @rotation_period.setter
332
+ def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
333
+ pulumi.set(self, "rotation_period", value)
334
+
335
+ @property
336
+ @pulumi.getter(name="rotationSchedule")
337
+ def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
338
+ """
339
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
340
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
341
+ """
342
+ return pulumi.get(self, "rotation_schedule")
343
+
344
+ @rotation_schedule.setter
345
+ def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
346
+ pulumi.set(self, "rotation_schedule", value)
347
+
348
+ @property
349
+ @pulumi.getter(name="rotationWindow")
350
+ def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
351
+ """
352
+ The maximum amount of time in seconds allowed to complete
353
+ a rotation when a scheduled token rotation occurs. The default rotation window is
354
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
355
+ """
356
+ return pulumi.get(self, "rotation_window")
357
+
358
+ @rotation_window.setter
359
+ def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
360
+ pulumi.set(self, "rotation_window", value)
361
+
289
362
  @property
290
363
  @pulumi.getter(name="serviceAccountEmail")
291
- def service_account_email(self) -> Optional[pulumi.Input[str]]:
364
+ def service_account_email(self) -> Optional[pulumi.Input[builtins.str]]:
292
365
  """
293
366
  Service Account to impersonate for plugin workload identity federation.
294
367
  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
@@ -296,7 +369,7 @@ class AuthBackendArgs:
296
369
  return pulumi.get(self, "service_account_email")
297
370
 
298
371
  @service_account_email.setter
299
- def service_account_email(self, value: Optional[pulumi.Input[str]]):
372
+ def service_account_email(self, value: Optional[pulumi.Input[builtins.str]]):
300
373
  pulumi.set(self, "service_account_email", value)
301
374
 
302
375
  @property
@@ -317,29 +390,33 @@ class AuthBackendArgs:
317
390
  @pulumi.input_type
318
391
  class _AuthBackendState:
319
392
  def __init__(__self__, *,
320
- accessor: Optional[pulumi.Input[str]] = None,
321
- client_email: Optional[pulumi.Input[str]] = None,
322
- client_id: Optional[pulumi.Input[str]] = None,
323
- credentials: Optional[pulumi.Input[str]] = None,
393
+ accessor: Optional[pulumi.Input[builtins.str]] = None,
394
+ client_email: Optional[pulumi.Input[builtins.str]] = None,
395
+ client_id: Optional[pulumi.Input[builtins.str]] = None,
396
+ credentials: Optional[pulumi.Input[builtins.str]] = None,
324
397
  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
325
- description: Optional[pulumi.Input[str]] = None,
326
- disable_remount: Optional[pulumi.Input[bool]] = None,
327
- identity_token_audience: Optional[pulumi.Input[str]] = None,
328
- identity_token_key: Optional[pulumi.Input[str]] = None,
329
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
330
- local: Optional[pulumi.Input[bool]] = None,
331
- namespace: Optional[pulumi.Input[str]] = None,
332
- path: Optional[pulumi.Input[str]] = None,
333
- private_key_id: Optional[pulumi.Input[str]] = None,
334
- project_id: Optional[pulumi.Input[str]] = None,
335
- service_account_email: Optional[pulumi.Input[str]] = None,
398
+ description: Optional[pulumi.Input[builtins.str]] = None,
399
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
400
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
401
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
402
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
403
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
404
+ local: Optional[pulumi.Input[builtins.bool]] = None,
405
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
406
+ path: Optional[pulumi.Input[builtins.str]] = None,
407
+ private_key_id: Optional[pulumi.Input[builtins.str]] = None,
408
+ project_id: Optional[pulumi.Input[builtins.str]] = None,
409
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
410
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
411
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
412
+ service_account_email: Optional[pulumi.Input[builtins.str]] = None,
336
413
  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
337
414
  """
338
415
  Input properties used for looking up and filtering AuthBackend resources.
339
- :param pulumi.Input[str] accessor: The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
340
- :param pulumi.Input[str] client_email: The clients email associated with the credentials
341
- :param pulumi.Input[str] client_id: The Client ID of the credentials
342
- :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
416
+ :param pulumi.Input[builtins.str] accessor: The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
417
+ :param pulumi.Input[builtins.str] client_email: The clients email associated with the credentials
418
+ :param pulumi.Input[builtins.str] client_id: The Client ID of the credentials
419
+ :param pulumi.Input[builtins.str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
343
420
  :param pulumi.Input['AuthBackendCustomEndpointArgs'] custom_endpoint: Specifies overrides to
344
421
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
345
422
  used when making API requests. This allows specific requests made during authentication
@@ -347,24 +424,32 @@ class _AuthBackendState:
347
424
  environments. Requires Vault 1.11+.
348
425
 
349
426
  Overrides are set at the subdomain level using the following keys:
350
- :param pulumi.Input[str] description: A description of the auth method.
351
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
427
+ :param pulumi.Input[builtins.str] description: A description of the auth method.
428
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
429
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
352
430
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
353
- :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
431
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
354
432
  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
355
433
  Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
356
- :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
434
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
357
435
  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
358
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
359
- :param pulumi.Input[bool] local: Specifies if the auth method is local only.
360
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
436
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
437
+ :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
438
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
361
439
  The value should not contain leading or trailing forward slashes.
362
440
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
363
441
  *Available only for Vault Enterprise*.
364
- :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
365
- :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
366
- :param pulumi.Input[str] project_id: The GCP Project ID
367
- :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
442
+ :param pulumi.Input[builtins.str] path: The path to mount the auth method — this defaults to 'gcp'.
443
+ :param pulumi.Input[builtins.str] private_key_id: The ID of the private key from the credentials
444
+ :param pulumi.Input[builtins.str] project_id: The GCP Project ID
445
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
446
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
447
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
448
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
449
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
450
+ a rotation when a scheduled token rotation occurs. The default rotation window is
451
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
452
+ :param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
368
453
  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
369
454
  :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
370
455
 
@@ -382,6 +467,8 @@ class _AuthBackendState:
382
467
  pulumi.set(__self__, "custom_endpoint", custom_endpoint)
383
468
  if description is not None:
384
469
  pulumi.set(__self__, "description", description)
470
+ if disable_automated_rotation is not None:
471
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
385
472
  if disable_remount is not None:
386
473
  pulumi.set(__self__, "disable_remount", disable_remount)
387
474
  if identity_token_audience is not None:
@@ -400,6 +487,12 @@ class _AuthBackendState:
400
487
  pulumi.set(__self__, "private_key_id", private_key_id)
401
488
  if project_id is not None:
402
489
  pulumi.set(__self__, "project_id", project_id)
490
+ if rotation_period is not None:
491
+ pulumi.set(__self__, "rotation_period", rotation_period)
492
+ if rotation_schedule is not None:
493
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
494
+ if rotation_window is not None:
495
+ pulumi.set(__self__, "rotation_window", rotation_window)
403
496
  if service_account_email is not None:
404
497
  pulumi.set(__self__, "service_account_email", service_account_email)
405
498
  if tune is not None:
@@ -407,50 +500,50 @@ class _AuthBackendState:
407
500
 
408
501
  @property
409
502
  @pulumi.getter
410
- def accessor(self) -> Optional[pulumi.Input[str]]:
503
+ def accessor(self) -> Optional[pulumi.Input[builtins.str]]:
411
504
  """
412
505
  The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
413
506
  """
414
507
  return pulumi.get(self, "accessor")
415
508
 
416
509
  @accessor.setter
417
- def accessor(self, value: Optional[pulumi.Input[str]]):
510
+ def accessor(self, value: Optional[pulumi.Input[builtins.str]]):
418
511
  pulumi.set(self, "accessor", value)
419
512
 
420
513
  @property
421
514
  @pulumi.getter(name="clientEmail")
422
- def client_email(self) -> Optional[pulumi.Input[str]]:
515
+ def client_email(self) -> Optional[pulumi.Input[builtins.str]]:
423
516
  """
424
517
  The clients email associated with the credentials
425
518
  """
426
519
  return pulumi.get(self, "client_email")
427
520
 
428
521
  @client_email.setter
429
- def client_email(self, value: Optional[pulumi.Input[str]]):
522
+ def client_email(self, value: Optional[pulumi.Input[builtins.str]]):
430
523
  pulumi.set(self, "client_email", value)
431
524
 
432
525
  @property
433
526
  @pulumi.getter(name="clientId")
434
- def client_id(self) -> Optional[pulumi.Input[str]]:
527
+ def client_id(self) -> Optional[pulumi.Input[builtins.str]]:
435
528
  """
436
529
  The Client ID of the credentials
437
530
  """
438
531
  return pulumi.get(self, "client_id")
439
532
 
440
533
  @client_id.setter
441
- def client_id(self, value: Optional[pulumi.Input[str]]):
534
+ def client_id(self, value: Optional[pulumi.Input[builtins.str]]):
442
535
  pulumi.set(self, "client_id", value)
443
536
 
444
537
  @property
445
538
  @pulumi.getter
446
- def credentials(self) -> Optional[pulumi.Input[str]]:
539
+ def credentials(self) -> Optional[pulumi.Input[builtins.str]]:
447
540
  """
448
541
  A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
449
542
  """
450
543
  return pulumi.get(self, "credentials")
451
544
 
452
545
  @credentials.setter
453
- def credentials(self, value: Optional[pulumi.Input[str]]):
546
+ def credentials(self, value: Optional[pulumi.Input[builtins.str]]):
454
547
  pulumi.set(self, "credentials", value)
455
548
 
456
549
  @property
@@ -473,19 +566,31 @@ class _AuthBackendState:
473
566
 
474
567
  @property
475
568
  @pulumi.getter
476
- def description(self) -> Optional[pulumi.Input[str]]:
569
+ def description(self) -> Optional[pulumi.Input[builtins.str]]:
477
570
  """
478
571
  A description of the auth method.
479
572
  """
480
573
  return pulumi.get(self, "description")
481
574
 
482
575
  @description.setter
483
- def description(self, value: Optional[pulumi.Input[str]]):
576
+ def description(self, value: Optional[pulumi.Input[builtins.str]]):
484
577
  pulumi.set(self, "description", value)
485
578
 
579
+ @property
580
+ @pulumi.getter(name="disableAutomatedRotation")
581
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
582
+ """
583
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
584
+ """
585
+ return pulumi.get(self, "disable_automated_rotation")
586
+
587
+ @disable_automated_rotation.setter
588
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
589
+ pulumi.set(self, "disable_automated_rotation", value)
590
+
486
591
  @property
487
592
  @pulumi.getter(name="disableRemount")
488
- def disable_remount(self) -> Optional[pulumi.Input[bool]]:
593
+ def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
489
594
  """
490
595
  If set, opts out of mount migration on path updates.
491
596
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
@@ -493,12 +598,12 @@ class _AuthBackendState:
493
598
  return pulumi.get(self, "disable_remount")
494
599
 
495
600
  @disable_remount.setter
496
- def disable_remount(self, value: Optional[pulumi.Input[bool]]):
601
+ def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
497
602
  pulumi.set(self, "disable_remount", value)
498
603
 
499
604
  @property
500
605
  @pulumi.getter(name="identityTokenAudience")
501
- def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
606
+ def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
502
607
  """
503
608
  The audience claim value for plugin identity
504
609
  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
@@ -507,12 +612,12 @@ class _AuthBackendState:
507
612
  return pulumi.get(self, "identity_token_audience")
508
613
 
509
614
  @identity_token_audience.setter
510
- def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
615
+ def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
511
616
  pulumi.set(self, "identity_token_audience", value)
512
617
 
513
618
  @property
514
619
  @pulumi.getter(name="identityTokenKey")
515
- def identity_token_key(self) -> Optional[pulumi.Input[str]]:
620
+ def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
516
621
  """
517
622
  The key to use for signing plugin identity
518
623
  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
@@ -520,36 +625,36 @@ class _AuthBackendState:
520
625
  return pulumi.get(self, "identity_token_key")
521
626
 
522
627
  @identity_token_key.setter
523
- def identity_token_key(self, value: Optional[pulumi.Input[str]]):
628
+ def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
524
629
  pulumi.set(self, "identity_token_key", value)
525
630
 
526
631
  @property
527
632
  @pulumi.getter(name="identityTokenTtl")
528
- def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
633
+ def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
529
634
  """
530
635
  The TTL of generated tokens.
531
636
  """
532
637
  return pulumi.get(self, "identity_token_ttl")
533
638
 
534
639
  @identity_token_ttl.setter
535
- def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
640
+ def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
536
641
  pulumi.set(self, "identity_token_ttl", value)
537
642
 
538
643
  @property
539
644
  @pulumi.getter
540
- def local(self) -> Optional[pulumi.Input[bool]]:
645
+ def local(self) -> Optional[pulumi.Input[builtins.bool]]:
541
646
  """
542
647
  Specifies if the auth method is local only.
543
648
  """
544
649
  return pulumi.get(self, "local")
545
650
 
546
651
  @local.setter
547
- def local(self, value: Optional[pulumi.Input[bool]]):
652
+ def local(self, value: Optional[pulumi.Input[builtins.bool]]):
548
653
  pulumi.set(self, "local", value)
549
654
 
550
655
  @property
551
656
  @pulumi.getter
552
- def namespace(self) -> Optional[pulumi.Input[str]]:
657
+ def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
553
658
  """
554
659
  The namespace to provision the resource in.
555
660
  The value should not contain leading or trailing forward slashes.
@@ -559,48 +664,88 @@ class _AuthBackendState:
559
664
  return pulumi.get(self, "namespace")
560
665
 
561
666
  @namespace.setter
562
- def namespace(self, value: Optional[pulumi.Input[str]]):
667
+ def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
563
668
  pulumi.set(self, "namespace", value)
564
669
 
565
670
  @property
566
671
  @pulumi.getter
567
- def path(self) -> Optional[pulumi.Input[str]]:
672
+ def path(self) -> Optional[pulumi.Input[builtins.str]]:
568
673
  """
569
674
  The path to mount the auth method — this defaults to 'gcp'.
570
675
  """
571
676
  return pulumi.get(self, "path")
572
677
 
573
678
  @path.setter
574
- def path(self, value: Optional[pulumi.Input[str]]):
679
+ def path(self, value: Optional[pulumi.Input[builtins.str]]):
575
680
  pulumi.set(self, "path", value)
576
681
 
577
682
  @property
578
683
  @pulumi.getter(name="privateKeyId")
579
- def private_key_id(self) -> Optional[pulumi.Input[str]]:
684
+ def private_key_id(self) -> Optional[pulumi.Input[builtins.str]]:
580
685
  """
581
686
  The ID of the private key from the credentials
582
687
  """
583
688
  return pulumi.get(self, "private_key_id")
584
689
 
585
690
  @private_key_id.setter
586
- def private_key_id(self, value: Optional[pulumi.Input[str]]):
691
+ def private_key_id(self, value: Optional[pulumi.Input[builtins.str]]):
587
692
  pulumi.set(self, "private_key_id", value)
588
693
 
589
694
  @property
590
695
  @pulumi.getter(name="projectId")
591
- def project_id(self) -> Optional[pulumi.Input[str]]:
696
+ def project_id(self) -> Optional[pulumi.Input[builtins.str]]:
592
697
  """
593
698
  The GCP Project ID
594
699
  """
595
700
  return pulumi.get(self, "project_id")
596
701
 
597
702
  @project_id.setter
598
- def project_id(self, value: Optional[pulumi.Input[str]]):
703
+ def project_id(self, value: Optional[pulumi.Input[builtins.str]]):
599
704
  pulumi.set(self, "project_id", value)
600
705
 
706
+ @property
707
+ @pulumi.getter(name="rotationPeriod")
708
+ def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
709
+ """
710
+ The amount of time in seconds Vault should wait before rotating the root credential.
711
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
712
+ """
713
+ return pulumi.get(self, "rotation_period")
714
+
715
+ @rotation_period.setter
716
+ def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
717
+ pulumi.set(self, "rotation_period", value)
718
+
719
+ @property
720
+ @pulumi.getter(name="rotationSchedule")
721
+ def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
722
+ """
723
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
724
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
725
+ """
726
+ return pulumi.get(self, "rotation_schedule")
727
+
728
+ @rotation_schedule.setter
729
+ def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
730
+ pulumi.set(self, "rotation_schedule", value)
731
+
732
+ @property
733
+ @pulumi.getter(name="rotationWindow")
734
+ def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
735
+ """
736
+ The maximum amount of time in seconds allowed to complete
737
+ a rotation when a scheduled token rotation occurs. The default rotation window is
738
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
739
+ """
740
+ return pulumi.get(self, "rotation_window")
741
+
742
+ @rotation_window.setter
743
+ def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
744
+ pulumi.set(self, "rotation_window", value)
745
+
601
746
  @property
602
747
  @pulumi.getter(name="serviceAccountEmail")
603
- def service_account_email(self) -> Optional[pulumi.Input[str]]:
748
+ def service_account_email(self) -> Optional[pulumi.Input[builtins.str]]:
604
749
  """
605
750
  Service Account to impersonate for plugin workload identity federation.
606
751
  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
@@ -608,7 +753,7 @@ class _AuthBackendState:
608
753
  return pulumi.get(self, "service_account_email")
609
754
 
610
755
  @service_account_email.setter
611
- def service_account_email(self, value: Optional[pulumi.Input[str]]):
756
+ def service_account_email(self, value: Optional[pulumi.Input[builtins.str]]):
612
757
  pulumi.set(self, "service_account_email", value)
613
758
 
614
759
  @property
@@ -631,21 +776,25 @@ class AuthBackend(pulumi.CustomResource):
631
776
  def __init__(__self__,
632
777
  resource_name: str,
633
778
  opts: Optional[pulumi.ResourceOptions] = None,
634
- client_email: Optional[pulumi.Input[str]] = None,
635
- client_id: Optional[pulumi.Input[str]] = None,
636
- credentials: Optional[pulumi.Input[str]] = None,
779
+ client_email: Optional[pulumi.Input[builtins.str]] = None,
780
+ client_id: Optional[pulumi.Input[builtins.str]] = None,
781
+ credentials: Optional[pulumi.Input[builtins.str]] = None,
637
782
  custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
638
- description: Optional[pulumi.Input[str]] = None,
639
- disable_remount: Optional[pulumi.Input[bool]] = None,
640
- identity_token_audience: Optional[pulumi.Input[str]] = None,
641
- identity_token_key: Optional[pulumi.Input[str]] = None,
642
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
643
- local: Optional[pulumi.Input[bool]] = None,
644
- namespace: Optional[pulumi.Input[str]] = None,
645
- path: Optional[pulumi.Input[str]] = None,
646
- private_key_id: Optional[pulumi.Input[str]] = None,
647
- project_id: Optional[pulumi.Input[str]] = None,
648
- service_account_email: Optional[pulumi.Input[str]] = None,
783
+ description: Optional[pulumi.Input[builtins.str]] = None,
784
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
785
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
786
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
787
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
788
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
789
+ local: Optional[pulumi.Input[builtins.bool]] = None,
790
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
791
+ path: Optional[pulumi.Input[builtins.str]] = None,
792
+ private_key_id: Optional[pulumi.Input[builtins.str]] = None,
793
+ project_id: Optional[pulumi.Input[builtins.str]] = None,
794
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
795
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
796
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
797
+ service_account_email: Optional[pulumi.Input[builtins.str]] = None,
649
798
  tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
650
799
  __props__=None):
651
800
  """
@@ -662,7 +811,9 @@ class AuthBackend(pulumi.CustomResource):
662
811
  identity_token_key="example-key",
663
812
  identity_token_ttl=1800,
664
813
  identity_token_audience="<TOKEN_AUDIENCE>",
665
- service_account_email="<SERVICE_ACCOUNT_EMAIL>")
814
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>",
815
+ rotation_schedule="0 * * * SAT",
816
+ rotation_window=3600)
666
817
  ```
667
818
 
668
819
  ## Import
@@ -675,9 +826,9 @@ class AuthBackend(pulumi.CustomResource):
675
826
 
676
827
  :param str resource_name: The name of the resource.
677
828
  :param pulumi.ResourceOptions opts: Options for the resource.
678
- :param pulumi.Input[str] client_email: The clients email associated with the credentials
679
- :param pulumi.Input[str] client_id: The Client ID of the credentials
680
- :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
829
+ :param pulumi.Input[builtins.str] client_email: The clients email associated with the credentials
830
+ :param pulumi.Input[builtins.str] client_id: The Client ID of the credentials
831
+ :param pulumi.Input[builtins.str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
681
832
  :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
682
833
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
683
834
  used when making API requests. This allows specific requests made during authentication
@@ -685,24 +836,32 @@ class AuthBackend(pulumi.CustomResource):
685
836
  environments. Requires Vault 1.11+.
686
837
 
687
838
  Overrides are set at the subdomain level using the following keys:
688
- :param pulumi.Input[str] description: A description of the auth method.
689
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
839
+ :param pulumi.Input[builtins.str] description: A description of the auth method.
840
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
841
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
690
842
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
691
- :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
843
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
692
844
  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
693
845
  Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
694
- :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
846
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
695
847
  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
696
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
697
- :param pulumi.Input[bool] local: Specifies if the auth method is local only.
698
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
848
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
849
+ :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
850
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
699
851
  The value should not contain leading or trailing forward slashes.
700
852
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
701
853
  *Available only for Vault Enterprise*.
702
- :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
703
- :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
704
- :param pulumi.Input[str] project_id: The GCP Project ID
705
- :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
854
+ :param pulumi.Input[builtins.str] path: The path to mount the auth method — this defaults to 'gcp'.
855
+ :param pulumi.Input[builtins.str] private_key_id: The ID of the private key from the credentials
856
+ :param pulumi.Input[builtins.str] project_id: The GCP Project ID
857
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
858
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
859
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
860
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
861
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
862
+ a rotation when a scheduled token rotation occurs. The default rotation window is
863
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
864
+ :param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
706
865
  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
707
866
  :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
708
867
 
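Review bot: The new `rotation_schedule` and `rotation_window` text speaks of rotating "the root token" and a "scheduled token rotation", while `rotation_period` and `disable_automated_rotation` in the same docstring say "the root credential". In a Vault context "root token" reads as Vault's own root token, which is not what this mount's rotation settings describe. I would reword it to `defining the schedule on which Vault should rotate the root credential.` and `a rotation when a scheduled credential rotation occurs.` The docstring also does not say how the three settings relate, and `_internal_init` forwards all of them unchecked. As far as I know Vault treats `rotation_period` and `rotation_schedule` as alternatives and honours `rotation_window` only with a schedule, so it is worth confirming that and stating it here. The same wording recurs in the `get()` docstring hunk and in the new property getters.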
@@ -728,7 +887,9 @@ class AuthBackend(pulumi.CustomResource):
728
887
  identity_token_key="example-key",
729
888
  identity_token_ttl=1800,
730
889
  identity_token_audience="<TOKEN_AUDIENCE>",
731
- service_account_email="<SERVICE_ACCOUNT_EMAIL>")
890
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>",
891
+ rotation_schedule="0 * * * SAT",
892
+ rotation_window=3600)
732
893
  ```
733
894
 
734
895
  ## Import
@@ -754,21 +915,25 @@ class AuthBackend(pulumi.CustomResource):
754
915
  def _internal_init(__self__,
755
916
  resource_name: str,
756
917
  opts: Optional[pulumi.ResourceOptions] = None,
757
- client_email: Optional[pulumi.Input[str]] = None,
758
- client_id: Optional[pulumi.Input[str]] = None,
759
- credentials: Optional[pulumi.Input[str]] = None,
918
+ client_email: Optional[pulumi.Input[builtins.str]] = None,
919
+ client_id: Optional[pulumi.Input[builtins.str]] = None,
920
+ credentials: Optional[pulumi.Input[builtins.str]] = None,
760
921
  custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
761
- description: Optional[pulumi.Input[str]] = None,
762
- disable_remount: Optional[pulumi.Input[bool]] = None,
763
- identity_token_audience: Optional[pulumi.Input[str]] = None,
764
- identity_token_key: Optional[pulumi.Input[str]] = None,
765
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
766
- local: Optional[pulumi.Input[bool]] = None,
767
- namespace: Optional[pulumi.Input[str]] = None,
768
- path: Optional[pulumi.Input[str]] = None,
769
- private_key_id: Optional[pulumi.Input[str]] = None,
770
- project_id: Optional[pulumi.Input[str]] = None,
771
- service_account_email: Optional[pulumi.Input[str]] = None,
922
+ description: Optional[pulumi.Input[builtins.str]] = None,
923
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
924
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
925
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
926
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
927
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
928
+ local: Optional[pulumi.Input[builtins.bool]] = None,
929
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
930
+ path: Optional[pulumi.Input[builtins.str]] = None,
931
+ private_key_id: Optional[pulumi.Input[builtins.str]] = None,
932
+ project_id: Optional[pulumi.Input[builtins.str]] = None,
933
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
934
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
935
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
936
+ service_account_email: Optional[pulumi.Input[builtins.str]] = None,
772
937
  tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
773
938
  __props__=None):
774
939
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
@@ -784,6 +949,7 @@ class AuthBackend(pulumi.CustomResource):
784
949
  __props__.__dict__["credentials"] = None if credentials is None else pulumi.Output.secret(credentials)
785
950
  __props__.__dict__["custom_endpoint"] = custom_endpoint
786
951
  __props__.__dict__["description"] = description
952
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
787
953
  __props__.__dict__["disable_remount"] = disable_remount
788
954
  __props__.__dict__["identity_token_audience"] = identity_token_audience
789
955
  __props__.__dict__["identity_token_key"] = identity_token_key
@@ -793,6 +959,9 @@ class AuthBackend(pulumi.CustomResource):
793
959
  __props__.__dict__["path"] = path
794
960
  __props__.__dict__["private_key_id"] = private_key_id
795
961
  __props__.__dict__["project_id"] = project_id
962
+ __props__.__dict__["rotation_period"] = rotation_period
963
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
964
+ __props__.__dict__["rotation_window"] = rotation_window
796
965
  __props__.__dict__["service_account_email"] = service_account_email
797
966
  __props__.__dict__["tune"] = tune
798
967
  __props__.__dict__["accessor"] = None
@@ -808,22 +977,26 @@ class AuthBackend(pulumi.CustomResource):
808
977
  def get(resource_name: str,
809
978
  id: pulumi.Input[str],
810
979
  opts: Optional[pulumi.ResourceOptions] = None,
811
- accessor: Optional[pulumi.Input[str]] = None,
812
- client_email: Optional[pulumi.Input[str]] = None,
813
- client_id: Optional[pulumi.Input[str]] = None,
814
- credentials: Optional[pulumi.Input[str]] = None,
980
+ accessor: Optional[pulumi.Input[builtins.str]] = None,
981
+ client_email: Optional[pulumi.Input[builtins.str]] = None,
982
+ client_id: Optional[pulumi.Input[builtins.str]] = None,
983
+ credentials: Optional[pulumi.Input[builtins.str]] = None,
815
984
  custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
816
- description: Optional[pulumi.Input[str]] = None,
817
- disable_remount: Optional[pulumi.Input[bool]] = None,
818
- identity_token_audience: Optional[pulumi.Input[str]] = None,
819
- identity_token_key: Optional[pulumi.Input[str]] = None,
820
- identity_token_ttl: Optional[pulumi.Input[int]] = None,
821
- local: Optional[pulumi.Input[bool]] = None,
822
- namespace: Optional[pulumi.Input[str]] = None,
823
- path: Optional[pulumi.Input[str]] = None,
824
- private_key_id: Optional[pulumi.Input[str]] = None,
825
- project_id: Optional[pulumi.Input[str]] = None,
826
- service_account_email: Optional[pulumi.Input[str]] = None,
985
+ description: Optional[pulumi.Input[builtins.str]] = None,
986
+ disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
987
+ disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
988
+ identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
989
+ identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
990
+ identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
991
+ local: Optional[pulumi.Input[builtins.bool]] = None,
992
+ namespace: Optional[pulumi.Input[builtins.str]] = None,
993
+ path: Optional[pulumi.Input[builtins.str]] = None,
994
+ private_key_id: Optional[pulumi.Input[builtins.str]] = None,
995
+ project_id: Optional[pulumi.Input[builtins.str]] = None,
996
+ rotation_period: Optional[pulumi.Input[builtins.int]] = None,
997
+ rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
998
+ rotation_window: Optional[pulumi.Input[builtins.int]] = None,
999
+ service_account_email: Optional[pulumi.Input[builtins.str]] = None,
827
1000
  tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None) -> 'AuthBackend':
828
1001
  """
829
1002
  Get an existing AuthBackend resource's state with the given name, id, and optional extra
@@ -832,10 +1005,10 @@ class AuthBackend(pulumi.CustomResource):
832
1005
  :param str resource_name: The unique name of the resulting resource.
833
1006
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
834
1007
  :param pulumi.ResourceOptions opts: Options for the resource.
835
- :param pulumi.Input[str] accessor: The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
836
- :param pulumi.Input[str] client_email: The clients email associated with the credentials
837
- :param pulumi.Input[str] client_id: The Client ID of the credentials
838
- :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
1008
+ :param pulumi.Input[builtins.str] accessor: The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
1009
+ :param pulumi.Input[builtins.str] client_email: The clients email associated with the credentials
1010
+ :param pulumi.Input[builtins.str] client_id: The Client ID of the credentials
1011
+ :param pulumi.Input[builtins.str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
839
1012
  :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
840
1013
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
841
1014
  used when making API requests. This allows specific requests made during authentication
@@ -843,24 +1016,32 @@ class AuthBackend(pulumi.CustomResource):
843
1016
  environments. Requires Vault 1.11+.
844
1017
 
845
1018
  Overrides are set at the subdomain level using the following keys:
846
- :param pulumi.Input[str] description: A description of the auth method.
847
- :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
1019
+ :param pulumi.Input[builtins.str] description: A description of the auth method.
1020
+ :param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1021
+ :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
848
1022
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
849
- :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
1023
+ :param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
850
1024
  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
851
1025
  Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
852
- :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
1026
+ :param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
853
1027
  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
854
- :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
855
- :param pulumi.Input[bool] local: Specifies if the auth method is local only.
856
- :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1028
+ :param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
1029
+ :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
1030
+ :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
857
1031
  The value should not contain leading or trailing forward slashes.
858
1032
  The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
859
1033
  *Available only for Vault Enterprise*.
860
- :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
861
- :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
862
- :param pulumi.Input[str] project_id: The GCP Project ID
863
- :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
1034
+ :param pulumi.Input[builtins.str] path: The path to mount the auth method — this defaults to 'gcp'.
1035
+ :param pulumi.Input[builtins.str] private_key_id: The ID of the private key from the credentials
1036
+ :param pulumi.Input[builtins.str] project_id: The GCP Project ID
1037
+ :param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
1038
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1039
+ :param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1040
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1041
+ :param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
1042
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1043
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1044
+ :param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
864
1045
  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
865
1046
  :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
866
1047
 
@@ -876,6 +1057,7 @@ class AuthBackend(pulumi.CustomResource):
876
1057
  __props__.__dict__["credentials"] = credentials
877
1058
  __props__.__dict__["custom_endpoint"] = custom_endpoint
878
1059
  __props__.__dict__["description"] = description
1060
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
879
1061
  __props__.__dict__["disable_remount"] = disable_remount
880
1062
  __props__.__dict__["identity_token_audience"] = identity_token_audience
881
1063
  __props__.__dict__["identity_token_key"] = identity_token_key
@@ -885,13 +1067,16 @@ class AuthBackend(pulumi.CustomResource):
885
1067
  __props__.__dict__["path"] = path
886
1068
  __props__.__dict__["private_key_id"] = private_key_id
887
1069
  __props__.__dict__["project_id"] = project_id
1070
+ __props__.__dict__["rotation_period"] = rotation_period
1071
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1072
+ __props__.__dict__["rotation_window"] = rotation_window
888
1073
  __props__.__dict__["service_account_email"] = service_account_email
889
1074
  __props__.__dict__["tune"] = tune
890
1075
  return AuthBackend(resource_name, opts=opts, __props__=__props__)
891
1076
 
892
1077
  @property
893
1078
  @pulumi.getter
894
- def accessor(self) -> pulumi.Output[str]:
1079
+ def accessor(self) -> pulumi.Output[builtins.str]:
895
1080
  """
896
1081
  The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
897
1082
  """
@@ -899,7 +1084,7 @@ class AuthBackend(pulumi.CustomResource):
899
1084
 
900
1085
  @property
901
1086
  @pulumi.getter(name="clientEmail")
902
- def client_email(self) -> pulumi.Output[str]:
1087
+ def client_email(self) -> pulumi.Output[builtins.str]:
903
1088
  """
904
1089
  The clients email associated with the credentials
905
1090
  """
@@ -907,7 +1092,7 @@ class AuthBackend(pulumi.CustomResource):
907
1092
 
908
1093
  @property
909
1094
  @pulumi.getter(name="clientId")
910
- def client_id(self) -> pulumi.Output[str]:
1095
+ def client_id(self) -> pulumi.Output[builtins.str]:
911
1096
  """
912
1097
  The Client ID of the credentials
913
1098
  """
@@ -915,7 +1100,7 @@ class AuthBackend(pulumi.CustomResource):
915
1100
 
916
1101
  @property
917
1102
  @pulumi.getter
918
- def credentials(self) -> pulumi.Output[Optional[str]]:
1103
+ def credentials(self) -> pulumi.Output[Optional[builtins.str]]:
919
1104
  """
920
1105
  A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
921
1106
  """
@@ -937,15 +1122,23 @@ class AuthBackend(pulumi.CustomResource):
937
1122
 
938
1123
  @property
939
1124
  @pulumi.getter
940
- def description(self) -> pulumi.Output[Optional[str]]:
1125
+ def description(self) -> pulumi.Output[Optional[builtins.str]]:
941
1126
  """
942
1127
  A description of the auth method.
943
1128
  """
944
1129
  return pulumi.get(self, "description")
945
1130
 
1131
+ @property
1132
+ @pulumi.getter(name="disableAutomatedRotation")
1133
+ def disable_automated_rotation(self) -> pulumi.Output[Optional[builtins.bool]]:
1134
+ """
1135
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1136
+ """
1137
+ return pulumi.get(self, "disable_automated_rotation")
1138
+
946
1139
  @property
947
1140
  @pulumi.getter(name="disableRemount")
948
- def disable_remount(self) -> pulumi.Output[Optional[bool]]:
1141
+ def disable_remount(self) -> pulumi.Output[Optional[builtins.bool]]:
949
1142
  """
950
1143
  If set, opts out of mount migration on path updates.
951
1144
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
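Review bot: The docstring on the new `disable_automated_rotation` getter says rotations are cancelled "until unset" but does not say what unset means for an `Optional[bool]` value. Presumably it means setting the flag back to false, but a reader could equally take it to mean removing the argument. While the flag is true the root credential keeps its current value indefinitely, which is the part an operator reviewing this setting needs to see. I would extend the docstring with something like `While true, the root credential is not rotated; set to false to resume the configured rotation.`, once the resume behaviour is confirmed against the Vault documentation.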
@@ -954,7 +1147,7 @@ class AuthBackend(pulumi.CustomResource):
954
1147
 
955
1148
  @property
956
1149
  @pulumi.getter(name="identityTokenAudience")
957
- def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
1150
+ def identity_token_audience(self) -> pulumi.Output[Optional[builtins.str]]:
958
1151
  """
959
1152
  The audience claim value for plugin identity
960
1153
  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
@@ -964,7 +1157,7 @@ class AuthBackend(pulumi.CustomResource):
964
1157
 
965
1158
  @property
966
1159
  @pulumi.getter(name="identityTokenKey")
967
- def identity_token_key(self) -> pulumi.Output[Optional[str]]:
1160
+ def identity_token_key(self) -> pulumi.Output[Optional[builtins.str]]:
968
1161
  """
969
1162
  The key to use for signing plugin identity
970
1163
  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
@@ -973,7 +1166,7 @@ class AuthBackend(pulumi.CustomResource):
973
1166
 
974
1167
  @property
975
1168
  @pulumi.getter(name="identityTokenTtl")
976
- def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
1169
+ def identity_token_ttl(self) -> pulumi.Output[Optional[builtins.int]]:
977
1170
  """
978
1171
  The TTL of generated tokens.
979
1172
  """
@@ -981,7 +1174,7 @@ class AuthBackend(pulumi.CustomResource):
981
1174
 
982
1175
  @property
983
1176
  @pulumi.getter
984
- def local(self) -> pulumi.Output[Optional[bool]]:
1177
+ def local(self) -> pulumi.Output[Optional[builtins.bool]]:
985
1178
  """
986
1179
  Specifies if the auth method is local only.
987
1180
  """
@@ -989,7 +1182,7 @@ class AuthBackend(pulumi.CustomResource):
989
1182
 
990
1183
  @property
991
1184
  @pulumi.getter
992
- def namespace(self) -> pulumi.Output[Optional[str]]:
1185
+ def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
993
1186
  """
994
1187
  The namespace to provision the resource in.
995
1188
  The value should not contain leading or trailing forward slashes.
@@ -1000,7 +1193,7 @@ class AuthBackend(pulumi.CustomResource):
1000
1193
 
1001
1194
  @property
1002
1195
  @pulumi.getter
1003
- def path(self) -> pulumi.Output[Optional[str]]:
1196
+ def path(self) -> pulumi.Output[Optional[builtins.str]]:
1004
1197
  """
1005
1198
  The path to mount the auth method — this defaults to 'gcp'.
1006
1199
  """
@@ -1008,7 +1201,7 @@ class AuthBackend(pulumi.CustomResource):
1008
1201
 
1009
1202
  @property
1010
1203
  @pulumi.getter(name="privateKeyId")
1011
- def private_key_id(self) -> pulumi.Output[str]:
1204
+ def private_key_id(self) -> pulumi.Output[builtins.str]:
1012
1205
  """
1013
1206
  The ID of the private key from the credentials
1014
1207
  """
@@ -1016,15 +1209,43 @@ class AuthBackend(pulumi.CustomResource):
1016
1209
 
1017
1210
  @property
1018
1211
  @pulumi.getter(name="projectId")
1019
- def project_id(self) -> pulumi.Output[str]:
1212
+ def project_id(self) -> pulumi.Output[builtins.str]:
1020
1213
  """
1021
1214
  The GCP Project ID
1022
1215
  """
1023
1216
  return pulumi.get(self, "project_id")
1024
1217
 
1218
+ @property
1219
+ @pulumi.getter(name="rotationPeriod")
1220
+ def rotation_period(self) -> pulumi.Output[Optional[builtins.int]]:
1221
+ """
1222
+ The amount of time in seconds Vault should wait before rotating the root credential.
1223
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1224
+ """
1225
+ return pulumi.get(self, "rotation_period")
1226
+
1227
+ @property
1228
+ @pulumi.getter(name="rotationSchedule")
1229
+ def rotation_schedule(self) -> pulumi.Output[Optional[builtins.str]]:
1230
+ """
1231
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1232
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1233
+ """
1234
+ return pulumi.get(self, "rotation_schedule")
1235
+
1236
+ @property
1237
+ @pulumi.getter(name="rotationWindow")
1238
+ def rotation_window(self) -> pulumi.Output[Optional[builtins.int]]:
1239
+ """
1240
+ The maximum amount of time in seconds allowed to complete
1241
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1242
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1243
+ """
1244
+ return pulumi.get(self, "rotation_window")
1245
+
1025
1246
  @property
1026
1247
  @pulumi.getter(name="serviceAccountEmail")
1027
- def service_account_email(self) -> pulumi.Output[Optional[str]]:
1248
+ def service_account_email(self) -> pulumi.Output[Optional[builtins.str]]:
1028
1249
  """
1029
1250
  Service Account to impersonate for plugin workload identity federation.
1030
1251
  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.