pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0__py3-none-any.whl
- pulumi_vault/__init__.py +9 -0
- pulumi_vault/_inputs.py +583 -562
- pulumi_vault/ad/__init__.py +1 -0
- pulumi_vault/ad/get_access_credentials.py +20 -19
- pulumi_vault/ad/secret_backend.py +477 -476
- pulumi_vault/ad/secret_library.py +99 -98
- pulumi_vault/ad/secret_role.py +85 -84
- pulumi_vault/alicloud/__init__.py +1 -0
- pulumi_vault/alicloud/auth_backend_role.py +183 -182
- pulumi_vault/approle/__init__.py +1 -0
- pulumi_vault/approle/auth_backend_login.py +106 -105
- pulumi_vault/approle/auth_backend_role.py +239 -238
- pulumi_vault/approle/auth_backend_role_secret_id.py +162 -161
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -17
- pulumi_vault/audit.py +85 -84
- pulumi_vault/audit_request_header.py +43 -42
- pulumi_vault/auth_backend.py +106 -105
- pulumi_vault/aws/__init__.py +1 -0
- pulumi_vault/aws/auth_backend_cert.py +71 -70
- pulumi_vault/aws/auth_backend_client.py +425 -200
- pulumi_vault/aws/auth_backend_config_identity.py +85 -84
- pulumi_vault/aws/auth_backend_identity_whitelist.py +57 -56
- pulumi_vault/aws/auth_backend_login.py +209 -208
- pulumi_vault/aws/auth_backend_role.py +400 -399
- pulumi_vault/aws/auth_backend_role_tag.py +127 -126
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +57 -56
- pulumi_vault/aws/auth_backend_sts_role.py +71 -70
- pulumi_vault/aws/get_access_credentials.py +44 -43
- pulumi_vault/aws/get_static_access_credentials.py +13 -12
- pulumi_vault/aws/secret_backend.py +523 -306
- pulumi_vault/aws/secret_backend_role.py +211 -210
- pulumi_vault/aws/secret_backend_static_role.py +288 -70
- pulumi_vault/azure/__init__.py +1 -0
- pulumi_vault/azure/_inputs.py +21 -20
- pulumi_vault/azure/auth_backend_config.py +383 -130
- pulumi_vault/azure/auth_backend_role.py +253 -252
- pulumi_vault/azure/backend.py +432 -186
- pulumi_vault/azure/backend_role.py +188 -140
- pulumi_vault/azure/get_access_credentials.py +58 -57
- pulumi_vault/azure/outputs.py +11 -10
- pulumi_vault/cert_auth_backend_role.py +365 -364
- pulumi_vault/config/__init__.py +1 -0
- pulumi_vault/config/__init__.pyi +1 -0
- pulumi_vault/config/_inputs.py +11 -10
- pulumi_vault/config/outputs.py +287 -286
- pulumi_vault/config/ui_custom_message.py +113 -112
- pulumi_vault/config/vars.py +1 -0
- pulumi_vault/consul/__init__.py +1 -0
- pulumi_vault/consul/secret_backend.py +197 -196
- pulumi_vault/consul/secret_backend_role.py +183 -182
- pulumi_vault/database/__init__.py +1 -0
- pulumi_vault/database/_inputs.py +3857 -2200
- pulumi_vault/database/outputs.py +2483 -1330
- pulumi_vault/database/secret_backend_connection.py +333 -112
- pulumi_vault/database/secret_backend_role.py +169 -168
- pulumi_vault/database/secret_backend_static_role.py +283 -140
- pulumi_vault/database/secrets_mount.py +275 -266
- pulumi_vault/egp_policy.py +71 -70
- pulumi_vault/gcp/__init__.py +1 -0
- pulumi_vault/gcp/_inputs.py +82 -81
- pulumi_vault/gcp/auth_backend.py +426 -205
- pulumi_vault/gcp/auth_backend_role.py +281 -280
- pulumi_vault/gcp/get_auth_backend_role.py +70 -69
- pulumi_vault/gcp/outputs.py +50 -49
- pulumi_vault/gcp/secret_backend.py +420 -179
- pulumi_vault/gcp/secret_impersonated_account.py +92 -91
- pulumi_vault/gcp/secret_roleset.py +92 -91
- pulumi_vault/gcp/secret_static_account.py +92 -91
- pulumi_vault/generic/__init__.py +1 -0
- pulumi_vault/generic/endpoint.py +113 -112
- pulumi_vault/generic/get_secret.py +28 -27
- pulumi_vault/generic/secret.py +78 -77
- pulumi_vault/get_auth_backend.py +19 -18
- pulumi_vault/get_auth_backends.py +14 -13
- pulumi_vault/get_namespace.py +15 -14
- pulumi_vault/get_namespaces.py +68 -18
- pulumi_vault/get_nomad_access_token.py +19 -18
- pulumi_vault/get_policy_document.py +6 -5
- pulumi_vault/get_raft_autopilot_state.py +18 -17
- pulumi_vault/github/__init__.py +1 -0
- pulumi_vault/github/_inputs.py +42 -41
- pulumi_vault/github/auth_backend.py +232 -231
- pulumi_vault/github/outputs.py +26 -25
- pulumi_vault/github/team.py +57 -56
- pulumi_vault/github/user.py +57 -56
- pulumi_vault/identity/__init__.py +1 -0
- pulumi_vault/identity/entity.py +85 -84
- pulumi_vault/identity/entity_alias.py +71 -70
- pulumi_vault/identity/entity_policies.py +64 -63
- pulumi_vault/identity/get_entity.py +43 -42
- pulumi_vault/identity/get_group.py +50 -49
- pulumi_vault/identity/get_oidc_client_creds.py +14 -13
- pulumi_vault/identity/get_oidc_openid_config.py +24 -23
- pulumi_vault/identity/get_oidc_public_keys.py +13 -12
- pulumi_vault/identity/group.py +141 -140
- pulumi_vault/identity/group_alias.py +57 -56
- pulumi_vault/identity/group_member_entity_ids.py +57 -56
- pulumi_vault/identity/group_member_group_ids.py +57 -56
- pulumi_vault/identity/group_policies.py +64 -63
- pulumi_vault/identity/mfa_duo.py +148 -147
- pulumi_vault/identity/mfa_login_enforcement.py +120 -119
- pulumi_vault/identity/mfa_okta.py +134 -133
- pulumi_vault/identity/mfa_pingid.py +127 -126
- pulumi_vault/identity/mfa_totp.py +176 -175
- pulumi_vault/identity/oidc.py +29 -28
- pulumi_vault/identity/oidc_assignment.py +57 -56
- pulumi_vault/identity/oidc_client.py +127 -126
- pulumi_vault/identity/oidc_key.py +85 -84
- pulumi_vault/identity/oidc_key_allowed_client_id.py +43 -42
- pulumi_vault/identity/oidc_provider.py +92 -91
- pulumi_vault/identity/oidc_role.py +85 -84
- pulumi_vault/identity/oidc_scope.py +57 -56
- pulumi_vault/identity/outputs.py +32 -31
- pulumi_vault/jwt/__init__.py +1 -0
- pulumi_vault/jwt/_inputs.py +42 -41
- pulumi_vault/jwt/auth_backend.py +288 -287
- pulumi_vault/jwt/auth_backend_role.py +407 -406
- pulumi_vault/jwt/outputs.py +26 -25
- pulumi_vault/kmip/__init__.py +1 -0
- pulumi_vault/kmip/secret_backend.py +183 -182
- pulumi_vault/kmip/secret_role.py +295 -294
- pulumi_vault/kmip/secret_scope.py +57 -56
- pulumi_vault/kubernetes/__init__.py +1 -0
- pulumi_vault/kubernetes/auth_backend_config.py +141 -140
- pulumi_vault/kubernetes/auth_backend_role.py +225 -224
- pulumi_vault/kubernetes/get_auth_backend_config.py +47 -46
- pulumi_vault/kubernetes/get_auth_backend_role.py +70 -69
- pulumi_vault/kubernetes/get_service_account_token.py +38 -37
- pulumi_vault/kubernetes/secret_backend.py +316 -315
- pulumi_vault/kubernetes/secret_backend_role.py +197 -196
- pulumi_vault/kv/__init__.py +1 -0
- pulumi_vault/kv/_inputs.py +21 -20
- pulumi_vault/kv/get_secret.py +17 -16
- pulumi_vault/kv/get_secret_subkeys_v2.py +30 -29
- pulumi_vault/kv/get_secret_v2.py +29 -28
- pulumi_vault/kv/get_secrets_list.py +13 -12
- pulumi_vault/kv/get_secrets_list_v2.py +19 -18
- pulumi_vault/kv/outputs.py +13 -12
- pulumi_vault/kv/secret.py +50 -49
- pulumi_vault/kv/secret_backend_v2.py +71 -70
- pulumi_vault/kv/secret_v2.py +134 -133
- pulumi_vault/ldap/__init__.py +1 -0
- pulumi_vault/ldap/auth_backend.py +754 -533
- pulumi_vault/ldap/auth_backend_group.py +57 -56
- pulumi_vault/ldap/auth_backend_user.py +71 -70
- pulumi_vault/ldap/get_dynamic_credentials.py +17 -16
- pulumi_vault/ldap/get_static_credentials.py +18 -17
- pulumi_vault/ldap/secret_backend.py +720 -499
- pulumi_vault/ldap/secret_backend_dynamic_role.py +127 -126
- pulumi_vault/ldap/secret_backend_library_set.py +99 -98
- pulumi_vault/ldap/secret_backend_static_role.py +99 -98
- pulumi_vault/managed/__init__.py +1 -0
- pulumi_vault/managed/_inputs.py +229 -228
- pulumi_vault/managed/keys.py +15 -14
- pulumi_vault/managed/outputs.py +139 -138
- pulumi_vault/mfa_duo.py +113 -112
- pulumi_vault/mfa_okta.py +113 -112
- pulumi_vault/mfa_pingid.py +120 -119
- pulumi_vault/mfa_totp.py +127 -126
- pulumi_vault/mongodbatlas/__init__.py +1 -0
- pulumi_vault/mongodbatlas/secret_backend.py +64 -63
- pulumi_vault/mongodbatlas/secret_role.py +155 -154
- pulumi_vault/mount.py +274 -273
- pulumi_vault/namespace.py +64 -63
- pulumi_vault/nomad_secret_backend.py +211 -210
- pulumi_vault/nomad_secret_role.py +85 -84
- pulumi_vault/okta/__init__.py +1 -0
- pulumi_vault/okta/_inputs.py +26 -25
- pulumi_vault/okta/auth_backend.py +274 -273
- pulumi_vault/okta/auth_backend_group.py +57 -56
- pulumi_vault/okta/auth_backend_user.py +71 -70
- pulumi_vault/okta/outputs.py +16 -15
- pulumi_vault/outputs.py +73 -60
- pulumi_vault/password_policy.py +43 -42
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +31 -36
- pulumi_vault/pkisecret/backend_acme_eab.py +92 -91
- pulumi_vault/pkisecret/backend_config_acme.py +174 -126
- pulumi_vault/pkisecret/backend_config_auto_tidy.py +1377 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +57 -56
- pulumi_vault/pkisecret/backend_config_cmpv2.py +152 -104
- pulumi_vault/pkisecret/backend_config_est.py +120 -119
- pulumi_vault/pkisecret/get_backend_cert_metadata.py +278 -0
- pulumi_vault/pkisecret/get_backend_config_cmpv2.py +35 -17
- pulumi_vault/pkisecret/get_backend_config_est.py +19 -18
- pulumi_vault/pkisecret/get_backend_issuer.py +139 -25
- pulumi_vault/pkisecret/get_backend_issuers.py +15 -14
- pulumi_vault/pkisecret/get_backend_key.py +20 -19
- pulumi_vault/pkisecret/get_backend_keys.py +15 -14
- pulumi_vault/pkisecret/outputs.py +28 -31
- pulumi_vault/pkisecret/secret_backend_cert.py +439 -297
- pulumi_vault/pkisecret/secret_backend_config_ca.py +43 -42
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +57 -56
- pulumi_vault/pkisecret/secret_backend_config_urls.py +85 -84
- pulumi_vault/pkisecret/secret_backend_crl_config.py +237 -182
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +520 -378
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +57 -56
- pulumi_vault/pkisecret/secret_backend_issuer.py +441 -175
- pulumi_vault/pkisecret/secret_backend_key.py +120 -119
- pulumi_vault/pkisecret/secret_backend_role.py +894 -644
- pulumi_vault/pkisecret/secret_backend_root_cert.py +851 -427
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +936 -357
- pulumi_vault/pkisecret/secret_backend_sign.py +347 -252
- pulumi_vault/plugin.py +127 -126
- pulumi_vault/plugin_pinned_version.py +43 -42
- pulumi_vault/policy.py +43 -42
- pulumi_vault/provider.py +120 -119
- pulumi_vault/pulumi-plugin.json +1 -1
- pulumi_vault/quota_lease_count.py +85 -84
- pulumi_vault/quota_rate_limit.py +113 -112
- pulumi_vault/rabbitmq/__init__.py +1 -0
- pulumi_vault/rabbitmq/_inputs.py +41 -40
- pulumi_vault/rabbitmq/outputs.py +25 -24
- pulumi_vault/rabbitmq/secret_backend.py +169 -168
- pulumi_vault/rabbitmq/secret_backend_role.py +57 -56
- pulumi_vault/raft_autopilot.py +113 -112
- pulumi_vault/raft_snapshot_agent_config.py +393 -392
- pulumi_vault/rgp_policy.py +57 -56
- pulumi_vault/saml/__init__.py +1 -0
- pulumi_vault/saml/auth_backend.py +155 -154
- pulumi_vault/saml/auth_backend_role.py +239 -238
- pulumi_vault/secrets/__init__.py +1 -0
- pulumi_vault/secrets/_inputs.py +16 -15
- pulumi_vault/secrets/outputs.py +10 -9
- pulumi_vault/secrets/sync_association.py +71 -70
- pulumi_vault/secrets/sync_aws_destination.py +148 -147
- pulumi_vault/secrets/sync_azure_destination.py +148 -147
- pulumi_vault/secrets/sync_config.py +43 -42
- pulumi_vault/secrets/sync_gcp_destination.py +106 -105
- pulumi_vault/secrets/sync_gh_destination.py +134 -133
- pulumi_vault/secrets/sync_github_apps.py +64 -63
- pulumi_vault/secrets/sync_vercel_destination.py +120 -119
- pulumi_vault/ssh/__init__.py +2 -0
- pulumi_vault/ssh/_inputs.py +11 -10
- pulumi_vault/ssh/get_secret_backend_sign.py +295 -0
- pulumi_vault/ssh/outputs.py +7 -6
- pulumi_vault/ssh/secret_backend_ca.py +99 -98
- pulumi_vault/ssh/secret_backend_role.py +365 -364
- pulumi_vault/terraformcloud/__init__.py +1 -0
- pulumi_vault/terraformcloud/secret_backend.py +111 -110
- pulumi_vault/terraformcloud/secret_creds.py +74 -73
- pulumi_vault/terraformcloud/secret_role.py +96 -95
- pulumi_vault/token.py +246 -245
- pulumi_vault/tokenauth/__init__.py +1 -0
- pulumi_vault/tokenauth/auth_backend_role.py +267 -266
- pulumi_vault/transform/__init__.py +1 -0
- pulumi_vault/transform/alphabet.py +57 -56
- pulumi_vault/transform/get_decode.py +47 -46
- pulumi_vault/transform/get_encode.py +47 -46
- pulumi_vault/transform/role.py +57 -56
- pulumi_vault/transform/template.py +113 -112
- pulumi_vault/transform/transformation.py +141 -140
- pulumi_vault/transit/__init__.py +3 -0
- pulumi_vault/transit/get_decrypt.py +18 -17
- pulumi_vault/transit/get_encrypt.py +21 -20
- pulumi_vault/transit/get_sign.py +325 -0
- pulumi_vault/transit/get_verify.py +355 -0
- pulumi_vault/transit/secret_backend_key.py +394 -231
- pulumi_vault/transit/secret_cache_config.py +43 -42
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/METADATA +2 -2
- pulumi_vault-6.7.0.dist-info/RECORD +265 -0
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/WHEEL +1 -1
- pulumi_vault-6.6.0a1741415971.dist-info/RECORD +0 -260
- {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0.dist-info}/top_level.txt +0 -0
@@ -2,6 +2,7 @@
|
|
2
2
|
# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
|
3
3
|
# *** Do not edit by hand unless you're certain you know what you are doing! ***
|
4
4
|
|
5
|
+
import builtins
|
5
6
|
import copy
|
6
7
|
import warnings
|
7
8
|
import sys
|
@@ -19,42 +20,56 @@ __all__ = ['SecretBackendArgs', 'SecretBackend']
|
|
19
20
|
@pulumi.input_type
|
20
21
|
class SecretBackendArgs:
|
21
22
|
def __init__(__self__, *,
|
22
|
-
credentials: Optional[pulumi.Input[str]] = None,
|
23
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
24
|
-
description: Optional[pulumi.Input[str]] = None,
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
23
|
+
credentials: Optional[pulumi.Input[builtins.str]] = None,
|
24
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
25
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
26
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
27
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
28
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
29
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
30
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
31
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
32
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
33
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
34
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
35
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
36
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
37
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
38
|
+
service_account_email: Optional[pulumi.Input[builtins.str]] = None):
|
34
39
|
"""
|
35
40
|
The set of arguments for constructing a SecretBackend resource.
|
36
|
-
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
37
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
41
|
+
:param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
|
42
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
38
43
|
issued by this backend. Defaults to '0'.
|
39
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
40
|
-
:param pulumi.Input[bool]
|
44
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
45
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
46
|
+
*Available only for Vault Enterprise*.
|
47
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
41
48
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
42
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
49
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
|
43
50
|
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
44
51
|
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
45
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
52
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
|
46
53
|
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
47
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
48
|
-
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
49
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
54
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
|
55
|
+
:param pulumi.Input[builtins.bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
56
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
50
57
|
for credentials issued by this backend. Defaults to '0'.
|
51
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
58
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
52
59
|
The value should not contain leading or trailing forward slashes.
|
53
60
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
54
61
|
*Available only for Vault Enterprise*.
|
55
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
62
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
56
63
|
not begin or end with a `/`. Defaults to `gcp`.
|
57
|
-
:param pulumi.Input[
|
64
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
65
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
66
|
+
*Available only for Vault Enterprise*.
|
67
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
68
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
69
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
70
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
71
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
72
|
+
:param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
58
73
|
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
59
74
|
"""
|
60
75
|
if credentials is not None:
|
@@ -63,6 +78,8 @@ class SecretBackendArgs:
|
|
63
78
|
pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
|
64
79
|
if description is not None:
|
65
80
|
pulumi.set(__self__, "description", description)
|
81
|
+
if disable_automated_rotation is not None:
|
82
|
+
pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
|
66
83
|
if disable_remount is not None:
|
67
84
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
68
85
|
if identity_token_audience is not None:
|
@@ -79,24 +96,30 @@ class SecretBackendArgs:
|
|
79
96
|
pulumi.set(__self__, "namespace", namespace)
|
80
97
|
if path is not None:
|
81
98
|
pulumi.set(__self__, "path", path)
|
99
|
+
if rotation_period is not None:
|
100
|
+
pulumi.set(__self__, "rotation_period", rotation_period)
|
101
|
+
if rotation_schedule is not None:
|
102
|
+
pulumi.set(__self__, "rotation_schedule", rotation_schedule)
|
103
|
+
if rotation_window is not None:
|
104
|
+
pulumi.set(__self__, "rotation_window", rotation_window)
|
82
105
|
if service_account_email is not None:
|
83
106
|
pulumi.set(__self__, "service_account_email", service_account_email)
|
84
107
|
|
85
108
|
@property
|
86
109
|
@pulumi.getter
|
87
|
-
def credentials(self) -> Optional[pulumi.Input[str]]:
|
110
|
+
def credentials(self) -> Optional[pulumi.Input[builtins.str]]:
|
88
111
|
"""
|
89
112
|
JSON-encoded credentials to use to connect to GCP
|
90
113
|
"""
|
91
114
|
return pulumi.get(self, "credentials")
|
92
115
|
|
93
116
|
@credentials.setter
|
94
|
-
def credentials(self, value: Optional[pulumi.Input[str]]):
|
117
|
+
def credentials(self, value: Optional[pulumi.Input[builtins.str]]):
|
95
118
|
pulumi.set(self, "credentials", value)
|
96
119
|
|
97
120
|
@property
|
98
121
|
@pulumi.getter(name="defaultLeaseTtlSeconds")
|
99
|
-
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
122
|
+
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
100
123
|
"""
|
101
124
|
The default TTL for credentials
|
102
125
|
issued by this backend. Defaults to '0'.
|
@@ -104,24 +127,37 @@ class SecretBackendArgs:
|
|
104
127
|
return pulumi.get(self, "default_lease_ttl_seconds")
|
105
128
|
|
106
129
|
@default_lease_ttl_seconds.setter
|
107
|
-
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
130
|
+
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
108
131
|
pulumi.set(self, "default_lease_ttl_seconds", value)
|
109
132
|
|
110
133
|
@property
|
111
134
|
@pulumi.getter
|
112
|
-
def description(self) -> Optional[pulumi.Input[str]]:
|
135
|
+
def description(self) -> Optional[pulumi.Input[builtins.str]]:
|
113
136
|
"""
|
114
137
|
A human-friendly description for this backend.
|
115
138
|
"""
|
116
139
|
return pulumi.get(self, "description")
|
117
140
|
|
118
141
|
@description.setter
|
119
|
-
def description(self, value: Optional[pulumi.Input[str]]):
|
142
|
+
def description(self, value: Optional[pulumi.Input[builtins.str]]):
|
120
143
|
pulumi.set(self, "description", value)
|
121
144
|
|
145
|
+
@property
|
146
|
+
@pulumi.getter(name="disableAutomatedRotation")
|
147
|
+
def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
|
148
|
+
"""
|
149
|
+
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
150
|
+
*Available only for Vault Enterprise*.
|
151
|
+
"""
|
152
|
+
return pulumi.get(self, "disable_automated_rotation")
|
153
|
+
|
154
|
+
@disable_automated_rotation.setter
|
155
|
+
def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
|
156
|
+
pulumi.set(self, "disable_automated_rotation", value)
|
157
|
+
|
122
158
|
@property
|
123
159
|
@pulumi.getter(name="disableRemount")
|
124
|
-
def disable_remount(self) -> Optional[pulumi.Input[bool]]:
|
160
|
+
def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
|
125
161
|
"""
|
126
162
|
If set, opts out of mount migration on path updates.
|
127
163
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -129,12 +165,12 @@ class SecretBackendArgs:
|
|
129
165
|
return pulumi.get(self, "disable_remount")
|
130
166
|
|
131
167
|
@disable_remount.setter
|
132
|
-
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
168
|
+
def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
|
133
169
|
pulumi.set(self, "disable_remount", value)
|
134
170
|
|
135
171
|
@property
|
136
172
|
@pulumi.getter(name="identityTokenAudience")
|
137
|
-
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
173
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
|
138
174
|
"""
|
139
175
|
The audience claim value for plugin identity
|
140
176
|
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
@@ -143,12 +179,12 @@ class SecretBackendArgs:
|
|
143
179
|
return pulumi.get(self, "identity_token_audience")
|
144
180
|
|
145
181
|
@identity_token_audience.setter
|
146
|
-
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
182
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
|
147
183
|
pulumi.set(self, "identity_token_audience", value)
|
148
184
|
|
149
185
|
@property
|
150
186
|
@pulumi.getter(name="identityTokenKey")
|
151
|
-
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
187
|
+
def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
152
188
|
"""
|
153
189
|
The key to use for signing plugin identity
|
154
190
|
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
@@ -156,36 +192,36 @@ class SecretBackendArgs:
|
|
156
192
|
return pulumi.get(self, "identity_token_key")
|
157
193
|
|
158
194
|
@identity_token_key.setter
|
159
|
-
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
195
|
+
def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
160
196
|
pulumi.set(self, "identity_token_key", value)
|
161
197
|
|
162
198
|
@property
|
163
199
|
@pulumi.getter(name="identityTokenTtl")
|
164
|
-
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
200
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
|
165
201
|
"""
|
166
202
|
The TTL of generated tokens.
|
167
203
|
"""
|
168
204
|
return pulumi.get(self, "identity_token_ttl")
|
169
205
|
|
170
206
|
@identity_token_ttl.setter
|
171
|
-
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
207
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
|
172
208
|
pulumi.set(self, "identity_token_ttl", value)
|
173
209
|
|
174
210
|
@property
|
175
211
|
@pulumi.getter
|
176
|
-
def local(self) -> Optional[pulumi.Input[bool]]:
|
212
|
+
def local(self) -> Optional[pulumi.Input[builtins.bool]]:
|
177
213
|
"""
|
178
214
|
Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
179
215
|
"""
|
180
216
|
return pulumi.get(self, "local")
|
181
217
|
|
182
218
|
@local.setter
|
183
|
-
def local(self, value: Optional[pulumi.Input[bool]]):
|
219
|
+
def local(self, value: Optional[pulumi.Input[builtins.bool]]):
|
184
220
|
pulumi.set(self, "local", value)
|
185
221
|
|
186
222
|
@property
|
187
223
|
@pulumi.getter(name="maxLeaseTtlSeconds")
|
188
|
-
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
224
|
+
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
189
225
|
"""
|
190
226
|
The maximum TTL that can be requested
|
191
227
|
for credentials issued by this backend. Defaults to '0'.
|
@@ -193,12 +229,12 @@ class SecretBackendArgs:
|
|
193
229
|
return pulumi.get(self, "max_lease_ttl_seconds")
|
194
230
|
|
195
231
|
@max_lease_ttl_seconds.setter
|
196
|
-
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
232
|
+
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
197
233
|
pulumi.set(self, "max_lease_ttl_seconds", value)
|
198
234
|
|
199
235
|
@property
|
200
236
|
@pulumi.getter
|
201
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
237
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
202
238
|
"""
|
203
239
|
The namespace to provision the resource in.
|
204
240
|
The value should not contain leading or trailing forward slashes.
|
@@ -208,12 +244,12 @@ class SecretBackendArgs:
|
|
208
244
|
return pulumi.get(self, "namespace")
|
209
245
|
|
210
246
|
@namespace.setter
|
211
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
247
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
212
248
|
pulumi.set(self, "namespace", value)
|
213
249
|
|
214
250
|
@property
|
215
251
|
@pulumi.getter
|
216
|
-
def path(self) -> Optional[pulumi.Input[str]]:
|
252
|
+
def path(self) -> Optional[pulumi.Input[builtins.str]]:
|
217
253
|
"""
|
218
254
|
The unique path this backend should be mounted at. Must
|
219
255
|
not begin or end with a `/`. Defaults to `gcp`.
|
@@ -221,12 +257,53 @@ class SecretBackendArgs:
|
|
221
257
|
return pulumi.get(self, "path")
|
222
258
|
|
223
259
|
@path.setter
|
224
|
-
def path(self, value: Optional[pulumi.Input[str]]):
|
260
|
+
def path(self, value: Optional[pulumi.Input[builtins.str]]):
|
225
261
|
pulumi.set(self, "path", value)
|
226
262
|
|
263
|
+
@property
|
264
|
+
@pulumi.getter(name="rotationPeriod")
|
265
|
+
def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
|
266
|
+
"""
|
267
|
+
The amount of time in seconds Vault should wait before rotating the root credential.
|
268
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
269
|
+
*Available only for Vault Enterprise*.
|
270
|
+
"""
|
271
|
+
return pulumi.get(self, "rotation_period")
|
272
|
+
|
273
|
+
@rotation_period.setter
|
274
|
+
def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
|
275
|
+
pulumi.set(self, "rotation_period", value)
|
276
|
+
|
277
|
+
@property
|
278
|
+
@pulumi.getter(name="rotationSchedule")
|
279
|
+
def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
|
280
|
+
"""
|
281
|
+
The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
282
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
283
|
+
"""
|
284
|
+
return pulumi.get(self, "rotation_schedule")
|
285
|
+
|
286
|
+
@rotation_schedule.setter
|
287
|
+
def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
|
288
|
+
pulumi.set(self, "rotation_schedule", value)
|
289
|
+
|
290
|
+
@property
|
291
|
+
@pulumi.getter(name="rotationWindow")
|
292
|
+
def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
|
293
|
+
"""
|
294
|
+
The maximum amount of time in seconds allowed to complete
|
295
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
296
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
297
|
+
"""
|
298
|
+
return pulumi.get(self, "rotation_window")
|
299
|
+
|
300
|
+
@rotation_window.setter
|
301
|
+
def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
|
302
|
+
pulumi.set(self, "rotation_window", value)
|
303
|
+
|
227
304
|
@property
|
228
305
|
@pulumi.getter(name="serviceAccountEmail")
|
229
|
-
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
306
|
+
def service_account_email(self) -> Optional[pulumi.Input[builtins.str]]:
|
230
307
|
"""
|
231
308
|
Service Account to impersonate for plugin workload identity federation.
|
232
309
|
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
@@ -234,51 +311,65 @@ class SecretBackendArgs:
|
|
234
311
|
return pulumi.get(self, "service_account_email")
|
235
312
|
|
236
313
|
@service_account_email.setter
|
237
|
-
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
314
|
+
def service_account_email(self, value: Optional[pulumi.Input[builtins.str]]):
|
238
315
|
pulumi.set(self, "service_account_email", value)
|
239
316
|
|
240
317
|
|
241
318
|
@pulumi.input_type
|
242
319
|
class _SecretBackendState:
|
243
320
|
def __init__(__self__, *,
|
244
|
-
accessor: Optional[pulumi.Input[str]] = None,
|
245
|
-
credentials: Optional[pulumi.Input[str]] = None,
|
246
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
247
|
-
description: Optional[pulumi.Input[str]] = None,
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
256
|
-
|
321
|
+
accessor: Optional[pulumi.Input[builtins.str]] = None,
|
322
|
+
credentials: Optional[pulumi.Input[builtins.str]] = None,
|
323
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
324
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
325
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
326
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
327
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
328
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
329
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
330
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
331
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
332
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
333
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
334
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
335
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
336
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
337
|
+
service_account_email: Optional[pulumi.Input[builtins.str]] = None):
|
257
338
|
"""
|
258
339
|
Input properties used for looking up and filtering SecretBackend resources.
|
259
|
-
:param pulumi.Input[str] accessor: The accessor of the created GCP mount.
|
260
|
-
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
261
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
340
|
+
:param pulumi.Input[builtins.str] accessor: The accessor of the created GCP mount.
|
341
|
+
:param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
|
342
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
262
343
|
issued by this backend. Defaults to '0'.
|
263
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
264
|
-
:param pulumi.Input[bool]
|
344
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
345
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
346
|
+
*Available only for Vault Enterprise*.
|
347
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
265
348
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
266
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
349
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
|
267
350
|
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
268
351
|
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
269
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
352
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
|
270
353
|
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
271
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
272
|
-
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
273
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
354
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
|
355
|
+
:param pulumi.Input[builtins.bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
356
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
274
357
|
for credentials issued by this backend. Defaults to '0'.
|
275
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
358
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
276
359
|
The value should not contain leading or trailing forward slashes.
|
277
360
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
278
361
|
*Available only for Vault Enterprise*.
|
279
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
362
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
280
363
|
not begin or end with a `/`. Defaults to `gcp`.
|
281
|
-
:param pulumi.Input[
|
364
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
365
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
366
|
+
*Available only for Vault Enterprise*.
|
367
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
368
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
369
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
370
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
371
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
372
|
+
:param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
282
373
|
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
283
374
|
"""
|
284
375
|
if accessor is not None:
|
@@ -289,6 +380,8 @@ class _SecretBackendState:
|
|
289
380
|
pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
|
290
381
|
if description is not None:
|
291
382
|
pulumi.set(__self__, "description", description)
|
383
|
+
if disable_automated_rotation is not None:
|
384
|
+
pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
|
292
385
|
if disable_remount is not None:
|
293
386
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
294
387
|
if identity_token_audience is not None:
|
@@ -305,36 +398,42 @@ class _SecretBackendState:
|
|
305
398
|
pulumi.set(__self__, "namespace", namespace)
|
306
399
|
if path is not None:
|
307
400
|
pulumi.set(__self__, "path", path)
|
401
|
+
if rotation_period is not None:
|
402
|
+
pulumi.set(__self__, "rotation_period", rotation_period)
|
403
|
+
if rotation_schedule is not None:
|
404
|
+
pulumi.set(__self__, "rotation_schedule", rotation_schedule)
|
405
|
+
if rotation_window is not None:
|
406
|
+
pulumi.set(__self__, "rotation_window", rotation_window)
|
308
407
|
if service_account_email is not None:
|
309
408
|
pulumi.set(__self__, "service_account_email", service_account_email)
|
310
409
|
|
311
410
|
@property
|
312
411
|
@pulumi.getter
|
313
|
-
def accessor(self) -> Optional[pulumi.Input[str]]:
|
412
|
+
def accessor(self) -> Optional[pulumi.Input[builtins.str]]:
|
314
413
|
"""
|
315
414
|
The accessor of the created GCP mount.
|
316
415
|
"""
|
317
416
|
return pulumi.get(self, "accessor")
|
318
417
|
|
319
418
|
@accessor.setter
|
320
|
-
def accessor(self, value: Optional[pulumi.Input[str]]):
|
419
|
+
def accessor(self, value: Optional[pulumi.Input[builtins.str]]):
|
321
420
|
pulumi.set(self, "accessor", value)
|
322
421
|
|
323
422
|
@property
|
324
423
|
@pulumi.getter
|
325
|
-
def credentials(self) -> Optional[pulumi.Input[str]]:
|
424
|
+
def credentials(self) -> Optional[pulumi.Input[builtins.str]]:
|
326
425
|
"""
|
327
426
|
JSON-encoded credentials to use to connect to GCP
|
328
427
|
"""
|
329
428
|
return pulumi.get(self, "credentials")
|
330
429
|
|
331
430
|
@credentials.setter
|
332
|
-
def credentials(self, value: Optional[pulumi.Input[str]]):
|
431
|
+
def credentials(self, value: Optional[pulumi.Input[builtins.str]]):
|
333
432
|
pulumi.set(self, "credentials", value)
|
334
433
|
|
335
434
|
@property
|
336
435
|
@pulumi.getter(name="defaultLeaseTtlSeconds")
|
337
|
-
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
436
|
+
def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
338
437
|
"""
|
339
438
|
The default TTL for credentials
|
340
439
|
issued by this backend. Defaults to '0'.
|
@@ -342,24 +441,37 @@ class _SecretBackendState:
|
|
342
441
|
return pulumi.get(self, "default_lease_ttl_seconds")
|
343
442
|
|
344
443
|
@default_lease_ttl_seconds.setter
|
345
|
-
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
444
|
+
def default_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
346
445
|
pulumi.set(self, "default_lease_ttl_seconds", value)
|
347
446
|
|
348
447
|
@property
|
349
448
|
@pulumi.getter
|
350
|
-
def description(self) -> Optional[pulumi.Input[str]]:
|
449
|
+
def description(self) -> Optional[pulumi.Input[builtins.str]]:
|
351
450
|
"""
|
352
451
|
A human-friendly description for this backend.
|
353
452
|
"""
|
354
453
|
return pulumi.get(self, "description")
|
355
454
|
|
356
455
|
@description.setter
|
357
|
-
def description(self, value: Optional[pulumi.Input[str]]):
|
456
|
+
def description(self, value: Optional[pulumi.Input[builtins.str]]):
|
358
457
|
pulumi.set(self, "description", value)
|
359
458
|
|
459
|
+
@property
|
460
|
+
@pulumi.getter(name="disableAutomatedRotation")
|
461
|
+
def disable_automated_rotation(self) -> Optional[pulumi.Input[builtins.bool]]:
|
462
|
+
"""
|
463
|
+
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
464
|
+
*Available only for Vault Enterprise*.
|
465
|
+
"""
|
466
|
+
return pulumi.get(self, "disable_automated_rotation")
|
467
|
+
|
468
|
+
@disable_automated_rotation.setter
|
469
|
+
def disable_automated_rotation(self, value: Optional[pulumi.Input[builtins.bool]]):
|
470
|
+
pulumi.set(self, "disable_automated_rotation", value)
|
471
|
+
|
360
472
|
@property
|
361
473
|
@pulumi.getter(name="disableRemount")
|
362
|
-
def disable_remount(self) -> Optional[pulumi.Input[bool]]:
|
474
|
+
def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
|
363
475
|
"""
|
364
476
|
If set, opts out of mount migration on path updates.
|
365
477
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -367,12 +479,12 @@ class _SecretBackendState:
|
|
367
479
|
return pulumi.get(self, "disable_remount")
|
368
480
|
|
369
481
|
@disable_remount.setter
|
370
|
-
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
482
|
+
def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
|
371
483
|
pulumi.set(self, "disable_remount", value)
|
372
484
|
|
373
485
|
@property
|
374
486
|
@pulumi.getter(name="identityTokenAudience")
|
375
|
-
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
487
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[builtins.str]]:
|
376
488
|
"""
|
377
489
|
The audience claim value for plugin identity
|
378
490
|
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
@@ -381,12 +493,12 @@ class _SecretBackendState:
|
|
381
493
|
return pulumi.get(self, "identity_token_audience")
|
382
494
|
|
383
495
|
@identity_token_audience.setter
|
384
|
-
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
496
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[builtins.str]]):
|
385
497
|
pulumi.set(self, "identity_token_audience", value)
|
386
498
|
|
387
499
|
@property
|
388
500
|
@pulumi.getter(name="identityTokenKey")
|
389
|
-
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
501
|
+
def identity_token_key(self) -> Optional[pulumi.Input[builtins.str]]:
|
390
502
|
"""
|
391
503
|
The key to use for signing plugin identity
|
392
504
|
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
@@ -394,36 +506,36 @@ class _SecretBackendState:
|
|
394
506
|
return pulumi.get(self, "identity_token_key")
|
395
507
|
|
396
508
|
@identity_token_key.setter
|
397
|
-
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
509
|
+
def identity_token_key(self, value: Optional[pulumi.Input[builtins.str]]):
|
398
510
|
pulumi.set(self, "identity_token_key", value)
|
399
511
|
|
400
512
|
@property
|
401
513
|
@pulumi.getter(name="identityTokenTtl")
|
402
|
-
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
514
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[builtins.int]]:
|
403
515
|
"""
|
404
516
|
The TTL of generated tokens.
|
405
517
|
"""
|
406
518
|
return pulumi.get(self, "identity_token_ttl")
|
407
519
|
|
408
520
|
@identity_token_ttl.setter
|
409
|
-
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
521
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[builtins.int]]):
|
410
522
|
pulumi.set(self, "identity_token_ttl", value)
|
411
523
|
|
412
524
|
@property
|
413
525
|
@pulumi.getter
|
414
|
-
def local(self) -> Optional[pulumi.Input[bool]]:
|
526
|
+
def local(self) -> Optional[pulumi.Input[builtins.bool]]:
|
415
527
|
"""
|
416
528
|
Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
417
529
|
"""
|
418
530
|
return pulumi.get(self, "local")
|
419
531
|
|
420
532
|
@local.setter
|
421
|
-
def local(self, value: Optional[pulumi.Input[bool]]):
|
533
|
+
def local(self, value: Optional[pulumi.Input[builtins.bool]]):
|
422
534
|
pulumi.set(self, "local", value)
|
423
535
|
|
424
536
|
@property
|
425
537
|
@pulumi.getter(name="maxLeaseTtlSeconds")
|
426
|
-
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[int]]:
|
538
|
+
def max_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
|
427
539
|
"""
|
428
540
|
The maximum TTL that can be requested
|
429
541
|
for credentials issued by this backend. Defaults to '0'.
|
@@ -431,12 +543,12 @@ class _SecretBackendState:
|
|
431
543
|
return pulumi.get(self, "max_lease_ttl_seconds")
|
432
544
|
|
433
545
|
@max_lease_ttl_seconds.setter
|
434
|
-
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[int]]):
|
546
|
+
def max_lease_ttl_seconds(self, value: Optional[pulumi.Input[builtins.int]]):
|
435
547
|
pulumi.set(self, "max_lease_ttl_seconds", value)
|
436
548
|
|
437
549
|
@property
|
438
550
|
@pulumi.getter
|
439
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
551
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
440
552
|
"""
|
441
553
|
The namespace to provision the resource in.
|
442
554
|
The value should not contain leading or trailing forward slashes.
|
@@ -446,12 +558,12 @@ class _SecretBackendState:
|
|
446
558
|
return pulumi.get(self, "namespace")
|
447
559
|
|
448
560
|
@namespace.setter
|
449
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
561
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
450
562
|
pulumi.set(self, "namespace", value)
|
451
563
|
|
452
564
|
@property
|
453
565
|
@pulumi.getter
|
454
|
-
def path(self) -> Optional[pulumi.Input[str]]:
|
566
|
+
def path(self) -> Optional[pulumi.Input[builtins.str]]:
|
455
567
|
"""
|
456
568
|
The unique path this backend should be mounted at. Must
|
457
569
|
not begin or end with a `/`. Defaults to `gcp`.
|
@@ -459,12 +571,53 @@ class _SecretBackendState:
|
|
459
571
|
return pulumi.get(self, "path")
|
460
572
|
|
461
573
|
@path.setter
|
462
|
-
def path(self, value: Optional[pulumi.Input[str]]):
|
574
|
+
def path(self, value: Optional[pulumi.Input[builtins.str]]):
|
463
575
|
pulumi.set(self, "path", value)
|
464
576
|
|
577
|
+
@property
|
578
|
+
@pulumi.getter(name="rotationPeriod")
|
579
|
+
def rotation_period(self) -> Optional[pulumi.Input[builtins.int]]:
|
580
|
+
"""
|
581
|
+
The amount of time in seconds Vault should wait before rotating the root credential.
|
582
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
583
|
+
*Available only for Vault Enterprise*.
|
584
|
+
"""
|
585
|
+
return pulumi.get(self, "rotation_period")
|
586
|
+
|
587
|
+
@rotation_period.setter
|
588
|
+
def rotation_period(self, value: Optional[pulumi.Input[builtins.int]]):
|
589
|
+
pulumi.set(self, "rotation_period", value)
|
590
|
+
|
591
|
+
@property
|
592
|
+
@pulumi.getter(name="rotationSchedule")
|
593
|
+
def rotation_schedule(self) -> Optional[pulumi.Input[builtins.str]]:
|
594
|
+
"""
|
595
|
+
The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
596
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
597
|
+
"""
|
598
|
+
return pulumi.get(self, "rotation_schedule")
|
599
|
+
|
600
|
+
@rotation_schedule.setter
|
601
|
+
def rotation_schedule(self, value: Optional[pulumi.Input[builtins.str]]):
|
602
|
+
pulumi.set(self, "rotation_schedule", value)
|
603
|
+
|
604
|
+
@property
|
605
|
+
@pulumi.getter(name="rotationWindow")
|
606
|
+
def rotation_window(self) -> Optional[pulumi.Input[builtins.int]]:
|
607
|
+
"""
|
608
|
+
The maximum amount of time in seconds allowed to complete
|
609
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
610
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
611
|
+
"""
|
612
|
+
return pulumi.get(self, "rotation_window")
|
613
|
+
|
614
|
+
@rotation_window.setter
|
615
|
+
def rotation_window(self, value: Optional[pulumi.Input[builtins.int]]):
|
616
|
+
pulumi.set(self, "rotation_window", value)
|
617
|
+
|
465
618
|
@property
|
466
619
|
@pulumi.getter(name="serviceAccountEmail")
|
467
|
-
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
620
|
+
def service_account_email(self) -> Optional[pulumi.Input[builtins.str]]:
|
468
621
|
"""
|
469
622
|
Service Account to impersonate for plugin workload identity federation.
|
470
623
|
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
@@ -472,7 +625,7 @@ class _SecretBackendState:
|
|
472
625
|
return pulumi.get(self, "service_account_email")
|
473
626
|
|
474
627
|
@service_account_email.setter
|
475
|
-
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
628
|
+
def service_account_email(self, value: Optional[pulumi.Input[builtins.str]]):
|
476
629
|
pulumi.set(self, "service_account_email", value)
|
477
630
|
|
478
631
|
|
@@ -481,18 +634,22 @@ class SecretBackend(pulumi.CustomResource):
|
|
481
634
|
def __init__(__self__,
|
482
635
|
resource_name: str,
|
483
636
|
opts: Optional[pulumi.ResourceOptions] = None,
|
484
|
-
credentials: Optional[pulumi.Input[str]] = None,
|
485
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
486
|
-
description: Optional[pulumi.Input[str]] = None,
|
487
|
-
|
488
|
-
|
489
|
-
|
490
|
-
|
491
|
-
|
492
|
-
|
493
|
-
|
494
|
-
|
495
|
-
|
637
|
+
credentials: Optional[pulumi.Input[builtins.str]] = None,
|
638
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
639
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
640
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
641
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
642
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
643
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
644
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
645
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
646
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
647
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
648
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
649
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
650
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
651
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
652
|
+
service_account_email: Optional[pulumi.Input[builtins.str]] = None,
|
496
653
|
__props__=None):
|
497
654
|
"""
|
498
655
|
## Example Usage
|
@@ -506,7 +663,9 @@ class SecretBackend(pulumi.CustomResource):
|
|
506
663
|
identity_token_key="example-key",
|
507
664
|
identity_token_ttl=1800,
|
508
665
|
identity_token_audience="<TOKEN_AUDIENCE>",
|
509
|
-
service_account_email="<SERVICE_ACCOUNT_EMAIL>"
|
666
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>",
|
667
|
+
rotation_schedule="0 * * * SAT",
|
668
|
+
rotation_window=3600)
|
510
669
|
```
|
511
670
|
|
512
671
|
```python
|
@@ -514,33 +673,46 @@ class SecretBackend(pulumi.CustomResource):
|
|
514
673
|
import pulumi_std as std
|
515
674
|
import pulumi_vault as vault
|
516
675
|
|
517
|
-
gcp = vault.gcp.SecretBackend("gcp",
|
676
|
+
gcp = vault.gcp.SecretBackend("gcp",
|
677
|
+
credentials=std.file(input="credentials.json").result,
|
678
|
+
rotation_schedule="0 * * * SAT",
|
679
|
+
rotation_window=3600)
|
518
680
|
```
|
519
681
|
|
520
682
|
:param str resource_name: The name of the resource.
|
521
683
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
522
|
-
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
523
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
684
|
+
:param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
|
685
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
524
686
|
issued by this backend. Defaults to '0'.
|
525
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
526
|
-
:param pulumi.Input[bool]
|
687
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
688
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
689
|
+
*Available only for Vault Enterprise*.
|
690
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
527
691
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
528
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
692
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
|
529
693
|
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
530
694
|
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
531
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
695
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
|
532
696
|
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
533
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
534
|
-
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
535
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
697
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
|
698
|
+
:param pulumi.Input[builtins.bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
699
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
536
700
|
for credentials issued by this backend. Defaults to '0'.
|
537
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
701
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
538
702
|
The value should not contain leading or trailing forward slashes.
|
539
703
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
540
704
|
*Available only for Vault Enterprise*.
|
541
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
705
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
542
706
|
not begin or end with a `/`. Defaults to `gcp`.
|
543
|
-
:param pulumi.Input[
|
707
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
708
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
709
|
+
*Available only for Vault Enterprise*.
|
710
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
711
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
712
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
713
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
714
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
715
|
+
:param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
544
716
|
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
545
717
|
"""
|
546
718
|
...
|
@@ -561,7 +733,9 @@ class SecretBackend(pulumi.CustomResource):
|
|
561
733
|
identity_token_key="example-key",
|
562
734
|
identity_token_ttl=1800,
|
563
735
|
identity_token_audience="<TOKEN_AUDIENCE>",
|
564
|
-
service_account_email="<SERVICE_ACCOUNT_EMAIL>"
|
736
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>",
|
737
|
+
rotation_schedule="0 * * * SAT",
|
738
|
+
rotation_window=3600)
|
565
739
|
```
|
566
740
|
|
567
741
|
```python
|
@@ -569,7 +743,10 @@ class SecretBackend(pulumi.CustomResource):
|
|
569
743
|
import pulumi_std as std
|
570
744
|
import pulumi_vault as vault
|
571
745
|
|
572
|
-
gcp = vault.gcp.SecretBackend("gcp",
|
746
|
+
gcp = vault.gcp.SecretBackend("gcp",
|
747
|
+
credentials=std.file(input="credentials.json").result,
|
748
|
+
rotation_schedule="0 * * * SAT",
|
749
|
+
rotation_window=3600)
|
573
750
|
```
|
574
751
|
|
575
752
|
:param str resource_name: The name of the resource.
|
@@ -587,18 +764,22 @@ class SecretBackend(pulumi.CustomResource):
|
|
587
764
|
def _internal_init(__self__,
|
588
765
|
resource_name: str,
|
589
766
|
opts: Optional[pulumi.ResourceOptions] = None,
|
590
|
-
credentials: Optional[pulumi.Input[str]] = None,
|
591
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
592
|
-
description: Optional[pulumi.Input[str]] = None,
|
593
|
-
|
594
|
-
|
595
|
-
|
596
|
-
|
597
|
-
|
598
|
-
|
599
|
-
|
600
|
-
|
601
|
-
|
767
|
+
credentials: Optional[pulumi.Input[builtins.str]] = None,
|
768
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
769
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
770
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
771
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
772
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
773
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
774
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
775
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
776
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
777
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
778
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
779
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
780
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
781
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
782
|
+
service_account_email: Optional[pulumi.Input[builtins.str]] = None,
|
602
783
|
__props__=None):
|
603
784
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
604
785
|
if not isinstance(opts, pulumi.ResourceOptions):
|
@@ -611,6 +792,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
611
792
|
__props__.__dict__["credentials"] = None if credentials is None else pulumi.Output.secret(credentials)
|
612
793
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
613
794
|
__props__.__dict__["description"] = description
|
795
|
+
__props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
|
614
796
|
__props__.__dict__["disable_remount"] = disable_remount
|
615
797
|
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
616
798
|
__props__.__dict__["identity_token_key"] = identity_token_key
|
@@ -619,6 +801,9 @@ class SecretBackend(pulumi.CustomResource):
|
|
619
801
|
__props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
|
620
802
|
__props__.__dict__["namespace"] = namespace
|
621
803
|
__props__.__dict__["path"] = path
|
804
|
+
__props__.__dict__["rotation_period"] = rotation_period
|
805
|
+
__props__.__dict__["rotation_schedule"] = rotation_schedule
|
806
|
+
__props__.__dict__["rotation_window"] = rotation_window
|
622
807
|
__props__.__dict__["service_account_email"] = service_account_email
|
623
808
|
__props__.__dict__["accessor"] = None
|
624
809
|
secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
|
@@ -633,19 +818,23 @@ class SecretBackend(pulumi.CustomResource):
|
|
633
818
|
def get(resource_name: str,
|
634
819
|
id: pulumi.Input[str],
|
635
820
|
opts: Optional[pulumi.ResourceOptions] = None,
|
636
|
-
accessor: Optional[pulumi.Input[str]] = None,
|
637
|
-
credentials: Optional[pulumi.Input[str]] = None,
|
638
|
-
default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
|
639
|
-
description: Optional[pulumi.Input[str]] = None,
|
640
|
-
|
641
|
-
|
642
|
-
|
643
|
-
|
644
|
-
|
645
|
-
|
646
|
-
|
647
|
-
|
648
|
-
|
821
|
+
accessor: Optional[pulumi.Input[builtins.str]] = None,
|
822
|
+
credentials: Optional[pulumi.Input[builtins.str]] = None,
|
823
|
+
default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
824
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
825
|
+
disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
|
826
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
827
|
+
identity_token_audience: Optional[pulumi.Input[builtins.str]] = None,
|
828
|
+
identity_token_key: Optional[pulumi.Input[builtins.str]] = None,
|
829
|
+
identity_token_ttl: Optional[pulumi.Input[builtins.int]] = None,
|
830
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
831
|
+
max_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
|
832
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
833
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
834
|
+
rotation_period: Optional[pulumi.Input[builtins.int]] = None,
|
835
|
+
rotation_schedule: Optional[pulumi.Input[builtins.str]] = None,
|
836
|
+
rotation_window: Optional[pulumi.Input[builtins.int]] = None,
|
837
|
+
service_account_email: Optional[pulumi.Input[builtins.str]] = None) -> 'SecretBackend':
|
649
838
|
"""
|
650
839
|
Get an existing SecretBackend resource's state with the given name, id, and optional extra
|
651
840
|
properties used to qualify the lookup.
|
@@ -653,29 +842,39 @@ class SecretBackend(pulumi.CustomResource):
|
|
653
842
|
:param str resource_name: The unique name of the resulting resource.
|
654
843
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
655
844
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
656
|
-
:param pulumi.Input[str] accessor: The accessor of the created GCP mount.
|
657
|
-
:param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
|
658
|
-
:param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
|
845
|
+
:param pulumi.Input[builtins.str] accessor: The accessor of the created GCP mount.
|
846
|
+
:param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
|
847
|
+
:param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
|
659
848
|
issued by this backend. Defaults to '0'.
|
660
|
-
:param pulumi.Input[str] description: A human-friendly description for this backend.
|
661
|
-
:param pulumi.Input[bool]
|
849
|
+
:param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
|
850
|
+
:param pulumi.Input[builtins.bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
851
|
+
*Available only for Vault Enterprise*.
|
852
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
662
853
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
663
|
-
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
854
|
+
:param pulumi.Input[builtins.str] identity_token_audience: The audience claim value for plugin identity
|
664
855
|
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
665
856
|
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
666
|
-
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
857
|
+
:param pulumi.Input[builtins.str] identity_token_key: The key to use for signing plugin identity
|
667
858
|
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
668
|
-
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
669
|
-
:param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
670
|
-
:param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
859
|
+
:param pulumi.Input[builtins.int] identity_token_ttl: The TTL of generated tokens.
|
860
|
+
:param pulumi.Input[builtins.bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
861
|
+
:param pulumi.Input[builtins.int] max_lease_ttl_seconds: The maximum TTL that can be requested
|
671
862
|
for credentials issued by this backend. Defaults to '0'.
|
672
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
863
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
673
864
|
The value should not contain leading or trailing forward slashes.
|
674
865
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
675
866
|
*Available only for Vault Enterprise*.
|
676
|
-
:param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
|
867
|
+
:param pulumi.Input[builtins.str] path: The unique path this backend should be mounted at. Must
|
677
868
|
not begin or end with a `/`. Defaults to `gcp`.
|
678
|
-
:param pulumi.Input[
|
869
|
+
:param pulumi.Input[builtins.int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
|
870
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
871
|
+
*Available only for Vault Enterprise*.
|
872
|
+
:param pulumi.Input[builtins.str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
873
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
874
|
+
:param pulumi.Input[builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
|
875
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
876
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
877
|
+
:param pulumi.Input[builtins.str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
679
878
|
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
680
879
|
"""
|
681
880
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
@@ -686,6 +885,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
686
885
|
__props__.__dict__["credentials"] = credentials
|
687
886
|
__props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
|
688
887
|
__props__.__dict__["description"] = description
|
888
|
+
__props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
|
689
889
|
__props__.__dict__["disable_remount"] = disable_remount
|
690
890
|
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
691
891
|
__props__.__dict__["identity_token_key"] = identity_token_key
|
@@ -694,12 +894,15 @@ class SecretBackend(pulumi.CustomResource):
|
|
694
894
|
__props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
|
695
895
|
__props__.__dict__["namespace"] = namespace
|
696
896
|
__props__.__dict__["path"] = path
|
897
|
+
__props__.__dict__["rotation_period"] = rotation_period
|
898
|
+
__props__.__dict__["rotation_schedule"] = rotation_schedule
|
899
|
+
__props__.__dict__["rotation_window"] = rotation_window
|
697
900
|
__props__.__dict__["service_account_email"] = service_account_email
|
698
901
|
return SecretBackend(resource_name, opts=opts, __props__=__props__)
|
699
902
|
|
700
903
|
@property
|
701
904
|
@pulumi.getter
|
702
|
-
def accessor(self) -> pulumi.Output[str]:
|
905
|
+
def accessor(self) -> pulumi.Output[builtins.str]:
|
703
906
|
"""
|
704
907
|
The accessor of the created GCP mount.
|
705
908
|
"""
|
@@ -707,7 +910,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
707
910
|
|
708
911
|
@property
|
709
912
|
@pulumi.getter
|
710
|
-
def credentials(self) -> pulumi.Output[Optional[str]]:
|
913
|
+
def credentials(self) -> pulumi.Output[Optional[builtins.str]]:
|
711
914
|
"""
|
712
915
|
JSON-encoded credentials to use to connect to GCP
|
713
916
|
"""
|
@@ -715,7 +918,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
715
918
|
|
716
919
|
@property
|
717
920
|
@pulumi.getter(name="defaultLeaseTtlSeconds")
|
718
|
-
def default_lease_ttl_seconds(self) -> pulumi.Output[Optional[int]]:
|
921
|
+
def default_lease_ttl_seconds(self) -> pulumi.Output[Optional[builtins.int]]:
|
719
922
|
"""
|
720
923
|
The default TTL for credentials
|
721
924
|
issued by this backend. Defaults to '0'.
|
@@ -724,15 +927,24 @@ class SecretBackend(pulumi.CustomResource):
|
|
724
927
|
|
725
928
|
@property
|
726
929
|
@pulumi.getter
|
727
|
-
def description(self) -> pulumi.Output[Optional[str]]:
|
930
|
+
def description(self) -> pulumi.Output[Optional[builtins.str]]:
|
728
931
|
"""
|
729
932
|
A human-friendly description for this backend.
|
730
933
|
"""
|
731
934
|
return pulumi.get(self, "description")
|
732
935
|
|
936
|
+
@property
|
937
|
+
@pulumi.getter(name="disableAutomatedRotation")
|
938
|
+
def disable_automated_rotation(self) -> pulumi.Output[Optional[builtins.bool]]:
|
939
|
+
"""
|
940
|
+
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
|
941
|
+
*Available only for Vault Enterprise*.
|
942
|
+
"""
|
943
|
+
return pulumi.get(self, "disable_automated_rotation")
|
944
|
+
|
733
945
|
@property
|
734
946
|
@pulumi.getter(name="disableRemount")
|
735
|
-
def disable_remount(self) -> pulumi.Output[Optional[bool]]:
|
947
|
+
def disable_remount(self) -> pulumi.Output[Optional[builtins.bool]]:
|
736
948
|
"""
|
737
949
|
If set, opts out of mount migration on path updates.
|
738
950
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -741,7 +953,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
741
953
|
|
742
954
|
@property
|
743
955
|
@pulumi.getter(name="identityTokenAudience")
|
744
|
-
def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
|
956
|
+
def identity_token_audience(self) -> pulumi.Output[Optional[builtins.str]]:
|
745
957
|
"""
|
746
958
|
The audience claim value for plugin identity
|
747
959
|
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
@@ -751,7 +963,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
751
963
|
|
752
964
|
@property
|
753
965
|
@pulumi.getter(name="identityTokenKey")
|
754
|
-
def identity_token_key(self) -> pulumi.Output[Optional[str]]:
|
966
|
+
def identity_token_key(self) -> pulumi.Output[Optional[builtins.str]]:
|
755
967
|
"""
|
756
968
|
The key to use for signing plugin identity
|
757
969
|
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
@@ -760,7 +972,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
760
972
|
|
761
973
|
@property
|
762
974
|
@pulumi.getter(name="identityTokenTtl")
|
763
|
-
def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
|
975
|
+
def identity_token_ttl(self) -> pulumi.Output[Optional[builtins.int]]:
|
764
976
|
"""
|
765
977
|
The TTL of generated tokens.
|
766
978
|
"""
|
@@ -768,7 +980,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
768
980
|
|
769
981
|
@property
|
770
982
|
@pulumi.getter
|
771
|
-
def local(self) -> pulumi.Output[Optional[bool]]:
|
983
|
+
def local(self) -> pulumi.Output[Optional[builtins.bool]]:
|
772
984
|
"""
|
773
985
|
Boolean flag that can be explicitly set to true to enforce local mount in HA environment
|
774
986
|
"""
|
@@ -776,7 +988,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
776
988
|
|
777
989
|
@property
|
778
990
|
@pulumi.getter(name="maxLeaseTtlSeconds")
|
779
|
-
def max_lease_ttl_seconds(self) -> pulumi.Output[Optional[int]]:
|
991
|
+
def max_lease_ttl_seconds(self) -> pulumi.Output[Optional[builtins.int]]:
|
780
992
|
"""
|
781
993
|
The maximum TTL that can be requested
|
782
994
|
for credentials issued by this backend. Defaults to '0'.
|
@@ -785,7 +997,7 @@ class SecretBackend(pulumi.CustomResource):
|
|
785
997
|
|
786
998
|
@property
|
787
999
|
@pulumi.getter
|
788
|
-
def namespace(self) -> pulumi.Output[Optional[str]]:
|
1000
|
+
def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
|
789
1001
|
"""
|
790
1002
|
The namespace to provision the resource in.
|
791
1003
|
The value should not contain leading or trailing forward slashes.
|
@@ -796,16 +1008,45 @@ class SecretBackend(pulumi.CustomResource):
|
|
796
1008
|
|
797
1009
|
@property
|
798
1010
|
@pulumi.getter
|
799
|
-
def path(self) -> pulumi.Output[Optional[str]]:
|
1011
|
+
def path(self) -> pulumi.Output[Optional[builtins.str]]:
|
800
1012
|
"""
|
801
1013
|
The unique path this backend should be mounted at. Must
|
802
1014
|
not begin or end with a `/`. Defaults to `gcp`.
|
803
1015
|
"""
|
804
1016
|
return pulumi.get(self, "path")
|
805
1017
|
|
1018
|
+
@property
|
1019
|
+
@pulumi.getter(name="rotationPeriod")
|
1020
|
+
def rotation_period(self) -> pulumi.Output[Optional[builtins.int]]:
|
1021
|
+
"""
|
1022
|
+
The amount of time in seconds Vault should wait before rotating the root credential.
|
1023
|
+
A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
|
1024
|
+
*Available only for Vault Enterprise*.
|
1025
|
+
"""
|
1026
|
+
return pulumi.get(self, "rotation_period")
|
1027
|
+
|
1028
|
+
@property
|
1029
|
+
@pulumi.getter(name="rotationSchedule")
|
1030
|
+
def rotation_schedule(self) -> pulumi.Output[Optional[builtins.str]]:
|
1031
|
+
"""
|
1032
|
+
The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
|
1033
|
+
defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
1034
|
+
"""
|
1035
|
+
return pulumi.get(self, "rotation_schedule")
|
1036
|
+
|
1037
|
+
@property
|
1038
|
+
@pulumi.getter(name="rotationWindow")
|
1039
|
+
def rotation_window(self) -> pulumi.Output[Optional[builtins.int]]:
|
1040
|
+
"""
|
1041
|
+
The maximum amount of time in seconds allowed to complete
|
1042
|
+
a rotation when a scheduled token rotation occurs. The default rotation window is
|
1043
|
+
unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.
|
1044
|
+
"""
|
1045
|
+
return pulumi.get(self, "rotation_window")
|
1046
|
+
|
806
1047
|
@property
|
807
1048
|
@pulumi.getter(name="serviceAccountEmail")
|
808
|
-
def service_account_email(self) -> pulumi.Output[Optional[str]]:
|
1049
|
+
def service_account_email(self) -> pulumi.Output[Optional[builtins.str]]:
|
809
1050
|
"""
|
810
1051
|
Service Account to impersonate for plugin workload identity federation.
|
811
1052
|
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|