pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.7.0a1741847926__py3-none-any.whl

Files changed (44)
  1. pulumi_vault/__init__.py +8 -0
  2. pulumi_vault/aws/auth_backend_client.py +228 -4
  3. pulumi_vault/aws/secret_backend.py +266 -50
  4. pulumi_vault/aws/secret_backend_static_role.py +217 -0
  5. pulumi_vault/azure/auth_backend_config.py +257 -5
  6. pulumi_vault/azure/backend.py +249 -4
  7. pulumi_vault/database/_inputs.py +1692 -36
  8. pulumi_vault/database/outputs.py +1170 -18
  9. pulumi_vault/database/secret_backend_connection.py +220 -0
  10. pulumi_vault/database/secret_backend_static_role.py +143 -1
  11. pulumi_vault/database/secrets_mount.py +8 -0
  12. pulumi_vault/gcp/auth_backend.py +222 -2
  13. pulumi_vault/gcp/secret_backend.py +244 -4
  14. pulumi_vault/ldap/auth_backend.py +222 -2
  15. pulumi_vault/ldap/secret_backend.py +222 -2
  16. pulumi_vault/pkisecret/__init__.py +2 -0
  17. pulumi_vault/pkisecret/_inputs.py +0 -6
  18. pulumi_vault/pkisecret/backend_config_acme.py +47 -0
  19. pulumi_vault/pkisecret/backend_config_auto_tidy.py +1376 -0
  20. pulumi_vault/pkisecret/backend_config_cmpv2.py +61 -14
  21. pulumi_vault/pkisecret/get_backend_cert_metadata.py +277 -0
  22. pulumi_vault/pkisecret/get_backend_config_cmpv2.py +18 -1
  23. pulumi_vault/pkisecret/get_backend_issuer.py +114 -1
  24. pulumi_vault/pkisecret/outputs.py +0 -4
  25. pulumi_vault/pkisecret/secret_backend_cert.py +148 -7
  26. pulumi_vault/pkisecret/secret_backend_crl_config.py +54 -0
  27. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +141 -0
  28. pulumi_vault/pkisecret/secret_backend_issuer.py +265 -0
  29. pulumi_vault/pkisecret/secret_backend_role.py +252 -3
  30. pulumi_vault/pkisecret/secret_backend_root_cert.py +423 -0
  31. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +581 -3
  32. pulumi_vault/pkisecret/secret_backend_sign.py +94 -0
  33. pulumi_vault/pulumi-plugin.json +1 -1
  34. pulumi_vault/ssh/__init__.py +1 -0
  35. pulumi_vault/ssh/get_secret_backend_sign.py +294 -0
  36. pulumi_vault/terraformcloud/secret_role.py +7 -7
  37. pulumi_vault/transit/__init__.py +2 -0
  38. pulumi_vault/transit/get_sign.py +324 -0
  39. pulumi_vault/transit/get_verify.py +354 -0
  40. pulumi_vault/transit/secret_backend_key.py +162 -0
  41. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0a1741847926.dist-info}/METADATA +1 -1
  42. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0a1741847926.dist-info}/RECORD +44 -39
  43. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0a1741847926.dist-info}/WHEEL +1 -1
  44. {pulumi_vault-6.6.0a1741415971.dist-info → pulumi_vault-6.7.0a1741847926.dist-info}/top_level.txt +0 -0
@@ -22,6 +22,7 @@ class SecretBackendArgs:
22
22
  access_key: Optional[pulumi.Input[str]] = None,
23
23
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
24
24
  description: Optional[pulumi.Input[str]] = None,
25
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
25
26
  disable_remount: Optional[pulumi.Input[bool]] = None,
26
27
  iam_endpoint: Optional[pulumi.Input[str]] = None,
27
28
  identity_token_audience: Optional[pulumi.Input[str]] = None,
@@ -33,6 +34,9 @@ class SecretBackendArgs:
33
34
  path: Optional[pulumi.Input[str]] = None,
34
35
  region: Optional[pulumi.Input[str]] = None,
35
36
  role_arn: Optional[pulumi.Input[str]] = None,
37
+ rotation_period: Optional[pulumi.Input[int]] = None,
38
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
39
+ rotation_window: Optional[pulumi.Input[int]] = None,
36
40
  secret_key: Optional[pulumi.Input[str]] = None,
37
41
  sts_endpoint: Optional[pulumi.Input[str]] = None,
38
42
  sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -46,6 +50,7 @@ class SecretBackendArgs:
46
50
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
47
51
  issued by this backend.
48
52
  :param pulumi.Input[str] description: A human-friendly description for this backend.
53
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
49
54
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
50
55
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
51
56
  :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
@@ -63,6 +68,19 @@ class SecretBackendArgs:
63
68
  not begin or end with a `/`. Defaults to `aws`.
64
69
  :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
65
70
  :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
71
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
72
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
73
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
74
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
75
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
76
+ a rotation when a scheduled token rotation occurs. The default rotation window is
77
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
78
+ :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
79
+ :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
80
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
81
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
82
+ :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
83
+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
66
84
 
67
85
  ```
68
86
  {{ if (eq .Type "STS") }}
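Review bot: The added `rotation_schedule` and `rotation_window` docstrings say "root token", while `rotation_period` and `disable_automated_rotation` say "root credential" for what appears to be the same secret. The wording should use one term throughout, e.g. `defining the schedule on which Vault should rotate the root credential.` The three rotation parameters are also documented in isolation, with nothing on how they combine. As far as I know Vault treats `rotation_period` and `rotation_schedule` as mutually exclusive and applies `rotation_window` only alongside a schedule; that should be confirmed upstream and then stated here, together with a note that a zero period or a set `disable_automated_rotation` leaves the root credential unrotated. The same text recurs in the `_SecretBackendState` and `SecretBackend` docstrings and in the property getters of both classes ("unbound" there should read "unbounded"), and if this file is generated the fix belongs in the provider schema it is produced from.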
@@ -72,12 +90,6 @@ class SecretBackendArgs:
72
90
  {{ end }}
73
91
 
74
92
  ```
75
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
76
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
77
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
78
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
79
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
80
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
81
93
  """
82
94
  if access_key is not None:
83
95
  pulumi.set(__self__, "access_key", access_key)
@@ -85,6 +97,8 @@ class SecretBackendArgs:
85
97
  pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
86
98
  if description is not None:
87
99
  pulumi.set(__self__, "description", description)
100
+ if disable_automated_rotation is not None:
101
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
88
102
  if disable_remount is not None:
89
103
  pulumi.set(__self__, "disable_remount", disable_remount)
90
104
  if iam_endpoint is not None:
@@ -107,6 +121,12 @@ class SecretBackendArgs:
107
121
  pulumi.set(__self__, "region", region)
108
122
  if role_arn is not None:
109
123
  pulumi.set(__self__, "role_arn", role_arn)
124
+ if rotation_period is not None:
125
+ pulumi.set(__self__, "rotation_period", rotation_period)
126
+ if rotation_schedule is not None:
127
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
128
+ if rotation_window is not None:
129
+ pulumi.set(__self__, "rotation_window", rotation_window)
110
130
  if secret_key is not None:
111
131
  pulumi.set(__self__, "secret_key", secret_key)
112
132
  if sts_endpoint is not None:
@@ -158,6 +178,18 @@ class SecretBackendArgs:
158
178
  def description(self, value: Optional[pulumi.Input[str]]):
159
179
  pulumi.set(self, "description", value)
160
180
 
181
+ @property
182
+ @pulumi.getter(name="disableAutomatedRotation")
183
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[bool]]:
184
+ """
185
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
186
+ """
187
+ return pulumi.get(self, "disable_automated_rotation")
188
+
189
+ @disable_automated_rotation.setter
190
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[bool]]):
191
+ pulumi.set(self, "disable_automated_rotation", value)
192
+
161
193
  @property
162
194
  @pulumi.getter(name="disableRemount")
163
195
  def disable_remount(self) -> Optional[pulumi.Input[bool]]:
@@ -289,15 +321,6 @@ class SecretBackendArgs:
289
321
  def role_arn(self) -> Optional[pulumi.Input[str]]:
290
322
  """
291
323
  Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
292
-
293
- ```
294
- {{ if (eq .Type "STS") }}
295
- {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
296
- {{ else }}
297
- {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
298
- {{ end }}
299
-
300
- ```
301
324
  """
302
325
  return pulumi.get(self, "role_arn")
303
326
 
@@ -305,6 +328,46 @@ class SecretBackendArgs:
305
328
  def role_arn(self, value: Optional[pulumi.Input[str]]):
306
329
  pulumi.set(self, "role_arn", value)
307
330
 
331
+ @property
332
+ @pulumi.getter(name="rotationPeriod")
333
+ def rotation_period(self) -> Optional[pulumi.Input[int]]:
334
+ """
335
+ The amount of time in seconds Vault should wait before rotating the root credential.
336
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
337
+ """
338
+ return pulumi.get(self, "rotation_period")
339
+
340
+ @rotation_period.setter
341
+ def rotation_period(self, value: Optional[pulumi.Input[int]]):
342
+ pulumi.set(self, "rotation_period", value)
343
+
344
+ @property
345
+ @pulumi.getter(name="rotationSchedule")
346
+ def rotation_schedule(self) -> Optional[pulumi.Input[str]]:
347
+ """
348
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
349
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
350
+ """
351
+ return pulumi.get(self, "rotation_schedule")
352
+
353
+ @rotation_schedule.setter
354
+ def rotation_schedule(self, value: Optional[pulumi.Input[str]]):
355
+ pulumi.set(self, "rotation_schedule", value)
356
+
357
+ @property
358
+ @pulumi.getter(name="rotationWindow")
359
+ def rotation_window(self) -> Optional[pulumi.Input[int]]:
360
+ """
361
+ The maximum amount of time in seconds allowed to complete
362
+ a rotation when a scheduled token rotation occurs. The default rotation window is
363
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
364
+ """
365
+ return pulumi.get(self, "rotation_window")
366
+
367
+ @rotation_window.setter
368
+ def rotation_window(self, value: Optional[pulumi.Input[int]]):
369
+ pulumi.set(self, "rotation_window", value)
370
+
308
371
  @property
309
372
  @pulumi.getter(name="secretKey")
310
373
  def secret_key(self) -> Optional[pulumi.Input[str]]:
@@ -370,6 +433,15 @@ class SecretBackendArgs:
370
433
  def username_template(self) -> Optional[pulumi.Input[str]]:
371
434
  """
372
435
  Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
436
+
437
+ ```
438
+ {{ if (eq .Type "STS") }}
439
+ {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
440
+ {{ else }}
441
+ {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
442
+ {{ end }}
443
+
444
+ ```
373
445
  """
374
446
  return pulumi.get(self, "username_template")
375
447
 
@@ -384,6 +456,7 @@ class _SecretBackendState:
384
456
  access_key: Optional[pulumi.Input[str]] = None,
385
457
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
386
458
  description: Optional[pulumi.Input[str]] = None,
459
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
387
460
  disable_remount: Optional[pulumi.Input[bool]] = None,
388
461
  iam_endpoint: Optional[pulumi.Input[str]] = None,
389
462
  identity_token_audience: Optional[pulumi.Input[str]] = None,
@@ -395,6 +468,9 @@ class _SecretBackendState:
395
468
  path: Optional[pulumi.Input[str]] = None,
396
469
  region: Optional[pulumi.Input[str]] = None,
397
470
  role_arn: Optional[pulumi.Input[str]] = None,
471
+ rotation_period: Optional[pulumi.Input[int]] = None,
472
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
473
+ rotation_window: Optional[pulumi.Input[int]] = None,
398
474
  secret_key: Optional[pulumi.Input[str]] = None,
399
475
  sts_endpoint: Optional[pulumi.Input[str]] = None,
400
476
  sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -408,6 +484,7 @@ class _SecretBackendState:
408
484
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
409
485
  issued by this backend.
410
486
  :param pulumi.Input[str] description: A human-friendly description for this backend.
487
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
411
488
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
412
489
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
413
490
  :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
@@ -425,6 +502,19 @@ class _SecretBackendState:
425
502
  not begin or end with a `/`. Defaults to `aws`.
426
503
  :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
427
504
  :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
505
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
506
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
507
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
508
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
509
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
510
+ a rotation when a scheduled token rotation occurs. The default rotation window is
511
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
512
+ :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
513
+ :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
514
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
515
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
516
+ :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
517
+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
428
518
 
429
519
  ```
430
520
  {{ if (eq .Type "STS") }}
@@ -434,12 +524,6 @@ class _SecretBackendState:
434
524
  {{ end }}
435
525
 
436
526
  ```
437
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
438
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
439
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
440
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
441
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
442
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
443
527
  """
444
528
  if access_key is not None:
445
529
  pulumi.set(__self__, "access_key", access_key)
@@ -447,6 +531,8 @@ class _SecretBackendState:
447
531
  pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
448
532
  if description is not None:
449
533
  pulumi.set(__self__, "description", description)
534
+ if disable_automated_rotation is not None:
535
+ pulumi.set(__self__, "disable_automated_rotation", disable_automated_rotation)
450
536
  if disable_remount is not None:
451
537
  pulumi.set(__self__, "disable_remount", disable_remount)
452
538
  if iam_endpoint is not None:
@@ -469,6 +555,12 @@ class _SecretBackendState:
469
555
  pulumi.set(__self__, "region", region)
470
556
  if role_arn is not None:
471
557
  pulumi.set(__self__, "role_arn", role_arn)
558
+ if rotation_period is not None:
559
+ pulumi.set(__self__, "rotation_period", rotation_period)
560
+ if rotation_schedule is not None:
561
+ pulumi.set(__self__, "rotation_schedule", rotation_schedule)
562
+ if rotation_window is not None:
563
+ pulumi.set(__self__, "rotation_window", rotation_window)
472
564
  if secret_key is not None:
473
565
  pulumi.set(__self__, "secret_key", secret_key)
474
566
  if sts_endpoint is not None:
@@ -520,6 +612,18 @@ class _SecretBackendState:
520
612
  def description(self, value: Optional[pulumi.Input[str]]):
521
613
  pulumi.set(self, "description", value)
522
614
 
615
+ @property
616
+ @pulumi.getter(name="disableAutomatedRotation")
617
+ def disable_automated_rotation(self) -> Optional[pulumi.Input[bool]]:
618
+ """
619
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
620
+ """
621
+ return pulumi.get(self, "disable_automated_rotation")
622
+
623
+ @disable_automated_rotation.setter
624
+ def disable_automated_rotation(self, value: Optional[pulumi.Input[bool]]):
625
+ pulumi.set(self, "disable_automated_rotation", value)
626
+
523
627
  @property
524
628
  @pulumi.getter(name="disableRemount")
525
629
  def disable_remount(self) -> Optional[pulumi.Input[bool]]:
@@ -651,15 +755,6 @@ class _SecretBackendState:
651
755
  def role_arn(self) -> Optional[pulumi.Input[str]]:
652
756
  """
653
757
  Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
654
-
655
- ```
656
- {{ if (eq .Type "STS") }}
657
- {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
658
- {{ else }}
659
- {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
660
- {{ end }}
661
-
662
- ```
663
758
  """
664
759
  return pulumi.get(self, "role_arn")
665
760
 
@@ -667,6 +762,46 @@ class _SecretBackendState:
667
762
  def role_arn(self, value: Optional[pulumi.Input[str]]):
668
763
  pulumi.set(self, "role_arn", value)
669
764
 
765
+ @property
766
+ @pulumi.getter(name="rotationPeriod")
767
+ def rotation_period(self) -> Optional[pulumi.Input[int]]:
768
+ """
769
+ The amount of time in seconds Vault should wait before rotating the root credential.
770
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
771
+ """
772
+ return pulumi.get(self, "rotation_period")
773
+
774
+ @rotation_period.setter
775
+ def rotation_period(self, value: Optional[pulumi.Input[int]]):
776
+ pulumi.set(self, "rotation_period", value)
777
+
778
+ @property
779
+ @pulumi.getter(name="rotationSchedule")
780
+ def rotation_schedule(self) -> Optional[pulumi.Input[str]]:
781
+ """
782
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
783
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
784
+ """
785
+ return pulumi.get(self, "rotation_schedule")
786
+
787
+ @rotation_schedule.setter
788
+ def rotation_schedule(self, value: Optional[pulumi.Input[str]]):
789
+ pulumi.set(self, "rotation_schedule", value)
790
+
791
+ @property
792
+ @pulumi.getter(name="rotationWindow")
793
+ def rotation_window(self) -> Optional[pulumi.Input[int]]:
794
+ """
795
+ The maximum amount of time in seconds allowed to complete
796
+ a rotation when a scheduled token rotation occurs. The default rotation window is
797
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
798
+ """
799
+ return pulumi.get(self, "rotation_window")
800
+
801
+ @rotation_window.setter
802
+ def rotation_window(self, value: Optional[pulumi.Input[int]]):
803
+ pulumi.set(self, "rotation_window", value)
804
+
670
805
  @property
671
806
  @pulumi.getter(name="secretKey")
672
807
  def secret_key(self) -> Optional[pulumi.Input[str]]:
@@ -732,6 +867,15 @@ class _SecretBackendState:
732
867
  def username_template(self) -> Optional[pulumi.Input[str]]:
733
868
  """
734
869
  Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
870
+
871
+ ```
872
+ {{ if (eq .Type "STS") }}
873
+ {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
874
+ {{ else }}
875
+ {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
876
+ {{ end }}
877
+
878
+ ```
735
879
  """
736
880
  return pulumi.get(self, "username_template")
737
881
 
@@ -748,6 +892,7 @@ class SecretBackend(pulumi.CustomResource):
748
892
  access_key: Optional[pulumi.Input[str]] = None,
749
893
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
750
894
  description: Optional[pulumi.Input[str]] = None,
895
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
751
896
  disable_remount: Optional[pulumi.Input[bool]] = None,
752
897
  iam_endpoint: Optional[pulumi.Input[str]] = None,
753
898
  identity_token_audience: Optional[pulumi.Input[str]] = None,
@@ -759,6 +904,9 @@ class SecretBackend(pulumi.CustomResource):
759
904
  path: Optional[pulumi.Input[str]] = None,
760
905
  region: Optional[pulumi.Input[str]] = None,
761
906
  role_arn: Optional[pulumi.Input[str]] = None,
907
+ rotation_period: Optional[pulumi.Input[int]] = None,
908
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
909
+ rotation_window: Optional[pulumi.Input[int]] = None,
762
910
  secret_key: Optional[pulumi.Input[str]] = None,
763
911
  sts_endpoint: Optional[pulumi.Input[str]] = None,
764
912
  sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -782,6 +930,7 @@ class SecretBackend(pulumi.CustomResource):
782
930
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
783
931
  issued by this backend.
784
932
  :param pulumi.Input[str] description: A human-friendly description for this backend.
933
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
785
934
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
786
935
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
787
936
  :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
@@ -799,6 +948,19 @@ class SecretBackend(pulumi.CustomResource):
799
948
  not begin or end with a `/`. Defaults to `aws`.
800
949
  :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
801
950
  :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
951
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
952
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
953
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
954
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
955
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
956
+ a rotation when a scheduled token rotation occurs. The default rotation window is
957
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
958
+ :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
959
+ :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
960
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
961
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
962
+ :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
963
+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
802
964
 
803
965
  ```
804
966
  {{ if (eq .Type "STS") }}
@@ -808,12 +970,6 @@ class SecretBackend(pulumi.CustomResource):
808
970
  {{ end }}
809
971
 
810
972
  ```
811
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
812
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
813
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
814
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
815
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
816
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
817
973
  """
818
974
  ...
819
975
  @overload
@@ -848,6 +1004,7 @@ class SecretBackend(pulumi.CustomResource):
848
1004
  access_key: Optional[pulumi.Input[str]] = None,
849
1005
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
850
1006
  description: Optional[pulumi.Input[str]] = None,
1007
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
851
1008
  disable_remount: Optional[pulumi.Input[bool]] = None,
852
1009
  iam_endpoint: Optional[pulumi.Input[str]] = None,
853
1010
  identity_token_audience: Optional[pulumi.Input[str]] = None,
@@ -859,6 +1016,9 @@ class SecretBackend(pulumi.CustomResource):
859
1016
  path: Optional[pulumi.Input[str]] = None,
860
1017
  region: Optional[pulumi.Input[str]] = None,
861
1018
  role_arn: Optional[pulumi.Input[str]] = None,
1019
+ rotation_period: Optional[pulumi.Input[int]] = None,
1020
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
1021
+ rotation_window: Optional[pulumi.Input[int]] = None,
862
1022
  secret_key: Optional[pulumi.Input[str]] = None,
863
1023
  sts_endpoint: Optional[pulumi.Input[str]] = None,
864
1024
  sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -877,6 +1037,7 @@ class SecretBackend(pulumi.CustomResource):
877
1037
  __props__.__dict__["access_key"] = None if access_key is None else pulumi.Output.secret(access_key)
878
1038
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
879
1039
  __props__.__dict__["description"] = description
1040
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
880
1041
  __props__.__dict__["disable_remount"] = disable_remount
881
1042
  __props__.__dict__["iam_endpoint"] = iam_endpoint
882
1043
  __props__.__dict__["identity_token_audience"] = identity_token_audience
@@ -888,6 +1049,9 @@ class SecretBackend(pulumi.CustomResource):
888
1049
  __props__.__dict__["path"] = path
889
1050
  __props__.__dict__["region"] = region
890
1051
  __props__.__dict__["role_arn"] = role_arn
1052
+ __props__.__dict__["rotation_period"] = rotation_period
1053
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1054
+ __props__.__dict__["rotation_window"] = rotation_window
891
1055
  __props__.__dict__["secret_key"] = None if secret_key is None else pulumi.Output.secret(secret_key)
892
1056
  __props__.__dict__["sts_endpoint"] = sts_endpoint
893
1057
  __props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints
@@ -909,6 +1073,7 @@ class SecretBackend(pulumi.CustomResource):
909
1073
  access_key: Optional[pulumi.Input[str]] = None,
910
1074
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
911
1075
  description: Optional[pulumi.Input[str]] = None,
1076
+ disable_automated_rotation: Optional[pulumi.Input[bool]] = None,
912
1077
  disable_remount: Optional[pulumi.Input[bool]] = None,
913
1078
  iam_endpoint: Optional[pulumi.Input[str]] = None,
914
1079
  identity_token_audience: Optional[pulumi.Input[str]] = None,
@@ -920,6 +1085,9 @@ class SecretBackend(pulumi.CustomResource):
920
1085
  path: Optional[pulumi.Input[str]] = None,
921
1086
  region: Optional[pulumi.Input[str]] = None,
922
1087
  role_arn: Optional[pulumi.Input[str]] = None,
1088
+ rotation_period: Optional[pulumi.Input[int]] = None,
1089
+ rotation_schedule: Optional[pulumi.Input[str]] = None,
1090
+ rotation_window: Optional[pulumi.Input[int]] = None,
923
1091
  secret_key: Optional[pulumi.Input[str]] = None,
924
1092
  sts_endpoint: Optional[pulumi.Input[str]] = None,
925
1093
  sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -938,6 +1106,7 @@ class SecretBackend(pulumi.CustomResource):
938
1106
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
939
1107
  issued by this backend.
940
1108
  :param pulumi.Input[str] description: A human-friendly description for this backend.
1109
+ :param pulumi.Input[bool] disable_automated_rotation: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
941
1110
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
942
1111
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
943
1112
  :param pulumi.Input[str] iam_endpoint: Specifies a custom HTTP IAM endpoint to use.
@@ -955,6 +1124,19 @@ class SecretBackend(pulumi.CustomResource):
955
1124
  not begin or end with a `/`. Defaults to `aws`.
956
1125
  :param pulumi.Input[str] region: The AWS region to make API calls against. Defaults to us-east-1.
957
1126
  :param pulumi.Input[str] role_arn: Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
1127
+ :param pulumi.Input[int] rotation_period: The amount of time in seconds Vault should wait before rotating the root credential.
1128
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1129
+ :param pulumi.Input[str] rotation_schedule: The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1130
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1131
+ :param pulumi.Input[int] rotation_window: The maximum amount of time in seconds allowed to complete
1132
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1133
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1134
+ :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
1135
+ :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
1136
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
1137
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
1138
+ :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
1139
+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
958
1140
 
959
1141
  ```
960
1142
  {{ if (eq .Type "STS") }}
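Review bot: The three rotation parameters documented at new lines 1127-1133 are each described in isolation, so a reader cannot tell which combinations Vault will accept. As far as I know from Vault's root-rotation API (worth confirming upstream), `rotation_period` and `rotation_schedule` are mutually exclusive and `rotation_window` only applies together with `rotation_schedule`. I would append `Mutually exclusive with rotation_schedule.` to the `rotation_period` entry, the converse to `rotation_schedule`, and `Only valid together with rotation_schedule.` to `rotation_window`. The text also alternates between "root credential" and "root token" for what is, on this backend, the `access_key`/`secret_key` pair; "root credential" should be used throughout. The same wording is repeated in the property getters in the hunk at new lines 1302-1336, and this docstring begins outside the hunk.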
@@ -964,12 +1146,6 @@ class SecretBackend(pulumi.CustomResource):
964
1146
  {{ end }}
965
1147
 
966
1148
  ```
967
- :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials.
968
- :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use.
969
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+
970
- :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+
971
- :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+
972
- :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
973
1149
  """
974
1150
  opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
975
1151
 
@@ -978,6 +1154,7 @@ class SecretBackend(pulumi.CustomResource):
978
1154
  __props__.__dict__["access_key"] = access_key
979
1155
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
980
1156
  __props__.__dict__["description"] = description
1157
+ __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
981
1158
  __props__.__dict__["disable_remount"] = disable_remount
982
1159
  __props__.__dict__["iam_endpoint"] = iam_endpoint
983
1160
  __props__.__dict__["identity_token_audience"] = identity_token_audience
@@ -989,6 +1166,9 @@ class SecretBackend(pulumi.CustomResource):
989
1166
  __props__.__dict__["path"] = path
990
1167
  __props__.__dict__["region"] = region
991
1168
  __props__.__dict__["role_arn"] = role_arn
1169
+ __props__.__dict__["rotation_period"] = rotation_period
1170
+ __props__.__dict__["rotation_schedule"] = rotation_schedule
1171
+ __props__.__dict__["rotation_window"] = rotation_window
992
1172
  __props__.__dict__["secret_key"] = secret_key
993
1173
  __props__.__dict__["sts_endpoint"] = sts_endpoint
994
1174
  __props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints
@@ -1023,6 +1203,14 @@ class SecretBackend(pulumi.CustomResource):
1023
1203
  """
1024
1204
  return pulumi.get(self, "description")
1025
1205
 
1206
+ @property
1207
+ @pulumi.getter(name="disableAutomatedRotation")
1208
+ def disable_automated_rotation(self) -> pulumi.Output[Optional[bool]]:
1209
+ """
1210
+ Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
1211
+ """
1212
+ return pulumi.get(self, "disable_automated_rotation")
1213
+
1026
1214
  @property
1027
1215
  @pulumi.getter(name="disableRemount")
1028
1216
  def disable_remount(self) -> pulumi.Output[Optional[bool]]:
@@ -1114,17 +1302,36 @@ class SecretBackend(pulumi.CustomResource):
1114
1302
  def role_arn(self) -> pulumi.Output[Optional[str]]:
1115
1303
  """
1116
1304
  Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
1305
+ """
1306
+ return pulumi.get(self, "role_arn")
1117
1307
 
1118
- ```
1119
- {{ if (eq .Type "STS") }}
1120
- {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
1121
- {{ else }}
1122
- {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
1123
- {{ end }}
1308
+ @property
1309
+ @pulumi.getter(name="rotationPeriod")
1310
+ def rotation_period(self) -> pulumi.Output[Optional[int]]:
1311
+ """
1312
+ The amount of time in seconds Vault should wait before rotating the root credential.
1313
+ A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
1314
+ """
1315
+ return pulumi.get(self, "rotation_period")
1124
1316
 
1125
- ```
1317
+ @property
1318
+ @pulumi.getter(name="rotationSchedule")
1319
+ def rotation_schedule(self) -> pulumi.Output[Optional[str]]:
1126
1320
  """
1127
- return pulumi.get(self, "role_arn")
1321
+ The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
1322
+ defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
1323
+ """
1324
+ return pulumi.get(self, "rotation_schedule")
1325
+
1326
+ @property
1327
+ @pulumi.getter(name="rotationWindow")
1328
+ def rotation_window(self) -> pulumi.Output[Optional[int]]:
1329
+ """
1330
+ The maximum amount of time in seconds allowed to complete
1331
+ a rotation when a scheduled token rotation occurs. The default rotation window is
1332
+ unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
1333
+ """
1334
+ return pulumi.get(self, "rotation_window")
1128
1335
 
1129
1336
  @property
1130
1337
  @pulumi.getter(name="secretKey")
@@ -1171,6 +1378,15 @@ class SecretBackend(pulumi.CustomResource):
1171
1378
  def username_template(self) -> pulumi.Output[str]:
1172
1379
  """
1173
1380
  Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:
1381
+
1382
+ ```
1383
+ {{ if (eq .Type "STS") }}
1384
+ {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
1385
+ {{ else }}
1386
+ {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
1387
+ {{ end }}
1388
+
1389
+ ```
1174
1390
  """
1175
1391
  return pulumi.get(self, "username_template")
1176
1392