pulumi-vault 6.6.0a1741836364__py3-none-any.whl → 6.7.0__py3-none-any.whl

pulumi_vault/azure/backend_role.py

@@ -2,6 +2,7 @@
 # *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
+import builtins
 import copy
 import warnings
 import sys
@@ -21,39 +22,41 @@ __all__ = ['BackendRoleArgs', 'BackendRole']
 @pulumi.input_type
 class BackendRoleArgs:
     def __init__(__self__, *,
-                 role: pulumi.Input[str],
-                 application_object_id: Optional[pulumi.Input[str]] = None,
+                 role: pulumi.Input[builtins.str],
+                 application_object_id: Optional[pulumi.Input[builtins.str]] = None,
                  azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]] = None,
                  azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 permanently_delete: Optional[pulumi.Input[bool]] = None,
-                 sign_in_audience: Optional[pulumi.Input[str]] = None,
-                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None):
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[builtins.bool]] = None,
+                 sign_in_audience: Optional[pulumi.Input[builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None):
         """
         The set of arguments for constructing a BackendRole resource.
-        :param pulumi.Input[str] role: Name of the Azure role
-        :param pulumi.Input[str] application_object_id: Application Object ID for an existing service principal that will
+        :param pulumi.Input[builtins.str] role: Name of the Azure role
+        :param pulumi.Input[builtins.str] application_object_id: Application Object ID for an existing service principal that will
                be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
         :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]] azure_groups: List of Azure groups to be assigned to the generated service principal.
         :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]] azure_roles: List of Azure roles to be assigned to the generated service principal.
-        :param pulumi.Input[str] backend: Path to the mounted Azure auth backend
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the backend.
-        :param pulumi.Input[str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+        :param pulumi.Input[builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
                suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+        :param pulumi.Input[builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
                deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
-        :param pulumi.Input[str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+        :param pulumi.Input[builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
                Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
-        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
                Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         pulumi.set(__self__, "role", role)
@@ -67,6 +70,8 @@ class BackendRoleArgs:
             pulumi.set(__self__, "backend", backend)
         if description is not None:
             pulumi.set(__self__, "description", description)
+        if explicit_max_ttl is not None:
+            pulumi.set(__self__, "explicit_max_ttl", explicit_max_ttl)
         if max_ttl is not None:
             pulumi.set(__self__, "max_ttl", max_ttl)
         if namespace is not None:
@@ -82,19 +87,19 @@ class BackendRoleArgs:
 
     @property
     @pulumi.getter
-    def role(self) -> pulumi.Input[str]:
+    def role(self) -> pulumi.Input[builtins.str]:
         """
         Name of the Azure role
         """
         return pulumi.get(self, "role")
 
     @role.setter
-    def role(self, value: pulumi.Input[str]):
+    def role(self, value: pulumi.Input[builtins.str]):
         pulumi.set(self, "role", value)
 
     @property
     @pulumi.getter(name="applicationObjectId")
-    def application_object_id(self) -> Optional[pulumi.Input[str]]:
+    def application_object_id(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Application Object ID for an existing service principal that will
         be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
@@ -102,7 +107,7 @@ class BackendRoleArgs:
         return pulumi.get(self, "application_object_id")
 
     @application_object_id.setter
-    def application_object_id(self, value: Optional[pulumi.Input[str]]):
+    def application_object_id(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "application_object_id", value)
 
     @property
@@ -131,31 +136,43 @@ class BackendRoleArgs:
 
     @property
     @pulumi.getter
-    def backend(self) -> Optional[pulumi.Input[str]]:
+    def backend(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Path to the mounted Azure auth backend
         """
         return pulumi.get(self, "backend")
 
     @backend.setter
-    def backend(self, value: Optional[pulumi.Input[str]]):
+    def backend(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "backend", value)
 
     @property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[str]]:
+    def description(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Human-friendly description of the mount for the backend.
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[str]]):
+    def description(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "description", value)
 
+    @property
+    @pulumi.getter(name="explicitMaxTtl")
+    def explicit_max_ttl(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        """
+        return pulumi.get(self, "explicit_max_ttl")
+
+    @explicit_max_ttl.setter
+    def explicit_max_ttl(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "explicit_max_ttl", value)
+
     @property
     @pulumi.getter(name="maxTtl")
-    def max_ttl(self) -> Optional[pulumi.Input[str]]:
+    def max_ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the maximum TTL for service principals generated using this role. Accepts time
         suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
@@ -163,12 +180,12 @@ class BackendRoleArgs:
         return pulumi.get(self, "max_ttl")
 
     @max_ttl.setter
-    def max_ttl(self, value: Optional[pulumi.Input[str]]):
+    def max_ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "max_ttl", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -178,12 +195,12 @@ class BackendRoleArgs:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
     @property
     @pulumi.getter(name="permanentlyDelete")
-    def permanently_delete(self) -> Optional[pulumi.Input[bool]]:
+    def permanently_delete(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Indicates whether the applications and service principals created by Vault will be permanently
         deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
@@ -191,12 +208,12 @@ class BackendRoleArgs:
         return pulumi.get(self, "permanently_delete")
 
     @permanently_delete.setter
-    def permanently_delete(self, value: Optional[pulumi.Input[bool]]):
+    def permanently_delete(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "permanently_delete", value)
 
     @property
     @pulumi.getter(name="signInAudience")
-    def sign_in_audience(self) -> Optional[pulumi.Input[str]]:
+    def sign_in_audience(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the security principal types that are allowed to sign in to the application.
         Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
@@ -204,24 +221,24 @@ class BackendRoleArgs:
         return pulumi.get(self, "sign_in_audience")
 
     @sign_in_audience.setter
-    def sign_in_audience(self, value: Optional[pulumi.Input[str]]):
+    def sign_in_audience(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "sign_in_audience", value)
 
     @property
     @pulumi.getter
-    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         A list of Azure tags to attach to an application. Requires Vault 1.16+.
         """
         return pulumi.get(self, "tags")
 
     @tags.setter
-    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "tags", value)
 
     @property
     @pulumi.getter
-    def ttl(self) -> Optional[pulumi.Input[str]]:
+    def ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the default TTL for service principals generated using this role.
         Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
@@ -229,46 +246,48 @@ class BackendRoleArgs:
         return pulumi.get(self, "ttl")
 
     @ttl.setter
-    def ttl(self, value: Optional[pulumi.Input[str]]):
+    def ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "ttl", value)
 
 
 @pulumi.input_type
 class _BackendRoleState:
     def __init__(__self__, *,
-                 application_object_id: Optional[pulumi.Input[str]] = None,
+                 application_object_id: Optional[pulumi.Input[builtins.str]] = None,
                  azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]] = None,
                  azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 permanently_delete: Optional[pulumi.Input[bool]] = None,
-                 role: Optional[pulumi.Input[str]] = None,
-                 sign_in_audience: Optional[pulumi.Input[str]] = None,
-                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None):
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[builtins.bool]] = None,
+                 role: Optional[pulumi.Input[builtins.str]] = None,
+                 sign_in_audience: Optional[pulumi.Input[builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None):
         """
         Input properties used for looking up and filtering BackendRole resources.
-        :param pulumi.Input[str] application_object_id: Application Object ID for an existing service principal that will
+        :param pulumi.Input[builtins.str] application_object_id: Application Object ID for an existing service principal that will
                be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
         :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]] azure_groups: List of Azure groups to be assigned to the generated service principal.
         :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]] azure_roles: List of Azure roles to be assigned to the generated service principal.
-        :param pulumi.Input[str] backend: Path to the mounted Azure auth backend
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the backend.
-        :param pulumi.Input[str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+        :param pulumi.Input[builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
                suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+        :param pulumi.Input[builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
                deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
-        :param pulumi.Input[str] role: Name of the Azure role
-        :param pulumi.Input[str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+        :param pulumi.Input[builtins.str] role: Name of the Azure role
+        :param pulumi.Input[builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
                Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
-        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
                Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         if application_object_id is not None:
@@ -281,6 +300,8 @@ class _BackendRoleState:
             pulumi.set(__self__, "backend", backend)
         if description is not None:
             pulumi.set(__self__, "description", description)
+        if explicit_max_ttl is not None:
+            pulumi.set(__self__, "explicit_max_ttl", explicit_max_ttl)
         if max_ttl is not None:
             pulumi.set(__self__, "max_ttl", max_ttl)
         if namespace is not None:
@@ -298,7 +319,7 @@ class _BackendRoleState:
 
     @property
     @pulumi.getter(name="applicationObjectId")
-    def application_object_id(self) -> Optional[pulumi.Input[str]]:
+    def application_object_id(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Application Object ID for an existing service principal that will
         be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
@@ -306,7 +327,7 @@ class _BackendRoleState:
         return pulumi.get(self, "application_object_id")
 
     @application_object_id.setter
-    def application_object_id(self, value: Optional[pulumi.Input[str]]):
+    def application_object_id(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "application_object_id", value)
 
     @property
@@ -335,31 +356,43 @@ class _BackendRoleState:
 
     @property
     @pulumi.getter
-    def backend(self) -> Optional[pulumi.Input[str]]:
+    def backend(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Path to the mounted Azure auth backend
         """
         return pulumi.get(self, "backend")
 
     @backend.setter
-    def backend(self, value: Optional[pulumi.Input[str]]):
+    def backend(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "backend", value)
 
     @property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[str]]:
+    def description(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Human-friendly description of the mount for the backend.
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[str]]):
+    def description(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "description", value)
 
+    @property
+    @pulumi.getter(name="explicitMaxTtl")
+    def explicit_max_ttl(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        """
+        return pulumi.get(self, "explicit_max_ttl")
+
+    @explicit_max_ttl.setter
+    def explicit_max_ttl(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "explicit_max_ttl", value)
+
     @property
     @pulumi.getter(name="maxTtl")
-    def max_ttl(self) -> Optional[pulumi.Input[str]]:
+    def max_ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the maximum TTL for service principals generated using this role. Accepts time
         suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
@@ -367,12 +400,12 @@ class _BackendRoleState:
         return pulumi.get(self, "max_ttl")
 
     @max_ttl.setter
-    def max_ttl(self, value: Optional[pulumi.Input[str]]):
+    def max_ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "max_ttl", value)
 
     @property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[str]]:
+    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -382,12 +415,12 @@ class _BackendRoleState:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[str]]):
+    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "namespace", value)
 
     @property
     @pulumi.getter(name="permanentlyDelete")
-    def permanently_delete(self) -> Optional[pulumi.Input[bool]]:
+    def permanently_delete(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Indicates whether the applications and service principals created by Vault will be permanently
         deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
@@ -395,24 +428,24 @@ class _BackendRoleState:
         return pulumi.get(self, "permanently_delete")
 
     @permanently_delete.setter
-    def permanently_delete(self, value: Optional[pulumi.Input[bool]]):
+    def permanently_delete(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "permanently_delete", value)
 
     @property
     @pulumi.getter
-    def role(self) -> Optional[pulumi.Input[str]]:
+    def role(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Name of the Azure role
         """
         return pulumi.get(self, "role")
 
     @role.setter
-    def role(self, value: Optional[pulumi.Input[str]]):
+    def role(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "role", value)
 
     @property
     @pulumi.getter(name="signInAudience")
-    def sign_in_audience(self) -> Optional[pulumi.Input[str]]:
+    def sign_in_audience(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the security principal types that are allowed to sign in to the application.
         Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
@@ -420,24 +453,24 @@ class _BackendRoleState:
         return pulumi.get(self, "sign_in_audience")
 
     @sign_in_audience.setter
-    def sign_in_audience(self, value: Optional[pulumi.Input[str]]):
+    def sign_in_audience(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "sign_in_audience", value)
 
     @property
     @pulumi.getter
-    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         A list of Azure tags to attach to an application. Requires Vault 1.16+.
         """
         return pulumi.get(self, "tags")
 
     @tags.setter
-    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "tags", value)
 
     @property
     @pulumi.getter
-    def ttl(self) -> Optional[pulumi.Input[str]]:
+    def ttl(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Specifies the default TTL for service principals generated using this role.
         Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
@@ -445,7 +478,7 @@ class _BackendRoleState:
         return pulumi.get(self, "ttl")
 
     @ttl.setter
-    def ttl(self, value: Optional[pulumi.Input[str]]):
+    def ttl(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "ttl", value)
 
 
@@ -454,18 +487,19 @@ class BackendRole(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 application_object_id: Optional[pulumi.Input[str]] = None,
+                 application_object_id: Optional[pulumi.Input[builtins.str]] = None,
                  azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]]] = None,
                  azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 permanently_delete: Optional[pulumi.Input[bool]] = None,
-                 role: Optional[pulumi.Input[str]] = None,
-                 sign_in_audience: Optional[pulumi.Input[str]] = None,
-                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[builtins.bool]] = None,
+                 role: Optional[pulumi.Input[builtins.str]] = None,
+                 sign_in_audience: Optional[pulumi.Input[builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         """
         ## Example Usage
@@ -503,25 +537,26 @@ class BackendRole(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] application_object_id: Application Object ID for an existing service principal that will
+        :param pulumi.Input[builtins.str] application_object_id: Application Object ID for an existing service principal that will
                be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
         :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]] azure_groups: List of Azure groups to be assigned to the generated service principal.
         :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]] azure_roles: List of Azure roles to be assigned to the generated service principal.
-        :param pulumi.Input[str] backend: Path to the mounted Azure auth backend
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the backend.
-        :param pulumi.Input[str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+        :param pulumi.Input[builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
                suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+        :param pulumi.Input[builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
                deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
-        :param pulumi.Input[str] role: Name of the Azure role
-        :param pulumi.Input[str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+        :param pulumi.Input[builtins.str] role: Name of the Azure role
+        :param pulumi.Input[builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
                Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
-        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
                Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         ...
@@ -579,18 +614,19 @@ class BackendRole(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 application_object_id: Optional[pulumi.Input[str]] = None,
+                 application_object_id: Optional[pulumi.Input[builtins.str]] = None,
                  azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]]] = None,
                  azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]]] = None,
-                 backend: Optional[pulumi.Input[str]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 max_ttl: Optional[pulumi.Input[str]] = None,
-                 namespace: Optional[pulumi.Input[str]] = None,
-                 permanently_delete: Optional[pulumi.Input[bool]] = None,
-                 role: Optional[pulumi.Input[str]] = None,
-                 sign_in_audience: Optional[pulumi.Input[str]] = None,
-                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 ttl: Optional[pulumi.Input[str]] = None,
+                 backend: Optional[pulumi.Input[builtins.str]] = None,
+                 description: Optional[pulumi.Input[builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[builtins.bool]] = None,
+                 role: Optional[pulumi.Input[builtins.str]] = None,
+                 sign_in_audience: Optional[pulumi.Input[builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -605,6 +641,7 @@ class BackendRole(pulumi.CustomResource):
             __props__.__dict__["azure_roles"] = azure_roles
             __props__.__dict__["backend"] = backend
             __props__.__dict__["description"] = description
+            __props__.__dict__["explicit_max_ttl"] = explicit_max_ttl
             __props__.__dict__["max_ttl"] = max_ttl
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["permanently_delete"] = permanently_delete
@@ -624,18 +661,19 @@ class BackendRole(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            application_object_id: Optional[pulumi.Input[str]] = None,
+            application_object_id: Optional[pulumi.Input[builtins.str]] = None,
             azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]]] = None,
             azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]]] = None,
-            backend: Optional[pulumi.Input[str]] = None,
-            description: Optional[pulumi.Input[str]] = None,
-            max_ttl: Optional[pulumi.Input[str]] = None,
-            namespace: Optional[pulumi.Input[str]] = None,
-            permanently_delete: Optional[pulumi.Input[bool]] = None,
-            role: Optional[pulumi.Input[str]] = None,
-            sign_in_audience: Optional[pulumi.Input[str]] = None,
-            tags: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            ttl: Optional[pulumi.Input[str]] = None) -> 'BackendRole':
+            backend: Optional[pulumi.Input[builtins.str]] = None,
+            description: Optional[pulumi.Input[builtins.str]] = None,
+            explicit_max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+            max_ttl: Optional[pulumi.Input[builtins.str]] = None,
+            namespace: Optional[pulumi.Input[builtins.str]] = None,
+            permanently_delete: Optional[pulumi.Input[builtins.bool]] = None,
+            role: Optional[pulumi.Input[builtins.str]] = None,
+            sign_in_audience: Optional[pulumi.Input[builtins.str]] = None,
+            tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+            ttl: Optional[pulumi.Input[builtins.str]] = None) -> 'BackendRole':
         """
         Get an existing BackendRole resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -643,25 +681,26 @@ class BackendRole(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] application_object_id: Application Object ID for an existing service principal that will
+        :param pulumi.Input[builtins.str] application_object_id: Application Object ID for an existing service principal that will
                be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
         :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]] azure_groups: List of Azure groups to be assigned to the generated service principal.
         :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]] azure_roles: List of Azure roles to be assigned to the generated service principal.
-        :param pulumi.Input[str] backend: Path to the mounted Azure auth backend
-        :param pulumi.Input[str] description: Human-friendly description of the mount for the backend.
-        :param pulumi.Input[str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+        :param pulumi.Input[builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
                suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-        :param pulumi.Input[str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+        :param pulumi.Input[builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
                deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
-        :param pulumi.Input[str] role: Name of the Azure role
-        :param pulumi.Input[str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+        :param pulumi.Input[builtins.str] role: Name of the Azure role
+        :param pulumi.Input[builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
                Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
-        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
                Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -673,6 +712,7 @@ class BackendRole(pulumi.CustomResource):
         __props__.__dict__["azure_roles"] = azure_roles
         __props__.__dict__["backend"] = backend
         __props__.__dict__["description"] = description
+        __props__.__dict__["explicit_max_ttl"] = explicit_max_ttl
         __props__.__dict__["max_ttl"] = max_ttl
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["permanently_delete"] = permanently_delete
@@ -684,7 +724,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="applicationObjectId")
-    def application_object_id(self) -> pulumi.Output[Optional[str]]:
+    def application_object_id(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Application Object ID for an existing service principal that will
         be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
@@ -709,7 +749,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def backend(self) -> pulumi.Output[Optional[str]]:
+    def backend(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Path to the mounted Azure auth backend
         """
@@ -717,15 +757,23 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def description(self) -> pulumi.Output[Optional[str]]:
+    def description(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Human-friendly description of the mount for the backend.
         """
         return pulumi.get(self, "description")
 
+    @property
+    @pulumi.getter(name="explicitMaxTtl")
+    def explicit_max_ttl(self) -> pulumi.Output[Optional[builtins.str]]:
+        """
+        Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        """
+        return pulumi.get(self, "explicit_max_ttl")
+
     @property
     @pulumi.getter(name="maxTtl")
-    def max_ttl(self) -> pulumi.Output[Optional[str]]:
+    def max_ttl(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Specifies the maximum TTL for service principals generated using this role. Accepts time
         suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
@@ -734,7 +782,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def namespace(self) -> pulumi.Output[Optional[str]]:
+    def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -745,7 +793,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="permanentlyDelete")
-    def permanently_delete(self) -> pulumi.Output[bool]:
+    def permanently_delete(self) -> pulumi.Output[builtins.bool]:
         """
         Indicates whether the applications and service principals created by Vault will be permanently
         deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
@@ -754,7 +802,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def role(self) -> pulumi.Output[str]:
+    def role(self) -> pulumi.Output[builtins.str]:
         """
         Name of the Azure role
         """
@@ -762,7 +810,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="signInAudience")
-    def sign_in_audience(self) -> pulumi.Output[Optional[str]]:
+    def sign_in_audience(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Specifies the security principal types that are allowed to sign in to the application.
         Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
@@ -771,7 +819,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def tags(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def tags(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         A list of Azure tags to attach to an application. Requires Vault 1.16+.
         """
@@ -779,7 +827,7 @@ class BackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter
-    def ttl(self) -> pulumi.Output[Optional[str]]:
+    def ttl(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Specifies the default TTL for service principals generated using this role.
         Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.