pulumi-vault 6.7.0a1743576047__py3-none-any.whl → 6.7.0a1744183682__py3-none-any.whl
- pulumi_vault/__init__.py +1 -0
- pulumi_vault/_inputs.py +554 -553
- pulumi_vault/ad/__init__.py +1 -0
- pulumi_vault/ad/get_access_credentials.py +20 -19
- pulumi_vault/ad/secret_backend.py +477 -476
- pulumi_vault/ad/secret_library.py +99 -98
- pulumi_vault/ad/secret_role.py +85 -84
- pulumi_vault/alicloud/__init__.py +1 -0
- pulumi_vault/alicloud/auth_backend_role.py +183 -182
- pulumi_vault/approle/__init__.py +1 -0
- pulumi_vault/approle/auth_backend_login.py +106 -105
- pulumi_vault/approle/auth_backend_role.py +239 -238
- pulumi_vault/approle/auth_backend_role_secret_id.py +162 -161
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -17
- pulumi_vault/audit.py +85 -84
- pulumi_vault/audit_request_header.py +43 -42
- pulumi_vault/auth_backend.py +106 -105
- pulumi_vault/aws/__init__.py +1 -0
- pulumi_vault/aws/auth_backend_cert.py +71 -70
- pulumi_vault/aws/auth_backend_client.py +253 -252
- pulumi_vault/aws/auth_backend_config_identity.py +85 -84
- pulumi_vault/aws/auth_backend_identity_whitelist.py +57 -56
- pulumi_vault/aws/auth_backend_login.py +209 -208
- pulumi_vault/aws/auth_backend_role.py +400 -399
- pulumi_vault/aws/auth_backend_role_tag.py +127 -126
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +57 -56
- pulumi_vault/aws/auth_backend_sts_role.py +71 -70
- pulumi_vault/aws/get_access_credentials.py +44 -43
- pulumi_vault/aws/get_static_access_credentials.py +13 -12
- pulumi_vault/aws/secret_backend.py +337 -336
- pulumi_vault/aws/secret_backend_role.py +211 -210
- pulumi_vault/aws/secret_backend_static_role.py +113 -112
- pulumi_vault/azure/__init__.py +1 -0
- pulumi_vault/azure/_inputs.py +21 -20
- pulumi_vault/azure/auth_backend_config.py +183 -182
- pulumi_vault/azure/auth_backend_role.py +253 -252
- pulumi_vault/azure/backend.py +239 -238
- pulumi_vault/azure/backend_role.py +141 -140
- pulumi_vault/azure/get_access_credentials.py +58 -57
- pulumi_vault/azure/outputs.py +11 -10
- pulumi_vault/cert_auth_backend_role.py +365 -364
- pulumi_vault/config/__init__.py +1 -0
- pulumi_vault/config/__init__.pyi +1 -0
- pulumi_vault/config/_inputs.py +11 -10
- pulumi_vault/config/outputs.py +287 -286
- pulumi_vault/config/ui_custom_message.py +113 -112
- pulumi_vault/config/vars.py +1 -0
- pulumi_vault/consul/__init__.py +1 -0
- pulumi_vault/consul/secret_backend.py +197 -196
- pulumi_vault/consul/secret_backend_role.py +183 -182
- pulumi_vault/database/__init__.py +1 -0
- pulumi_vault/database/_inputs.py +2525 -2524
- pulumi_vault/database/outputs.py +1529 -1528
- pulumi_vault/database/secret_backend_connection.py +169 -168
- pulumi_vault/database/secret_backend_role.py +169 -168
- pulumi_vault/database/secret_backend_static_role.py +179 -178
- pulumi_vault/database/secrets_mount.py +267 -266
- pulumi_vault/egp_policy.py +71 -70
- pulumi_vault/gcp/__init__.py +1 -0
- pulumi_vault/gcp/_inputs.py +82 -81
- pulumi_vault/gcp/auth_backend.py +260 -259
- pulumi_vault/gcp/auth_backend_role.py +281 -280
- pulumi_vault/gcp/get_auth_backend_role.py +70 -69
- pulumi_vault/gcp/outputs.py +50 -49
- pulumi_vault/gcp/secret_backend.py +232 -231
- pulumi_vault/gcp/secret_impersonated_account.py +92 -91
- pulumi_vault/gcp/secret_roleset.py +92 -91
- pulumi_vault/gcp/secret_static_account.py +92 -91
- pulumi_vault/generic/__init__.py +1 -0
- pulumi_vault/generic/endpoint.py +113 -112
- pulumi_vault/generic/get_secret.py +28 -27
- pulumi_vault/generic/secret.py +78 -77
- pulumi_vault/get_auth_backend.py +19 -18
- pulumi_vault/get_auth_backends.py +14 -13
- pulumi_vault/get_namespace.py +15 -14
- pulumi_vault/get_namespaces.py +8 -7
- pulumi_vault/get_nomad_access_token.py +19 -18
- pulumi_vault/get_policy_document.py +6 -5
- pulumi_vault/get_raft_autopilot_state.py +18 -17
- pulumi_vault/github/__init__.py +1 -0
- pulumi_vault/github/_inputs.py +42 -41
- pulumi_vault/github/auth_backend.py +232 -231
- pulumi_vault/github/outputs.py +26 -25
- pulumi_vault/github/team.py +57 -56
- pulumi_vault/github/user.py +57 -56
- pulumi_vault/identity/__init__.py +1 -0
- pulumi_vault/identity/entity.py +85 -84
- pulumi_vault/identity/entity_alias.py +71 -70
- pulumi_vault/identity/entity_policies.py +64 -63
- pulumi_vault/identity/get_entity.py +43 -42
- pulumi_vault/identity/get_group.py +50 -49
- pulumi_vault/identity/get_oidc_client_creds.py +14 -13
- pulumi_vault/identity/get_oidc_openid_config.py +24 -23
- pulumi_vault/identity/get_oidc_public_keys.py +13 -12
- pulumi_vault/identity/group.py +141 -140
- pulumi_vault/identity/group_alias.py +57 -56
- pulumi_vault/identity/group_member_entity_ids.py +57 -56
- pulumi_vault/identity/group_member_group_ids.py +57 -56
- pulumi_vault/identity/group_policies.py +64 -63
- pulumi_vault/identity/mfa_duo.py +148 -147
- pulumi_vault/identity/mfa_login_enforcement.py +120 -119
- pulumi_vault/identity/mfa_okta.py +134 -133
- pulumi_vault/identity/mfa_pingid.py +127 -126
- pulumi_vault/identity/mfa_totp.py +176 -175
- pulumi_vault/identity/oidc.py +29 -28
- pulumi_vault/identity/oidc_assignment.py +57 -56
- pulumi_vault/identity/oidc_client.py +127 -126
- pulumi_vault/identity/oidc_key.py +85 -84
- pulumi_vault/identity/oidc_key_allowed_client_id.py +43 -42
- pulumi_vault/identity/oidc_provider.py +92 -91
- pulumi_vault/identity/oidc_role.py +85 -84
- pulumi_vault/identity/oidc_scope.py +57 -56
- pulumi_vault/identity/outputs.py +32 -31
- pulumi_vault/jwt/__init__.py +1 -0
- pulumi_vault/jwt/_inputs.py +42 -41
- pulumi_vault/jwt/auth_backend.py +288 -287
- pulumi_vault/jwt/auth_backend_role.py +407 -406
- pulumi_vault/jwt/outputs.py +26 -25
- pulumi_vault/kmip/__init__.py +1 -0
- pulumi_vault/kmip/secret_backend.py +183 -182
- pulumi_vault/kmip/secret_role.py +295 -294
- pulumi_vault/kmip/secret_scope.py +57 -56
- pulumi_vault/kubernetes/__init__.py +1 -0
- pulumi_vault/kubernetes/auth_backend_config.py +141 -140
- pulumi_vault/kubernetes/auth_backend_role.py +225 -224
- pulumi_vault/kubernetes/get_auth_backend_config.py +47 -46
- pulumi_vault/kubernetes/get_auth_backend_role.py +70 -69
- pulumi_vault/kubernetes/get_service_account_token.py +38 -37
- pulumi_vault/kubernetes/secret_backend.py +316 -315
- pulumi_vault/kubernetes/secret_backend_role.py +197 -196
- pulumi_vault/kv/__init__.py +1 -0
- pulumi_vault/kv/_inputs.py +21 -20
- pulumi_vault/kv/get_secret.py +17 -16
- pulumi_vault/kv/get_secret_subkeys_v2.py +30 -29
- pulumi_vault/kv/get_secret_v2.py +29 -28
- pulumi_vault/kv/get_secrets_list.py +13 -12
- pulumi_vault/kv/get_secrets_list_v2.py +19 -18
- pulumi_vault/kv/outputs.py +13 -12
- pulumi_vault/kv/secret.py +50 -49
- pulumi_vault/kv/secret_backend_v2.py +71 -70
- pulumi_vault/kv/secret_v2.py +134 -133
- pulumi_vault/ldap/__init__.py +1 -0
- pulumi_vault/ldap/auth_backend.py +588 -587
- pulumi_vault/ldap/auth_backend_group.py +57 -56
- pulumi_vault/ldap/auth_backend_user.py +71 -70
- pulumi_vault/ldap/get_dynamic_credentials.py +17 -16
- pulumi_vault/ldap/get_static_credentials.py +18 -17
- pulumi_vault/ldap/secret_backend.py +554 -553
- pulumi_vault/ldap/secret_backend_dynamic_role.py +127 -126
- pulumi_vault/ldap/secret_backend_library_set.py +99 -98
- pulumi_vault/ldap/secret_backend_static_role.py +99 -98
- pulumi_vault/managed/__init__.py +1 -0
- pulumi_vault/managed/_inputs.py +229 -228
- pulumi_vault/managed/keys.py +15 -14
- pulumi_vault/managed/outputs.py +139 -138
- pulumi_vault/mfa_duo.py +113 -112
- pulumi_vault/mfa_okta.py +113 -112
- pulumi_vault/mfa_pingid.py +120 -119
- pulumi_vault/mfa_totp.py +127 -126
- pulumi_vault/mongodbatlas/__init__.py +1 -0
- pulumi_vault/mongodbatlas/secret_backend.py +64 -63
- pulumi_vault/mongodbatlas/secret_role.py +155 -154
- pulumi_vault/mount.py +274 -273
- pulumi_vault/namespace.py +64 -63
- pulumi_vault/nomad_secret_backend.py +211 -210
- pulumi_vault/nomad_secret_role.py +85 -84
- pulumi_vault/okta/__init__.py +1 -0
- pulumi_vault/okta/_inputs.py +26 -25
- pulumi_vault/okta/auth_backend.py +274 -273
- pulumi_vault/okta/auth_backend_group.py +57 -56
- pulumi_vault/okta/auth_backend_user.py +71 -70
- pulumi_vault/okta/outputs.py +16 -15
- pulumi_vault/outputs.py +56 -55
- pulumi_vault/password_policy.py +43 -42
- pulumi_vault/pkisecret/__init__.py +1 -0
- pulumi_vault/pkisecret/_inputs.py +31 -30
- pulumi_vault/pkisecret/backend_acme_eab.py +92 -91
- pulumi_vault/pkisecret/backend_config_acme.py +141 -140
- pulumi_vault/pkisecret/backend_config_auto_tidy.py +323 -322
- pulumi_vault/pkisecret/backend_config_cluster.py +57 -56
- pulumi_vault/pkisecret/backend_config_cmpv2.py +106 -105
- pulumi_vault/pkisecret/backend_config_est.py +120 -119
- pulumi_vault/pkisecret/get_backend_cert_metadata.py +22 -21
- pulumi_vault/pkisecret/get_backend_config_cmpv2.py +22 -21
- pulumi_vault/pkisecret/get_backend_config_est.py +19 -18
- pulumi_vault/pkisecret/get_backend_issuer.py +45 -44
- pulumi_vault/pkisecret/get_backend_issuers.py +15 -14
- pulumi_vault/pkisecret/get_backend_key.py +20 -19
- pulumi_vault/pkisecret/get_backend_keys.py +15 -14
- pulumi_vault/pkisecret/outputs.py +28 -27
- pulumi_vault/pkisecret/secret_backend_cert.py +337 -336
- pulumi_vault/pkisecret/secret_backend_config_ca.py +43 -42
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +57 -56
- pulumi_vault/pkisecret/secret_backend_config_urls.py +85 -84
- pulumi_vault/pkisecret/secret_backend_crl_config.py +197 -196
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +421 -420
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +57 -56
- pulumi_vault/pkisecret/secret_backend_issuer.py +232 -231
- pulumi_vault/pkisecret/secret_backend_key.py +120 -119
- pulumi_vault/pkisecret/secret_backend_role.py +715 -714
- pulumi_vault/pkisecret/secret_backend_root_cert.py +554 -553
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +526 -525
- pulumi_vault/pkisecret/secret_backend_sign.py +281 -280
- pulumi_vault/plugin.py +127 -126
- pulumi_vault/plugin_pinned_version.py +43 -42
- pulumi_vault/policy.py +43 -42
- pulumi_vault/provider.py +120 -119
- pulumi_vault/pulumi-plugin.json +1 -1
- pulumi_vault/quota_lease_count.py +85 -84
- pulumi_vault/quota_rate_limit.py +113 -112
- pulumi_vault/rabbitmq/__init__.py +1 -0
- pulumi_vault/rabbitmq/_inputs.py +41 -40
- pulumi_vault/rabbitmq/outputs.py +25 -24
- pulumi_vault/rabbitmq/secret_backend.py +169 -168
- pulumi_vault/rabbitmq/secret_backend_role.py +57 -56
- pulumi_vault/raft_autopilot.py +113 -112
- pulumi_vault/raft_snapshot_agent_config.py +393 -392
- pulumi_vault/rgp_policy.py +57 -56
- pulumi_vault/saml/__init__.py +1 -0
- pulumi_vault/saml/auth_backend.py +155 -154
- pulumi_vault/saml/auth_backend_role.py +239 -238
- pulumi_vault/secrets/__init__.py +1 -0
- pulumi_vault/secrets/_inputs.py +16 -15
- pulumi_vault/secrets/outputs.py +10 -9
- pulumi_vault/secrets/sync_association.py +71 -70
- pulumi_vault/secrets/sync_aws_destination.py +148 -147
- pulumi_vault/secrets/sync_azure_destination.py +148 -147
- pulumi_vault/secrets/sync_config.py +43 -42
- pulumi_vault/secrets/sync_gcp_destination.py +106 -105
- pulumi_vault/secrets/sync_gh_destination.py +134 -133
- pulumi_vault/secrets/sync_github_apps.py +64 -63
- pulumi_vault/secrets/sync_vercel_destination.py +120 -119
- pulumi_vault/ssh/__init__.py +1 -0
- pulumi_vault/ssh/_inputs.py +11 -10
- pulumi_vault/ssh/get_secret_backend_sign.py +52 -51
- pulumi_vault/ssh/outputs.py +7 -6
- pulumi_vault/ssh/secret_backend_ca.py +99 -98
- pulumi_vault/ssh/secret_backend_role.py +365 -364
- pulumi_vault/terraformcloud/__init__.py +1 -0
- pulumi_vault/terraformcloud/secret_backend.py +111 -110
- pulumi_vault/terraformcloud/secret_creds.py +74 -73
- pulumi_vault/terraformcloud/secret_role.py +93 -92
- pulumi_vault/token.py +246 -245
- pulumi_vault/tokenauth/__init__.py +1 -0
- pulumi_vault/tokenauth/auth_backend_role.py +267 -266
- pulumi_vault/transform/__init__.py +1 -0
- pulumi_vault/transform/alphabet.py +57 -56
- pulumi_vault/transform/get_decode.py +47 -46
- pulumi_vault/transform/get_encode.py +47 -46
- pulumi_vault/transform/role.py +57 -56
- pulumi_vault/transform/template.py +113 -112
- pulumi_vault/transform/transformation.py +141 -140
- pulumi_vault/transit/__init__.py +1 -0
- pulumi_vault/transit/get_decrypt.py +18 -17
- pulumi_vault/transit/get_encrypt.py +21 -20
- pulumi_vault/transit/get_sign.py +54 -53
- pulumi_vault/transit/get_verify.py +60 -59
- pulumi_vault/transit/secret_backend_key.py +274 -273
- pulumi_vault/transit/secret_cache_config.py +43 -42
- {pulumi_vault-6.7.0a1743576047.dist-info → pulumi_vault-6.7.0a1744183682.dist-info}/METADATA +1 -1
- pulumi_vault-6.7.0a1744183682.dist-info/RECORD +265 -0
- pulumi_vault-6.7.0a1743576047.dist-info/RECORD +0 -265
- {pulumi_vault-6.7.0a1743576047.dist-info → pulumi_vault-6.7.0a1744183682.dist-info}/WHEEL +0 -0
- {pulumi_vault-6.7.0a1743576047.dist-info → pulumi_vault-6.7.0a1744183682.dist-info}/top_level.txt +0 -0
pulumi_vault/jwt/auth_backend.py
CHANGED
@@ -2,6 +2,7 @@
|
|
2
2
|
# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
|
3
3
|
# *** Do not edit by hand unless you're certain you know what you are doing! ***
|
4
4
|
|
5
|
+
import builtins
|
5
6
|
import copy
|
6
7
|
import warnings
|
7
8
|
import sys
|
@@ -21,57 +22,57 @@ __all__ = ['AuthBackendArgs', 'AuthBackend']
|
|
21
22
|
@pulumi.input_type
|
22
23
|
class AuthBackendArgs:
|
23
24
|
def __init__(__self__, *,
|
24
|
-
bound_issuer: Optional[pulumi.Input[str]] = None,
|
25
|
-
default_role: Optional[pulumi.Input[str]] = None,
|
26
|
-
description: Optional[pulumi.Input[str]] = None,
|
27
|
-
disable_remount: Optional[pulumi.Input[bool]] = None,
|
28
|
-
jwks_ca_pem: Optional[pulumi.Input[str]] = None,
|
29
|
-
jwks_url: Optional[pulumi.Input[str]] = None,
|
30
|
-
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
31
|
-
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
32
|
-
local: Optional[pulumi.Input[bool]] = None,
|
33
|
-
namespace: Optional[pulumi.Input[str]] = None,
|
34
|
-
namespace_in_state: Optional[pulumi.Input[bool]] = None,
|
35
|
-
oidc_client_id: Optional[pulumi.Input[str]] = None,
|
36
|
-
oidc_client_secret: Optional[pulumi.Input[str]] = None,
|
37
|
-
oidc_discovery_ca_pem: Optional[pulumi.Input[str]] = None,
|
38
|
-
oidc_discovery_url: Optional[pulumi.Input[str]] = None,
|
39
|
-
oidc_response_mode: Optional[pulumi.Input[str]] = None,
|
40
|
-
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
41
|
-
path: Optional[pulumi.Input[str]] = None,
|
42
|
-
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
25
|
+
bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
|
26
|
+
default_role: Optional[pulumi.Input[builtins.str]] = None,
|
27
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
28
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
29
|
+
jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
30
|
+
jwks_url: Optional[pulumi.Input[builtins.str]] = None,
|
31
|
+
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
32
|
+
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
33
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
34
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
35
|
+
namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
|
36
|
+
oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
|
37
|
+
oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
|
38
|
+
oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
39
|
+
oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
|
40
|
+
oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
|
41
|
+
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
42
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
43
|
+
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
|
43
44
|
tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None,
|
44
|
-
type: Optional[pulumi.Input[str]] = None):
|
45
|
+
type: Optional[pulumi.Input[builtins.str]] = None):
|
45
46
|
"""
|
46
47
|
The set of arguments for constructing a AuthBackend resource.
|
47
|
-
:param pulumi.Input[str] bound_issuer: The value against which to match the iss claim in a JWT
|
48
|
-
:param pulumi.Input[str] default_role: The default role to use if none is provided during login
|
49
|
-
:param pulumi.Input[str] description: The description of the auth backend
|
50
|
-
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
48
|
+
:param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
|
49
|
+
:param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
|
50
|
+
:param pulumi.Input[builtins.str] description: The description of the auth backend
|
51
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
51
52
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
52
|
-
:param pulumi.Input[str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
53
|
-
:param pulumi.Input[str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
54
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
55
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
56
|
-
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
57
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
53
|
+
:param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
54
|
+
:param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
55
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
56
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
57
|
+
:param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
|
58
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
58
59
|
The value should not contain leading or trailing forward slashes.
|
59
60
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
60
61
|
*Available only for Vault Enterprise*.
|
61
|
-
:param pulumi.Input[bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
62
|
+
:param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
62
63
|
|
63
64
|
* tune - (Optional) Extra configuration block. Structure is documented below.
|
64
65
|
|
65
66
|
The `tune` block is used to tune the auth backend:
|
66
|
-
:param pulumi.Input[str] oidc_client_id: Client ID used for OIDC backends
|
67
|
-
:param pulumi.Input[str] oidc_client_secret: Client Secret used for OIDC backends
|
68
|
-
:param pulumi.Input[str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
69
|
-
:param pulumi.Input[str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
70
|
-
:param pulumi.Input[str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
71
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
72
|
-
:param pulumi.Input[str] path: Path to mount the JWT/OIDC auth backend
|
73
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
74
|
-
:param pulumi.Input[str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
67
|
+
:param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
|
68
|
+
:param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
|
69
|
+
:param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
70
|
+
:param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
71
|
+
:param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
72
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
73
|
+
:param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
|
74
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
75
|
+
:param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
75
76
|
"""
|
76
77
|
if bound_issuer is not None:
|
77
78
|
pulumi.set(__self__, "bound_issuer", bound_issuer)
|
@@ -118,43 +119,43 @@ class AuthBackendArgs:
|
|
118
119
|
|
119
120
|
@property
|
120
121
|
@pulumi.getter(name="boundIssuer")
|
121
|
-
def bound_issuer(self) -> Optional[pulumi.Input[str]]:
|
122
|
+
def bound_issuer(self) -> Optional[pulumi.Input[builtins.str]]:
|
122
123
|
"""
|
123
124
|
The value against which to match the iss claim in a JWT
|
124
125
|
"""
|
125
126
|
return pulumi.get(self, "bound_issuer")
|
126
127
|
|
127
128
|
@bound_issuer.setter
|
128
|
-
def bound_issuer(self, value: Optional[pulumi.Input[str]]):
|
129
|
+
def bound_issuer(self, value: Optional[pulumi.Input[builtins.str]]):
|
129
130
|
pulumi.set(self, "bound_issuer", value)
|
130
131
|
|
131
132
|
@property
|
132
133
|
@pulumi.getter(name="defaultRole")
|
133
|
-
def default_role(self) -> Optional[pulumi.Input[str]]:
|
134
|
+
def default_role(self) -> Optional[pulumi.Input[builtins.str]]:
|
134
135
|
"""
|
135
136
|
The default role to use if none is provided during login
|
136
137
|
"""
|
137
138
|
return pulumi.get(self, "default_role")
|
138
139
|
|
139
140
|
@default_role.setter
|
140
|
-
def default_role(self, value: Optional[pulumi.Input[str]]):
|
141
|
+
def default_role(self, value: Optional[pulumi.Input[builtins.str]]):
|
141
142
|
pulumi.set(self, "default_role", value)
|
142
143
|
|
143
144
|
@property
|
144
145
|
@pulumi.getter
|
145
|
-
def description(self) -> Optional[pulumi.Input[str]]:
|
146
|
+
def description(self) -> Optional[pulumi.Input[builtins.str]]:
|
146
147
|
"""
|
147
148
|
The description of the auth backend
|
148
149
|
"""
|
149
150
|
return pulumi.get(self, "description")
|
150
151
|
|
151
152
|
@description.setter
|
152
|
-
def description(self, value: Optional[pulumi.Input[str]]):
|
153
|
+
def description(self, value: Optional[pulumi.Input[builtins.str]]):
|
153
154
|
pulumi.set(self, "description", value)
|
154
155
|
|
155
156
|
@property
|
156
157
|
@pulumi.getter(name="disableRemount")
|
157
|
-
def disable_remount(self) -> Optional[pulumi.Input[bool]]:
|
158
|
+
def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
|
158
159
|
"""
|
159
160
|
If set, opts out of mount migration on path updates.
|
160
161
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -162,72 +163,72 @@ class AuthBackendArgs:
|
|
162
163
|
return pulumi.get(self, "disable_remount")
|
163
164
|
|
164
165
|
@disable_remount.setter
|
165
|
-
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
166
|
+
def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
|
166
167
|
pulumi.set(self, "disable_remount", value)
|
167
168
|
|
168
169
|
@property
|
169
170
|
@pulumi.getter(name="jwksCaPem")
|
170
|
-
def jwks_ca_pem(self) -> Optional[pulumi.Input[str]]:
|
171
|
+
def jwks_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
|
171
172
|
"""
|
172
173
|
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
173
174
|
"""
|
174
175
|
return pulumi.get(self, "jwks_ca_pem")
|
175
176
|
|
176
177
|
@jwks_ca_pem.setter
|
177
|
-
def jwks_ca_pem(self, value: Optional[pulumi.Input[str]]):
|
178
|
+
def jwks_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
|
178
179
|
pulumi.set(self, "jwks_ca_pem", value)
|
179
180
|
|
180
181
|
@property
|
181
182
|
@pulumi.getter(name="jwksUrl")
|
182
|
-
def jwks_url(self) -> Optional[pulumi.Input[str]]:
|
183
|
+
def jwks_url(self) -> Optional[pulumi.Input[builtins.str]]:
|
183
184
|
"""
|
184
185
|
JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
185
186
|
"""
|
186
187
|
return pulumi.get(self, "jwks_url")
|
187
188
|
|
188
189
|
@jwks_url.setter
|
189
|
-
def jwks_url(self, value: Optional[pulumi.Input[str]]):
|
190
|
+
def jwks_url(self, value: Optional[pulumi.Input[builtins.str]]):
|
190
191
|
pulumi.set(self, "jwks_url", value)
|
191
192
|
|
192
193
|
@property
|
193
194
|
@pulumi.getter(name="jwtSupportedAlgs")
|
194
|
-
def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
195
|
+
def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
195
196
|
"""
|
196
197
|
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
197
198
|
"""
|
198
199
|
return pulumi.get(self, "jwt_supported_algs")
|
199
200
|
|
200
201
|
@jwt_supported_algs.setter
|
201
|
-
def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
202
|
+
def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
202
203
|
pulumi.set(self, "jwt_supported_algs", value)
|
203
204
|
|
204
205
|
@property
|
205
206
|
@pulumi.getter(name="jwtValidationPubkeys")
|
206
|
-
def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
207
|
+
def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
207
208
|
"""
|
208
209
|
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
209
210
|
"""
|
210
211
|
return pulumi.get(self, "jwt_validation_pubkeys")
|
211
212
|
|
212
213
|
@jwt_validation_pubkeys.setter
|
213
|
-
def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
214
|
+
def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
214
215
|
pulumi.set(self, "jwt_validation_pubkeys", value)
|
215
216
|
|
216
217
|
@property
|
217
218
|
@pulumi.getter
|
218
|
-
def local(self) -> Optional[pulumi.Input[bool]]:
|
219
|
+
def local(self) -> Optional[pulumi.Input[builtins.bool]]:
|
219
220
|
"""
|
220
221
|
Specifies if the auth method is local only.
|
221
222
|
"""
|
222
223
|
return pulumi.get(self, "local")
|
223
224
|
|
224
225
|
@local.setter
|
225
|
-
def local(self, value: Optional[pulumi.Input[bool]]):
|
226
|
+
def local(self, value: Optional[pulumi.Input[builtins.bool]]):
|
226
227
|
pulumi.set(self, "local", value)
|
227
228
|
|
228
229
|
@property
|
229
230
|
@pulumi.getter
|
230
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
231
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
231
232
|
"""
|
232
233
|
The namespace to provision the resource in.
|
233
234
|
The value should not contain leading or trailing forward slashes.
|
@@ -237,12 +238,12 @@ class AuthBackendArgs:
|
|
237
238
|
return pulumi.get(self, "namespace")
|
238
239
|
|
239
240
|
@namespace.setter
|
240
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
241
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
241
242
|
pulumi.set(self, "namespace", value)
|
242
243
|
|
243
244
|
@property
|
244
245
|
@pulumi.getter(name="namespaceInState")
|
245
|
-
def namespace_in_state(self) -> Optional[pulumi.Input[bool]]:
|
246
|
+
def namespace_in_state(self) -> Optional[pulumi.Input[builtins.bool]]:
|
246
247
|
"""
|
247
248
|
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
248
249
|
|
@@ -253,103 +254,103 @@ class AuthBackendArgs:
|
|
253
254
|
return pulumi.get(self, "namespace_in_state")
|
254
255
|
|
255
256
|
@namespace_in_state.setter
|
256
|
-
def namespace_in_state(self, value: Optional[pulumi.Input[bool]]):
|
257
|
+
def namespace_in_state(self, value: Optional[pulumi.Input[builtins.bool]]):
|
257
258
|
pulumi.set(self, "namespace_in_state", value)
|
258
259
|
|
259
260
|
@property
|
260
261
|
@pulumi.getter(name="oidcClientId")
|
261
|
-
def oidc_client_id(self) -> Optional[pulumi.Input[str]]:
|
262
|
+
def oidc_client_id(self) -> Optional[pulumi.Input[builtins.str]]:
|
262
263
|
"""
|
263
264
|
Client ID used for OIDC backends
|
264
265
|
"""
|
265
266
|
return pulumi.get(self, "oidc_client_id")
|
266
267
|
|
267
268
|
@oidc_client_id.setter
|
268
|
-
def oidc_client_id(self, value: Optional[pulumi.Input[str]]):
|
269
|
+
def oidc_client_id(self, value: Optional[pulumi.Input[builtins.str]]):
|
269
270
|
pulumi.set(self, "oidc_client_id", value)
|
270
271
|
|
271
272
|
@property
|
272
273
|
@pulumi.getter(name="oidcClientSecret")
|
273
|
-
def oidc_client_secret(self) -> Optional[pulumi.Input[str]]:
|
274
|
+
def oidc_client_secret(self) -> Optional[pulumi.Input[builtins.str]]:
|
274
275
|
"""
|
275
276
|
Client Secret used for OIDC backends
|
276
277
|
"""
|
277
278
|
return pulumi.get(self, "oidc_client_secret")
|
278
279
|
|
279
280
|
@oidc_client_secret.setter
|
280
|
-
def oidc_client_secret(self, value: Optional[pulumi.Input[str]]):
|
281
|
+
def oidc_client_secret(self, value: Optional[pulumi.Input[builtins.str]]):
|
281
282
|
pulumi.set(self, "oidc_client_secret", value)
|
282
283
|
|
283
284
|
@property
|
284
285
|
@pulumi.getter(name="oidcDiscoveryCaPem")
|
285
|
-
def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[str]]:
|
286
|
+
def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
|
286
287
|
"""
|
287
288
|
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
288
289
|
"""
|
289
290
|
return pulumi.get(self, "oidc_discovery_ca_pem")
|
290
291
|
|
291
292
|
@oidc_discovery_ca_pem.setter
|
292
|
-
def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[str]]):
|
293
|
+
def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
|
293
294
|
pulumi.set(self, "oidc_discovery_ca_pem", value)
|
294
295
|
|
295
296
|
@property
|
296
297
|
@pulumi.getter(name="oidcDiscoveryUrl")
|
297
|
-
def oidc_discovery_url(self) -> Optional[pulumi.Input[str]]:
|
298
|
+
def oidc_discovery_url(self) -> Optional[pulumi.Input[builtins.str]]:
|
298
299
|
"""
|
299
300
|
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
300
301
|
"""
|
301
302
|
return pulumi.get(self, "oidc_discovery_url")
|
302
303
|
|
303
304
|
@oidc_discovery_url.setter
|
304
|
-
def oidc_discovery_url(self, value: Optional[pulumi.Input[str]]):
|
305
|
+
def oidc_discovery_url(self, value: Optional[pulumi.Input[builtins.str]]):
|
305
306
|
pulumi.set(self, "oidc_discovery_url", value)
|
306
307
|
|
307
308
|
@property
|
308
309
|
@pulumi.getter(name="oidcResponseMode")
|
309
|
-
def oidc_response_mode(self) -> Optional[pulumi.Input[str]]:
|
310
|
+
def oidc_response_mode(self) -> Optional[pulumi.Input[builtins.str]]:
|
310
311
|
"""
|
311
312
|
The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
312
313
|
"""
|
313
314
|
return pulumi.get(self, "oidc_response_mode")
|
314
315
|
|
315
316
|
@oidc_response_mode.setter
|
316
|
-
def oidc_response_mode(self, value: Optional[pulumi.Input[str]]):
|
317
|
+
def oidc_response_mode(self, value: Optional[pulumi.Input[builtins.str]]):
|
317
318
|
pulumi.set(self, "oidc_response_mode", value)
|
318
319
|
|
319
320
|
@property
|
320
321
|
@pulumi.getter(name="oidcResponseTypes")
|
321
|
-
def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
322
|
+
def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
322
323
|
"""
|
323
324
|
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
324
325
|
"""
|
325
326
|
return pulumi.get(self, "oidc_response_types")
|
326
327
|
|
327
328
|
@oidc_response_types.setter
|
328
|
-
def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
329
|
+
def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
329
330
|
pulumi.set(self, "oidc_response_types", value)
|
330
331
|
|
331
332
|
@property
|
332
333
|
@pulumi.getter
|
333
|
-
def path(self) -> Optional[pulumi.Input[str]]:
|
334
|
+
def path(self) -> Optional[pulumi.Input[builtins.str]]:
|
334
335
|
"""
|
335
336
|
Path to mount the JWT/OIDC auth backend
|
336
337
|
"""
|
337
338
|
return pulumi.get(self, "path")
|
338
339
|
|
339
340
|
@path.setter
|
340
|
-
def path(self, value: Optional[pulumi.Input[str]]):
|
341
|
+
def path(self, value: Optional[pulumi.Input[builtins.str]]):
|
341
342
|
pulumi.set(self, "path", value)
|
342
343
|
|
343
344
|
@property
|
344
345
|
@pulumi.getter(name="providerConfig")
|
345
|
-
def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
346
|
+
def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
|
346
347
|
"""
|
347
348
|
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
348
349
|
"""
|
349
350
|
return pulumi.get(self, "provider_config")
|
350
351
|
|
351
352
|
@provider_config.setter
|
352
|
-
def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
353
|
+
def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
|
353
354
|
pulumi.set(self, "provider_config", value)
|
354
355
|
|
355
356
|
@property
|
@@ -363,73 +364,73 @@ class AuthBackendArgs:
|
|
363
364
|
|
364
365
|
@property
|
365
366
|
@pulumi.getter
|
366
|
-
def type(self) -> Optional[pulumi.Input[str]]:
|
367
|
+
def type(self) -> Optional[pulumi.Input[builtins.str]]:
|
367
368
|
"""
|
368
369
|
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
369
370
|
"""
|
370
371
|
return pulumi.get(self, "type")
|
371
372
|
|
372
373
|
@type.setter
|
373
|
-
def type(self, value: Optional[pulumi.Input[str]]):
|
374
|
+
def type(self, value: Optional[pulumi.Input[builtins.str]]):
|
374
375
|
pulumi.set(self, "type", value)
|
375
376
|
|
376
377
|
|
377
378
|
@pulumi.input_type
|
378
379
|
class _AuthBackendState:
|
379
380
|
def __init__(__self__, *,
|
380
|
-
accessor: Optional[pulumi.Input[str]] = None,
|
381
|
-
bound_issuer: Optional[pulumi.Input[str]] = None,
|
382
|
-
default_role: Optional[pulumi.Input[str]] = None,
|
383
|
-
description: Optional[pulumi.Input[str]] = None,
|
384
|
-
disable_remount: Optional[pulumi.Input[bool]] = None,
|
385
|
-
jwks_ca_pem: Optional[pulumi.Input[str]] = None,
|
386
|
-
jwks_url: Optional[pulumi.Input[str]] = None,
|
387
|
-
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
388
|
-
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
389
|
-
local: Optional[pulumi.Input[bool]] = None,
|
390
|
-
namespace: Optional[pulumi.Input[str]] = None,
|
391
|
-
namespace_in_state: Optional[pulumi.Input[bool]] = None,
|
392
|
-
oidc_client_id: Optional[pulumi.Input[str]] = None,
|
393
|
-
oidc_client_secret: Optional[pulumi.Input[str]] = None,
|
394
|
-
oidc_discovery_ca_pem: Optional[pulumi.Input[str]] = None,
|
395
|
-
oidc_discovery_url: Optional[pulumi.Input[str]] = None,
|
396
|
-
oidc_response_mode: Optional[pulumi.Input[str]] = None,
|
397
|
-
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
398
|
-
path: Optional[pulumi.Input[str]] = None,
|
399
|
-
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
381
|
+
accessor: Optional[pulumi.Input[builtins.str]] = None,
|
382
|
+
bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
|
383
|
+
default_role: Optional[pulumi.Input[builtins.str]] = None,
|
384
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
385
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
386
|
+
jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
387
|
+
jwks_url: Optional[pulumi.Input[builtins.str]] = None,
|
388
|
+
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
389
|
+
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
390
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
391
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
392
|
+
namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
|
393
|
+
oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
|
394
|
+
oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
|
395
|
+
oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
396
|
+
oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
|
397
|
+
oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
|
398
|
+
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
399
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
400
|
+
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
|
400
401
|
tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None,
|
401
|
-
type: Optional[pulumi.Input[str]] = None):
|
402
|
+
type: Optional[pulumi.Input[builtins.str]] = None):
|
402
403
|
"""
|
403
404
|
Input properties used for looking up and filtering AuthBackend resources.
|
404
|
-
:param pulumi.Input[str] accessor: The accessor for this auth method
|
405
|
-
:param pulumi.Input[str] bound_issuer: The value against which to match the iss claim in a JWT
|
406
|
-
:param pulumi.Input[str] default_role: The default role to use if none is provided during login
|
407
|
-
:param pulumi.Input[str] description: The description of the auth backend
|
408
|
-
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
405
|
+
:param pulumi.Input[builtins.str] accessor: The accessor for this auth method
|
406
|
+
:param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
|
407
|
+
:param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
|
408
|
+
:param pulumi.Input[builtins.str] description: The description of the auth backend
|
409
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
409
410
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
410
|
-
:param pulumi.Input[str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
411
|
-
:param pulumi.Input[str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
412
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
413
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
414
|
-
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
415
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
411
|
+
:param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
412
|
+
:param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
413
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
414
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
415
|
+
:param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
|
416
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
416
417
|
The value should not contain leading or trailing forward slashes.
|
417
418
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
418
419
|
*Available only for Vault Enterprise*.
|
419
|
-
:param pulumi.Input[bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
420
|
+
:param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
420
421
|
|
421
422
|
* tune - (Optional) Extra configuration block. Structure is documented below.
|
422
423
|
|
423
424
|
The `tune` block is used to tune the auth backend:
|
424
|
-
:param pulumi.Input[str] oidc_client_id: Client ID used for OIDC backends
|
425
|
-
:param pulumi.Input[str] oidc_client_secret: Client Secret used for OIDC backends
|
426
|
-
:param pulumi.Input[str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
427
|
-
:param pulumi.Input[str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
428
|
-
:param pulumi.Input[str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
429
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
430
|
-
:param pulumi.Input[str] path: Path to mount the JWT/OIDC auth backend
|
431
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
432
|
-
:param pulumi.Input[str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
425
|
+
:param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
|
426
|
+
:param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
|
427
|
+
:param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
428
|
+
:param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
429
|
+
:param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
430
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
431
|
+
:param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
|
432
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
433
|
+
:param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
433
434
|
"""
|
434
435
|
if accessor is not None:
|
435
436
|
pulumi.set(__self__, "accessor", accessor)
|
@@ -478,55 +479,55 @@ class _AuthBackendState:
|
|
478
479
|
|
479
480
|
@property
|
480
481
|
@pulumi.getter
|
481
|
-
def accessor(self) -> Optional[pulumi.Input[str]]:
|
482
|
+
def accessor(self) -> Optional[pulumi.Input[builtins.str]]:
|
482
483
|
"""
|
483
484
|
The accessor for this auth method
|
484
485
|
"""
|
485
486
|
return pulumi.get(self, "accessor")
|
486
487
|
|
487
488
|
@accessor.setter
|
488
|
-
def accessor(self, value: Optional[pulumi.Input[str]]):
|
489
|
+
def accessor(self, value: Optional[pulumi.Input[builtins.str]]):
|
489
490
|
pulumi.set(self, "accessor", value)
|
490
491
|
|
491
492
|
@property
|
492
493
|
@pulumi.getter(name="boundIssuer")
|
493
|
-
def bound_issuer(self) -> Optional[pulumi.Input[str]]:
|
494
|
+
def bound_issuer(self) -> Optional[pulumi.Input[builtins.str]]:
|
494
495
|
"""
|
495
496
|
The value against which to match the iss claim in a JWT
|
496
497
|
"""
|
497
498
|
return pulumi.get(self, "bound_issuer")
|
498
499
|
|
499
500
|
@bound_issuer.setter
|
500
|
-
def bound_issuer(self, value: Optional[pulumi.Input[str]]):
|
501
|
+
def bound_issuer(self, value: Optional[pulumi.Input[builtins.str]]):
|
501
502
|
pulumi.set(self, "bound_issuer", value)
|
502
503
|
|
503
504
|
@property
|
504
505
|
@pulumi.getter(name="defaultRole")
|
505
|
-
def default_role(self) -> Optional[pulumi.Input[str]]:
|
506
|
+
def default_role(self) -> Optional[pulumi.Input[builtins.str]]:
|
506
507
|
"""
|
507
508
|
The default role to use if none is provided during login
|
508
509
|
"""
|
509
510
|
return pulumi.get(self, "default_role")
|
510
511
|
|
511
512
|
@default_role.setter
|
512
|
-
def default_role(self, value: Optional[pulumi.Input[str]]):
|
513
|
+
def default_role(self, value: Optional[pulumi.Input[builtins.str]]):
|
513
514
|
pulumi.set(self, "default_role", value)
|
514
515
|
|
515
516
|
@property
|
516
517
|
@pulumi.getter
|
517
|
-
def description(self) -> Optional[pulumi.Input[str]]:
|
518
|
+
def description(self) -> Optional[pulumi.Input[builtins.str]]:
|
518
519
|
"""
|
519
520
|
The description of the auth backend
|
520
521
|
"""
|
521
522
|
return pulumi.get(self, "description")
|
522
523
|
|
523
524
|
@description.setter
|
524
|
-
def description(self, value: Optional[pulumi.Input[str]]):
|
525
|
+
def description(self, value: Optional[pulumi.Input[builtins.str]]):
|
525
526
|
pulumi.set(self, "description", value)
|
526
527
|
|
527
528
|
@property
|
528
529
|
@pulumi.getter(name="disableRemount")
|
529
|
-
def disable_remount(self) -> Optional[pulumi.Input[bool]]:
|
530
|
+
def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
|
530
531
|
"""
|
531
532
|
If set, opts out of mount migration on path updates.
|
532
533
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -534,72 +535,72 @@ class _AuthBackendState:
|
|
534
535
|
return pulumi.get(self, "disable_remount")
|
535
536
|
|
536
537
|
@disable_remount.setter
|
537
|
-
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
538
|
+
def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
|
538
539
|
pulumi.set(self, "disable_remount", value)
|
539
540
|
|
540
541
|
@property
|
541
542
|
@pulumi.getter(name="jwksCaPem")
|
542
|
-
def jwks_ca_pem(self) -> Optional[pulumi.Input[str]]:
|
543
|
+
def jwks_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
|
543
544
|
"""
|
544
545
|
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
545
546
|
"""
|
546
547
|
return pulumi.get(self, "jwks_ca_pem")
|
547
548
|
|
548
549
|
@jwks_ca_pem.setter
|
549
|
-
def jwks_ca_pem(self, value: Optional[pulumi.Input[str]]):
|
550
|
+
def jwks_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
|
550
551
|
pulumi.set(self, "jwks_ca_pem", value)
|
551
552
|
|
552
553
|
@property
|
553
554
|
@pulumi.getter(name="jwksUrl")
|
554
|
-
def jwks_url(self) -> Optional[pulumi.Input[str]]:
|
555
|
+
def jwks_url(self) -> Optional[pulumi.Input[builtins.str]]:
|
555
556
|
"""
|
556
557
|
JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
557
558
|
"""
|
558
559
|
return pulumi.get(self, "jwks_url")
|
559
560
|
|
560
561
|
@jwks_url.setter
|
561
|
-
def jwks_url(self, value: Optional[pulumi.Input[str]]):
|
562
|
+
def jwks_url(self, value: Optional[pulumi.Input[builtins.str]]):
|
562
563
|
pulumi.set(self, "jwks_url", value)
|
563
564
|
|
564
565
|
@property
|
565
566
|
@pulumi.getter(name="jwtSupportedAlgs")
|
566
|
-
def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
567
|
+
def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
567
568
|
"""
|
568
569
|
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
569
570
|
"""
|
570
571
|
return pulumi.get(self, "jwt_supported_algs")
|
571
572
|
|
572
573
|
@jwt_supported_algs.setter
|
573
|
-
def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
574
|
+
def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
574
575
|
pulumi.set(self, "jwt_supported_algs", value)
|
575
576
|
|
576
577
|
@property
|
577
578
|
@pulumi.getter(name="jwtValidationPubkeys")
|
578
|
-
def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
579
|
+
def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
579
580
|
"""
|
580
581
|
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
581
582
|
"""
|
582
583
|
return pulumi.get(self, "jwt_validation_pubkeys")
|
583
584
|
|
584
585
|
@jwt_validation_pubkeys.setter
|
585
|
-
def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
586
|
+
def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
586
587
|
pulumi.set(self, "jwt_validation_pubkeys", value)
|
587
588
|
|
588
589
|
@property
|
589
590
|
@pulumi.getter
|
590
|
-
def local(self) -> Optional[pulumi.Input[bool]]:
|
591
|
+
def local(self) -> Optional[pulumi.Input[builtins.bool]]:
|
591
592
|
"""
|
592
593
|
Specifies if the auth method is local only.
|
593
594
|
"""
|
594
595
|
return pulumi.get(self, "local")
|
595
596
|
|
596
597
|
@local.setter
|
597
|
-
def local(self, value: Optional[pulumi.Input[bool]]):
|
598
|
+
def local(self, value: Optional[pulumi.Input[builtins.bool]]):
|
598
599
|
pulumi.set(self, "local", value)
|
599
600
|
|
600
601
|
@property
|
601
602
|
@pulumi.getter
|
602
|
-
def namespace(self) -> Optional[pulumi.Input[str]]:
|
603
|
+
def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
|
603
604
|
"""
|
604
605
|
The namespace to provision the resource in.
|
605
606
|
The value should not contain leading or trailing forward slashes.
|
@@ -609,12 +610,12 @@ class _AuthBackendState:
|
|
609
610
|
return pulumi.get(self, "namespace")
|
610
611
|
|
611
612
|
@namespace.setter
|
612
|
-
def namespace(self, value: Optional[pulumi.Input[str]]):
|
613
|
+
def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
|
613
614
|
pulumi.set(self, "namespace", value)
|
614
615
|
|
615
616
|
@property
|
616
617
|
@pulumi.getter(name="namespaceInState")
|
617
|
-
def namespace_in_state(self) -> Optional[pulumi.Input[bool]]:
|
618
|
+
def namespace_in_state(self) -> Optional[pulumi.Input[builtins.bool]]:
|
618
619
|
"""
|
619
620
|
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
620
621
|
|
@@ -625,103 +626,103 @@ class _AuthBackendState:
|
|
625
626
|
return pulumi.get(self, "namespace_in_state")
|
626
627
|
|
627
628
|
@namespace_in_state.setter
|
628
|
-
def namespace_in_state(self, value: Optional[pulumi.Input[bool]]):
|
629
|
+
def namespace_in_state(self, value: Optional[pulumi.Input[builtins.bool]]):
|
629
630
|
pulumi.set(self, "namespace_in_state", value)
|
630
631
|
|
631
632
|
@property
|
632
633
|
@pulumi.getter(name="oidcClientId")
|
633
|
-
def oidc_client_id(self) -> Optional[pulumi.Input[str]]:
|
634
|
+
def oidc_client_id(self) -> Optional[pulumi.Input[builtins.str]]:
|
634
635
|
"""
|
635
636
|
Client ID used for OIDC backends
|
636
637
|
"""
|
637
638
|
return pulumi.get(self, "oidc_client_id")
|
638
639
|
|
639
640
|
@oidc_client_id.setter
|
640
|
-
def oidc_client_id(self, value: Optional[pulumi.Input[str]]):
|
641
|
+
def oidc_client_id(self, value: Optional[pulumi.Input[builtins.str]]):
|
641
642
|
pulumi.set(self, "oidc_client_id", value)
|
642
643
|
|
643
644
|
@property
|
644
645
|
@pulumi.getter(name="oidcClientSecret")
|
645
|
-
def oidc_client_secret(self) -> Optional[pulumi.Input[str]]:
|
646
|
+
def oidc_client_secret(self) -> Optional[pulumi.Input[builtins.str]]:
|
646
647
|
"""
|
647
648
|
Client Secret used for OIDC backends
|
648
649
|
"""
|
649
650
|
return pulumi.get(self, "oidc_client_secret")
|
650
651
|
|
651
652
|
@oidc_client_secret.setter
|
652
|
-
def oidc_client_secret(self, value: Optional[pulumi.Input[str]]):
|
653
|
+
def oidc_client_secret(self, value: Optional[pulumi.Input[builtins.str]]):
|
653
654
|
pulumi.set(self, "oidc_client_secret", value)
|
654
655
|
|
655
656
|
@property
|
656
657
|
@pulumi.getter(name="oidcDiscoveryCaPem")
|
657
|
-
def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[str]]:
|
658
|
+
def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
|
658
659
|
"""
|
659
660
|
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
660
661
|
"""
|
661
662
|
return pulumi.get(self, "oidc_discovery_ca_pem")
|
662
663
|
|
663
664
|
@oidc_discovery_ca_pem.setter
|
664
|
-
def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[str]]):
|
665
|
+
def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
|
665
666
|
pulumi.set(self, "oidc_discovery_ca_pem", value)
|
666
667
|
|
667
668
|
@property
|
668
669
|
@pulumi.getter(name="oidcDiscoveryUrl")
|
669
|
-
def oidc_discovery_url(self) -> Optional[pulumi.Input[str]]:
|
670
|
+
def oidc_discovery_url(self) -> Optional[pulumi.Input[builtins.str]]:
|
670
671
|
"""
|
671
672
|
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
672
673
|
"""
|
673
674
|
return pulumi.get(self, "oidc_discovery_url")
|
674
675
|
|
675
676
|
@oidc_discovery_url.setter
|
676
|
-
def oidc_discovery_url(self, value: Optional[pulumi.Input[str]]):
|
677
|
+
def oidc_discovery_url(self, value: Optional[pulumi.Input[builtins.str]]):
|
677
678
|
pulumi.set(self, "oidc_discovery_url", value)
|
678
679
|
|
679
680
|
@property
|
680
681
|
@pulumi.getter(name="oidcResponseMode")
|
681
|
-
def oidc_response_mode(self) -> Optional[pulumi.Input[str]]:
|
682
|
+
def oidc_response_mode(self) -> Optional[pulumi.Input[builtins.str]]:
|
682
683
|
"""
|
683
684
|
The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
684
685
|
"""
|
685
686
|
return pulumi.get(self, "oidc_response_mode")
|
686
687
|
|
687
688
|
@oidc_response_mode.setter
|
688
|
-
def oidc_response_mode(self, value: Optional[pulumi.Input[str]]):
|
689
|
+
def oidc_response_mode(self, value: Optional[pulumi.Input[builtins.str]]):
|
689
690
|
pulumi.set(self, "oidc_response_mode", value)
|
690
691
|
|
691
692
|
@property
|
692
693
|
@pulumi.getter(name="oidcResponseTypes")
|
693
|
-
def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
694
|
+
def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
|
694
695
|
"""
|
695
696
|
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
696
697
|
"""
|
697
698
|
return pulumi.get(self, "oidc_response_types")
|
698
699
|
|
699
700
|
@oidc_response_types.setter
|
700
|
-
def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
|
701
|
+
def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
|
701
702
|
pulumi.set(self, "oidc_response_types", value)
|
702
703
|
|
703
704
|
@property
|
704
705
|
@pulumi.getter
|
705
|
-
def path(self) -> Optional[pulumi.Input[str]]:
|
706
|
+
def path(self) -> Optional[pulumi.Input[builtins.str]]:
|
706
707
|
"""
|
707
708
|
Path to mount the JWT/OIDC auth backend
|
708
709
|
"""
|
709
710
|
return pulumi.get(self, "path")
|
710
711
|
|
711
712
|
@path.setter
|
712
|
-
def path(self, value: Optional[pulumi.Input[str]]):
|
713
|
+
def path(self, value: Optional[pulumi.Input[builtins.str]]):
|
713
714
|
pulumi.set(self, "path", value)
|
714
715
|
|
715
716
|
@property
|
716
717
|
@pulumi.getter(name="providerConfig")
|
717
|
-
def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
718
|
+
def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
|
718
719
|
"""
|
719
720
|
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
720
721
|
"""
|
721
722
|
return pulumi.get(self, "provider_config")
|
722
723
|
|
723
724
|
@provider_config.setter
|
724
|
-
def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
725
|
+
def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
|
725
726
|
pulumi.set(self, "provider_config", value)
|
726
727
|
|
727
728
|
@property
|
@@ -735,14 +736,14 @@ class _AuthBackendState:
|
|
735
736
|
|
736
737
|
@property
|
737
738
|
@pulumi.getter
|
738
|
-
def type(self) -> Optional[pulumi.Input[str]]:
|
739
|
+
def type(self) -> Optional[pulumi.Input[builtins.str]]:
|
739
740
|
"""
|
740
741
|
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
741
742
|
"""
|
742
743
|
return pulumi.get(self, "type")
|
743
744
|
|
744
745
|
@type.setter
|
745
|
-
def type(self, value: Optional[pulumi.Input[str]]):
|
746
|
+
def type(self, value: Optional[pulumi.Input[builtins.str]]):
|
746
747
|
pulumi.set(self, "type", value)
|
747
748
|
|
748
749
|
|
@@ -751,27 +752,27 @@ class AuthBackend(pulumi.CustomResource):
|
|
751
752
|
def __init__(__self__,
|
752
753
|
resource_name: str,
|
753
754
|
opts: Optional[pulumi.ResourceOptions] = None,
|
754
|
-
bound_issuer: Optional[pulumi.Input[str]] = None,
|
755
|
-
default_role: Optional[pulumi.Input[str]] = None,
|
756
|
-
description: Optional[pulumi.Input[str]] = None,
|
757
|
-
disable_remount: Optional[pulumi.Input[bool]] = None,
|
758
|
-
jwks_ca_pem: Optional[pulumi.Input[str]] = None,
|
759
|
-
jwks_url: Optional[pulumi.Input[str]] = None,
|
760
|
-
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
761
|
-
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
762
|
-
local: Optional[pulumi.Input[bool]] = None,
|
763
|
-
namespace: Optional[pulumi.Input[str]] = None,
|
764
|
-
namespace_in_state: Optional[pulumi.Input[bool]] = None,
|
765
|
-
oidc_client_id: Optional[pulumi.Input[str]] = None,
|
766
|
-
oidc_client_secret: Optional[pulumi.Input[str]] = None,
|
767
|
-
oidc_discovery_ca_pem: Optional[pulumi.Input[str]] = None,
|
768
|
-
oidc_discovery_url: Optional[pulumi.Input[str]] = None,
|
769
|
-
oidc_response_mode: Optional[pulumi.Input[str]] = None,
|
770
|
-
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
771
|
-
path: Optional[pulumi.Input[str]] = None,
|
772
|
-
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
755
|
+
bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
|
756
|
+
default_role: Optional[pulumi.Input[builtins.str]] = None,
|
757
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
758
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
759
|
+
jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
760
|
+
jwks_url: Optional[pulumi.Input[builtins.str]] = None,
|
761
|
+
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
762
|
+
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
763
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
764
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
765
|
+
namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
|
766
|
+
oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
|
767
|
+
oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
|
768
|
+
oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
769
|
+
oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
|
770
|
+
oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
|
771
|
+
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
772
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
773
|
+
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
|
773
774
|
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
|
774
|
-
type: Optional[pulumi.Input[str]] = None,
|
775
|
+
type: Optional[pulumi.Input[builtins.str]] = None,
|
775
776
|
__props__=None):
|
776
777
|
"""
|
777
778
|
Provides a resource for managing an
|
@@ -845,34 +846,34 @@ class AuthBackend(pulumi.CustomResource):
|
|
845
846
|
|
846
847
|
:param str resource_name: The name of the resource.
|
847
848
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
848
|
-
:param pulumi.Input[str] bound_issuer: The value against which to match the iss claim in a JWT
|
849
|
-
:param pulumi.Input[str] default_role: The default role to use if none is provided during login
|
850
|
-
:param pulumi.Input[str] description: The description of the auth backend
|
851
|
-
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
849
|
+
:param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
|
850
|
+
:param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
|
851
|
+
:param pulumi.Input[builtins.str] description: The description of the auth backend
|
852
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
852
853
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
853
|
-
:param pulumi.Input[str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
854
|
-
:param pulumi.Input[str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
855
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
856
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
857
|
-
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
858
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
854
|
+
:param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
855
|
+
:param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
856
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
857
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
858
|
+
:param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
|
859
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
859
860
|
The value should not contain leading or trailing forward slashes.
|
860
861
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
861
862
|
*Available only for Vault Enterprise*.
|
862
|
-
:param pulumi.Input[bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
863
|
+
:param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
863
864
|
|
864
865
|
* tune - (Optional) Extra configuration block. Structure is documented below.
|
865
866
|
|
866
867
|
The `tune` block is used to tune the auth backend:
|
867
|
-
:param pulumi.Input[str] oidc_client_id: Client ID used for OIDC backends
|
868
|
-
:param pulumi.Input[str] oidc_client_secret: Client Secret used for OIDC backends
|
869
|
-
:param pulumi.Input[str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
870
|
-
:param pulumi.Input[str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
871
|
-
:param pulumi.Input[str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
872
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
873
|
-
:param pulumi.Input[str] path: Path to mount the JWT/OIDC auth backend
|
874
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
875
|
-
:param pulumi.Input[str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
868
|
+
:param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
|
869
|
+
:param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
|
870
|
+
:param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
871
|
+
:param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
872
|
+
:param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
873
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
874
|
+
:param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
|
875
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
876
|
+
:param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
876
877
|
"""
|
877
878
|
...
|
878
879
|
@overload
|
@@ -965,27 +966,27 @@ class AuthBackend(pulumi.CustomResource):
|
|
965
966
|
def _internal_init(__self__,
|
966
967
|
resource_name: str,
|
967
968
|
opts: Optional[pulumi.ResourceOptions] = None,
|
968
|
-
bound_issuer: Optional[pulumi.Input[str]] = None,
|
969
|
-
default_role: Optional[pulumi.Input[str]] = None,
|
970
|
-
description: Optional[pulumi.Input[str]] = None,
|
971
|
-
disable_remount: Optional[pulumi.Input[bool]] = None,
|
972
|
-
jwks_ca_pem: Optional[pulumi.Input[str]] = None,
|
973
|
-
jwks_url: Optional[pulumi.Input[str]] = None,
|
974
|
-
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
975
|
-
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
976
|
-
local: Optional[pulumi.Input[bool]] = None,
|
977
|
-
namespace: Optional[pulumi.Input[str]] = None,
|
978
|
-
namespace_in_state: Optional[pulumi.Input[bool]] = None,
|
979
|
-
oidc_client_id: Optional[pulumi.Input[str]] = None,
|
980
|
-
oidc_client_secret: Optional[pulumi.Input[str]] = None,
|
981
|
-
oidc_discovery_ca_pem: Optional[pulumi.Input[str]] = None,
|
982
|
-
oidc_discovery_url: Optional[pulumi.Input[str]] = None,
|
983
|
-
oidc_response_mode: Optional[pulumi.Input[str]] = None,
|
984
|
-
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
985
|
-
path: Optional[pulumi.Input[str]] = None,
|
986
|
-
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
969
|
+
bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
|
970
|
+
default_role: Optional[pulumi.Input[builtins.str]] = None,
|
971
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
972
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
973
|
+
jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
974
|
+
jwks_url: Optional[pulumi.Input[builtins.str]] = None,
|
975
|
+
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
976
|
+
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
977
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
978
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
979
|
+
namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
|
980
|
+
oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
|
981
|
+
oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
|
982
|
+
oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
983
|
+
oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
|
984
|
+
oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
|
985
|
+
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
986
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
987
|
+
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
|
987
988
|
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
|
988
|
-
type: Optional[pulumi.Input[str]] = None,
|
989
|
+
type: Optional[pulumi.Input[builtins.str]] = None,
|
989
990
|
__props__=None):
|
990
991
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
991
992
|
if not isinstance(opts, pulumi.ResourceOptions):
|
@@ -1029,28 +1030,28 @@ class AuthBackend(pulumi.CustomResource):
|
|
1029
1030
|
def get(resource_name: str,
|
1030
1031
|
id: pulumi.Input[str],
|
1031
1032
|
opts: Optional[pulumi.ResourceOptions] = None,
|
1032
|
-
accessor: Optional[pulumi.Input[str]] = None,
|
1033
|
-
bound_issuer: Optional[pulumi.Input[str]] = None,
|
1034
|
-
default_role: Optional[pulumi.Input[str]] = None,
|
1035
|
-
description: Optional[pulumi.Input[str]] = None,
|
1036
|
-
disable_remount: Optional[pulumi.Input[bool]] = None,
|
1037
|
-
jwks_ca_pem: Optional[pulumi.Input[str]] = None,
|
1038
|
-
jwks_url: Optional[pulumi.Input[str]] = None,
|
1039
|
-
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1040
|
-
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1041
|
-
local: Optional[pulumi.Input[bool]] = None,
|
1042
|
-
namespace: Optional[pulumi.Input[str]] = None,
|
1043
|
-
namespace_in_state: Optional[pulumi.Input[bool]] = None,
|
1044
|
-
oidc_client_id: Optional[pulumi.Input[str]] = None,
|
1045
|
-
oidc_client_secret: Optional[pulumi.Input[str]] = None,
|
1046
|
-
oidc_discovery_ca_pem: Optional[pulumi.Input[str]] = None,
|
1047
|
-
oidc_discovery_url: Optional[pulumi.Input[str]] = None,
|
1048
|
-
oidc_response_mode: Optional[pulumi.Input[str]] = None,
|
1049
|
-
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1050
|
-
path: Optional[pulumi.Input[str]] = None,
|
1051
|
-
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1033
|
+
accessor: Optional[pulumi.Input[builtins.str]] = None,
|
1034
|
+
bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
|
1035
|
+
default_role: Optional[pulumi.Input[builtins.str]] = None,
|
1036
|
+
description: Optional[pulumi.Input[builtins.str]] = None,
|
1037
|
+
disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
|
1038
|
+
jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
1039
|
+
jwks_url: Optional[pulumi.Input[builtins.str]] = None,
|
1040
|
+
jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
1041
|
+
jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
1042
|
+
local: Optional[pulumi.Input[builtins.bool]] = None,
|
1043
|
+
namespace: Optional[pulumi.Input[builtins.str]] = None,
|
1044
|
+
namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
|
1045
|
+
oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
|
1046
|
+
oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
|
1047
|
+
oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
|
1048
|
+
oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
|
1049
|
+
oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
|
1050
|
+
oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
|
1051
|
+
path: Optional[pulumi.Input[builtins.str]] = None,
|
1052
|
+
provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
|
1052
1053
|
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
|
1053
|
-
type: Optional[pulumi.Input[str]] = None) -> 'AuthBackend':
|
1054
|
+
type: Optional[pulumi.Input[builtins.str]] = None) -> 'AuthBackend':
|
1054
1055
|
"""
|
1055
1056
|
Get an existing AuthBackend resource's state with the given name, id, and optional extra
|
1056
1057
|
properties used to qualify the lookup.
|
@@ -1058,35 +1059,35 @@ class AuthBackend(pulumi.CustomResource):
|
|
1058
1059
|
:param str resource_name: The unique name of the resulting resource.
|
1059
1060
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
1060
1061
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
1061
|
-
:param pulumi.Input[str] accessor: The accessor for this auth method
|
1062
|
-
:param pulumi.Input[str] bound_issuer: The value against which to match the iss claim in a JWT
|
1063
|
-
:param pulumi.Input[str] default_role: The default role to use if none is provided during login
|
1064
|
-
:param pulumi.Input[str] description: The description of the auth backend
|
1065
|
-
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
1062
|
+
:param pulumi.Input[builtins.str] accessor: The accessor for this auth method
|
1063
|
+
:param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
|
1064
|
+
:param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
|
1065
|
+
:param pulumi.Input[builtins.str] description: The description of the auth backend
|
1066
|
+
:param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
|
1066
1067
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
1067
|
-
:param pulumi.Input[str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
1068
|
-
:param pulumi.Input[str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
1069
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
1070
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
1071
|
-
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
1072
|
-
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1068
|
+
:param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
1069
|
+
:param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
1070
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
1071
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
1072
|
+
:param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
|
1073
|
+
:param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
|
1073
1074
|
The value should not contain leading or trailing forward slashes.
|
1074
1075
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1075
1076
|
*Available only for Vault Enterprise*.
|
1076
|
-
:param pulumi.Input[bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
1077
|
+
:param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
1077
1078
|
|
1078
1079
|
* tune - (Optional) Extra configuration block. Structure is documented below.
|
1079
1080
|
|
1080
1081
|
The `tune` block is used to tune the auth backend:
|
1081
|
-
:param pulumi.Input[str] oidc_client_id: Client ID used for OIDC backends
|
1082
|
-
:param pulumi.Input[str] oidc_client_secret: Client Secret used for OIDC backends
|
1083
|
-
:param pulumi.Input[str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
1084
|
-
:param pulumi.Input[str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
1085
|
-
:param pulumi.Input[str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
1086
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
1087
|
-
:param pulumi.Input[str] path: Path to mount the JWT/OIDC auth backend
|
1088
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
1089
|
-
:param pulumi.Input[str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
1082
|
+
:param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
|
1083
|
+
:param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
|
1084
|
+
:param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
1085
|
+
:param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
1086
|
+
:param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
1087
|
+
:param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
1088
|
+
:param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
|
1089
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
1090
|
+
:param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
1090
1091
|
"""
|
1091
1092
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
1092
1093
|
|
@@ -1118,7 +1119,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1118
1119
|
|
1119
1120
|
@property
|
1120
1121
|
@pulumi.getter
|
1121
|
-
def accessor(self) -> pulumi.Output[str]:
|
1122
|
+
def accessor(self) -> pulumi.Output[builtins.str]:
|
1122
1123
|
"""
|
1123
1124
|
The accessor for this auth method
|
1124
1125
|
"""
|
@@ -1126,7 +1127,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1126
1127
|
|
1127
1128
|
@property
|
1128
1129
|
@pulumi.getter(name="boundIssuer")
|
1129
|
-
def bound_issuer(self) -> pulumi.Output[Optional[str]]:
|
1130
|
+
def bound_issuer(self) -> pulumi.Output[Optional[builtins.str]]:
|
1130
1131
|
"""
|
1131
1132
|
The value against which to match the iss claim in a JWT
|
1132
1133
|
"""
|
@@ -1134,7 +1135,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1134
1135
|
|
1135
1136
|
@property
|
1136
1137
|
@pulumi.getter(name="defaultRole")
|
1137
|
-
def default_role(self) -> pulumi.Output[Optional[str]]:
|
1138
|
+
def default_role(self) -> pulumi.Output[Optional[builtins.str]]:
|
1138
1139
|
"""
|
1139
1140
|
The default role to use if none is provided during login
|
1140
1141
|
"""
|
@@ -1142,7 +1143,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1142
1143
|
|
1143
1144
|
@property
|
1144
1145
|
@pulumi.getter
|
1145
|
-
def description(self) -> pulumi.Output[Optional[str]]:
|
1146
|
+
def description(self) -> pulumi.Output[Optional[builtins.str]]:
|
1146
1147
|
"""
|
1147
1148
|
The description of the auth backend
|
1148
1149
|
"""
|
@@ -1150,7 +1151,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1150
1151
|
|
1151
1152
|
@property
|
1152
1153
|
@pulumi.getter(name="disableRemount")
|
1153
|
-
def disable_remount(self) -> pulumi.Output[Optional[bool]]:
|
1154
|
+
def disable_remount(self) -> pulumi.Output[Optional[builtins.bool]]:
|
1154
1155
|
"""
|
1155
1156
|
If set, opts out of mount migration on path updates.
|
1156
1157
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
@@ -1159,7 +1160,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1159
1160
|
|
1160
1161
|
@property
|
1161
1162
|
@pulumi.getter(name="jwksCaPem")
|
1162
|
-
def jwks_ca_pem(self) -> pulumi.Output[Optional[str]]:
|
1163
|
+
def jwks_ca_pem(self) -> pulumi.Output[Optional[builtins.str]]:
|
1163
1164
|
"""
|
1164
1165
|
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
|
1165
1166
|
"""
|
@@ -1167,7 +1168,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1167
1168
|
|
1168
1169
|
@property
|
1169
1170
|
@pulumi.getter(name="jwksUrl")
|
1170
|
-
def jwks_url(self) -> pulumi.Output[Optional[str]]:
|
1171
|
+
def jwks_url(self) -> pulumi.Output[Optional[builtins.str]]:
|
1171
1172
|
"""
|
1172
1173
|
JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
|
1173
1174
|
"""
|
@@ -1175,7 +1176,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1175
1176
|
|
1176
1177
|
@property
|
1177
1178
|
@pulumi.getter(name="jwtSupportedAlgs")
|
1178
|
-
def jwt_supported_algs(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1179
|
+
def jwt_supported_algs(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
|
1179
1180
|
"""
|
1180
1181
|
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
|
1181
1182
|
"""
|
@@ -1183,7 +1184,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1183
1184
|
|
1184
1185
|
@property
|
1185
1186
|
@pulumi.getter(name="jwtValidationPubkeys")
|
1186
|
-
def jwt_validation_pubkeys(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1187
|
+
def jwt_validation_pubkeys(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
|
1187
1188
|
"""
|
1188
1189
|
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
|
1189
1190
|
"""
|
@@ -1191,7 +1192,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1191
1192
|
|
1192
1193
|
@property
|
1193
1194
|
@pulumi.getter
|
1194
|
-
def local(self) -> pulumi.Output[Optional[bool]]:
|
1195
|
+
def local(self) -> pulumi.Output[Optional[builtins.bool]]:
|
1195
1196
|
"""
|
1196
1197
|
Specifies if the auth method is local only.
|
1197
1198
|
"""
|
@@ -1199,7 +1200,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1199
1200
|
|
1200
1201
|
@property
|
1201
1202
|
@pulumi.getter
|
1202
|
-
def namespace(self) -> pulumi.Output[Optional[str]]:
|
1203
|
+
def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
|
1203
1204
|
"""
|
1204
1205
|
The namespace to provision the resource in.
|
1205
1206
|
The value should not contain leading or trailing forward slashes.
|
@@ -1210,7 +1211,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1210
1211
|
|
1211
1212
|
@property
|
1212
1213
|
@pulumi.getter(name="namespaceInState")
|
1213
|
-
def namespace_in_state(self) -> pulumi.Output[Optional[bool]]:
|
1214
|
+
def namespace_in_state(self) -> pulumi.Output[Optional[builtins.bool]]:
|
1214
1215
|
"""
|
1215
1216
|
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
|
1216
1217
|
|
@@ -1222,7 +1223,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1222
1223
|
|
1223
1224
|
@property
|
1224
1225
|
@pulumi.getter(name="oidcClientId")
|
1225
|
-
def oidc_client_id(self) -> pulumi.Output[Optional[str]]:
|
1226
|
+
def oidc_client_id(self) -> pulumi.Output[Optional[builtins.str]]:
|
1226
1227
|
"""
|
1227
1228
|
Client ID used for OIDC backends
|
1228
1229
|
"""
|
@@ -1230,7 +1231,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1230
1231
|
|
1231
1232
|
@property
|
1232
1233
|
@pulumi.getter(name="oidcClientSecret")
|
1233
|
-
def oidc_client_secret(self) -> pulumi.Output[Optional[str]]:
|
1234
|
+
def oidc_client_secret(self) -> pulumi.Output[Optional[builtins.str]]:
|
1234
1235
|
"""
|
1235
1236
|
Client Secret used for OIDC backends
|
1236
1237
|
"""
|
@@ -1238,7 +1239,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1238
1239
|
|
1239
1240
|
@property
|
1240
1241
|
@pulumi.getter(name="oidcDiscoveryCaPem")
|
1241
|
-
def oidc_discovery_ca_pem(self) -> pulumi.Output[Optional[str]]:
|
1242
|
+
def oidc_discovery_ca_pem(self) -> pulumi.Output[Optional[builtins.str]]:
|
1242
1243
|
"""
|
1243
1244
|
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
|
1244
1245
|
"""
|
@@ -1246,7 +1247,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1246
1247
|
|
1247
1248
|
@property
|
1248
1249
|
@pulumi.getter(name="oidcDiscoveryUrl")
|
1249
|
-
def oidc_discovery_url(self) -> pulumi.Output[Optional[str]]:
|
1250
|
+
def oidc_discovery_url(self) -> pulumi.Output[Optional[builtins.str]]:
|
1250
1251
|
"""
|
1251
1252
|
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
|
1252
1253
|
"""
|
@@ -1254,7 +1255,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1254
1255
|
|
1255
1256
|
@property
|
1256
1257
|
@pulumi.getter(name="oidcResponseMode")
|
1257
|
-
def oidc_response_mode(self) -> pulumi.Output[Optional[str]]:
|
1258
|
+
def oidc_response_mode(self) -> pulumi.Output[Optional[builtins.str]]:
|
1258
1259
|
"""
|
1259
1260
|
The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
|
1260
1261
|
"""
|
@@ -1262,7 +1263,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1262
1263
|
|
1263
1264
|
@property
|
1264
1265
|
@pulumi.getter(name="oidcResponseTypes")
|
1265
|
-
def oidc_response_types(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1266
|
+
def oidc_response_types(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
|
1266
1267
|
"""
|
1267
1268
|
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
|
1268
1269
|
"""
|
@@ -1270,7 +1271,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1270
1271
|
|
1271
1272
|
@property
|
1272
1273
|
@pulumi.getter
|
1273
|
-
def path(self) -> pulumi.Output[Optional[str]]:
|
1274
|
+
def path(self) -> pulumi.Output[Optional[builtins.str]]:
|
1274
1275
|
"""
|
1275
1276
|
Path to mount the JWT/OIDC auth backend
|
1276
1277
|
"""
|
@@ -1278,7 +1279,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1278
1279
|
|
1279
1280
|
@property
|
1280
1281
|
@pulumi.getter(name="providerConfig")
|
1281
|
-
def provider_config(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
|
1282
|
+
def provider_config(self) -> pulumi.Output[Optional[Mapping[str, builtins.str]]]:
|
1282
1283
|
"""
|
1283
1284
|
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
|
1284
1285
|
"""
|
@@ -1291,7 +1292,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
1291
1292
|
|
1292
1293
|
@property
|
1293
1294
|
@pulumi.getter
|
1294
|
-
def type(self) -> pulumi.Output[Optional[str]]:
|
1295
|
+
def type(self) -> pulumi.Output[Optional[builtins.str]]:
|
1295
1296
|
"""
|
1296
1297
|
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
|
1297
1298
|
"""
|