pulumi-vault 6.8.0a1750231010__py3-none-any.whl → 7.0.0__py3-none-any.whl

pulumi_vault/database/secret_backend_connection.py

@@ -1099,6 +1099,13 @@ class SecretBackendConnection(pulumi.CustomResource):
             })
         ```
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported for all DBs that support username/password:
+
+        * `password_wo` - (Optional) The password for the user. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         ## Import
 
         Database secret backend connections can be imported using the `backend`, `/config/`, and the `name` e.g.
@@ -1181,6 +1188,13 @@ class SecretBackendConnection(pulumi.CustomResource):
             })
         ```
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported for all DBs that support username/password:
+
+        * `password_wo` - (Optional) The password for the user. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         ## Import
 
         Database secret backend connections can be imported using the `backend`, `/config/`, and the `name` e.g.

pulumi_vault/database/secrets_mount.py

@@ -1388,6 +1388,13 @@ class SecretsMount(pulumi.CustomResource):
             ])
         ```
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported for all DBs that support username/password:
+
+        * `password_wo` - (Optional) The password for the user. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         ## Import
 
         Database secret backend connections can be imported using the `path` e.g.
@@ -1508,6 +1515,13 @@ class SecretsMount(pulumi.CustomResource):
             ])
         ```
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported for all DBs that support username/password:
+
+        * `password_wo` - (Optional) The password for the user. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         ## Import
 
         Database secret backend connections can be imported using the `path` e.g.

pulumi_vault/gcp/secret_backend.py

@@ -21,6 +21,7 @@ __all__ = ['SecretBackendArgs', 'SecretBackend']
 class SecretBackendArgs:
     def __init__(__self__, *,
                  credentials: Optional[pulumi.Input[builtins.str]] = None,
+                 credentials_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
                  description: Optional[pulumi.Input[builtins.str]] = None,
                  disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
@@ -39,6 +40,7 @@ class SecretBackendArgs:
         """
         The set of arguments for constructing a SecretBackend resource.
         :param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
+        :param pulumi.Input[builtins.int] credentials_wo_version: The version of the `credentials_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
                issued by this backend. Defaults to '0'.
         :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
@@ -74,6 +76,8 @@ class SecretBackendArgs:
         """
         if credentials is not None:
             pulumi.set(__self__, "credentials", credentials)
+        if credentials_wo_version is not None:
+            pulumi.set(__self__, "credentials_wo_version", credentials_wo_version)
         if default_lease_ttl_seconds is not None:
             pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
         if description is not None:
@@ -117,6 +121,18 @@ class SecretBackendArgs:
     def credentials(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "credentials", value)
 
+    @property
+    @pulumi.getter(name="credentialsWoVersion")
+    def credentials_wo_version(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The version of the `credentials_wo`. For more info see updating write-only attributes.
+        """
+        return pulumi.get(self, "credentials_wo_version")
+
+    @credentials_wo_version.setter
+    def credentials_wo_version(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "credentials_wo_version", value)
+
     @property
     @pulumi.getter(name="defaultLeaseTtlSeconds")
     def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
@@ -320,6 +336,7 @@ class _SecretBackendState:
     def __init__(__self__, *,
                  accessor: Optional[pulumi.Input[builtins.str]] = None,
                  credentials: Optional[pulumi.Input[builtins.str]] = None,
+                 credentials_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
                  description: Optional[pulumi.Input[builtins.str]] = None,
                  disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
@@ -339,6 +356,7 @@ class _SecretBackendState:
         Input properties used for looking up and filtering SecretBackend resources.
         :param pulumi.Input[builtins.str] accessor: The accessor of the created GCP mount.
         :param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
+        :param pulumi.Input[builtins.int] credentials_wo_version: The version of the `credentials_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
                issued by this backend. Defaults to '0'.
         :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
@@ -376,6 +394,8 @@ class _SecretBackendState:
             pulumi.set(__self__, "accessor", accessor)
         if credentials is not None:
             pulumi.set(__self__, "credentials", credentials)
+        if credentials_wo_version is not None:
+            pulumi.set(__self__, "credentials_wo_version", credentials_wo_version)
         if default_lease_ttl_seconds is not None:
             pulumi.set(__self__, "default_lease_ttl_seconds", default_lease_ttl_seconds)
         if description is not None:
@@ -431,6 +451,18 @@ class _SecretBackendState:
     def credentials(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "credentials", value)
 
+    @property
+    @pulumi.getter(name="credentialsWoVersion")
+    def credentials_wo_version(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The version of the `credentials_wo`. For more info see updating write-only attributes.
+        """
+        return pulumi.get(self, "credentials_wo_version")
+
+    @credentials_wo_version.setter
+    def credentials_wo_version(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "credentials_wo_version", value)
+
     @property
     @pulumi.getter(name="defaultLeaseTtlSeconds")
     def default_lease_ttl_seconds(self) -> Optional[pulumi.Input[builtins.int]]:
@@ -636,6 +668,7 @@ class SecretBackend(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  credentials: Optional[pulumi.Input[builtins.str]] = None,
+                 credentials_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
                  description: Optional[pulumi.Input[builtins.str]] = None,
                  disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
@@ -680,9 +713,17 @@ class SecretBackend(pulumi.CustomResource):
             rotation_window=3600)
         ```
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported:
+
+        * `credentials_wo` - (Optional) The GCP service account credentials in JSON format. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
+        :param pulumi.Input[builtins.int] credentials_wo_version: The version of the `credentials_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
                issued by this backend. Defaults to '0'.
         :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
@@ -750,6 +791,13 @@ class SecretBackend(pulumi.CustomResource):
             rotation_window=3600)
         ```
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported:
+
+        * `credentials_wo` - (Optional) The GCP service account credentials in JSON format. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         :param str resource_name: The name of the resource.
         :param SecretBackendArgs args: The arguments to use to populate this resource's properties.
         :param pulumi.ResourceOptions opts: Options for the resource.
@@ -766,6 +814,7 @@ class SecretBackend(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  credentials: Optional[pulumi.Input[builtins.str]] = None,
+                 credentials_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
                  description: Optional[pulumi.Input[builtins.str]] = None,
                  disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
@@ -791,6 +840,7 @@ class SecretBackend(pulumi.CustomResource):
             __props__ = SecretBackendArgs.__new__(SecretBackendArgs)
 
             __props__.__dict__["credentials"] = None if credentials is None else pulumi.Output.secret(credentials)
+            __props__.__dict__["credentials_wo_version"] = credentials_wo_version
             __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
             __props__.__dict__["description"] = description
             __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
@@ -821,6 +871,7 @@ class SecretBackend(pulumi.CustomResource):
             opts: Optional[pulumi.ResourceOptions] = None,
             accessor: Optional[pulumi.Input[builtins.str]] = None,
             credentials: Optional[pulumi.Input[builtins.str]] = None,
+            credentials_wo_version: Optional[pulumi.Input[builtins.int]] = None,
             default_lease_ttl_seconds: Optional[pulumi.Input[builtins.int]] = None,
             description: Optional[pulumi.Input[builtins.str]] = None,
             disable_automated_rotation: Optional[pulumi.Input[builtins.bool]] = None,
@@ -845,6 +896,7 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[builtins.str] accessor: The accessor of the created GCP mount.
         :param pulumi.Input[builtins.str] credentials: JSON-encoded credentials to use to connect to GCP
+        :param pulumi.Input[builtins.int] credentials_wo_version: The version of the `credentials_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.int] default_lease_ttl_seconds: The default TTL for credentials
                issued by this backend. Defaults to '0'.
         :param pulumi.Input[builtins.str] description: A human-friendly description for this backend.
@@ -884,6 +936,7 @@ class SecretBackend(pulumi.CustomResource):
 
         __props__.__dict__["accessor"] = accessor
         __props__.__dict__["credentials"] = credentials
+        __props__.__dict__["credentials_wo_version"] = credentials_wo_version
         __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
         __props__.__dict__["description"] = description
         __props__.__dict__["disable_automated_rotation"] = disable_automated_rotation
@@ -917,6 +970,14 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "credentials")
 
+    @property
+    @pulumi.getter(name="credentialsWoVersion")
+    def credentials_wo_version(self) -> pulumi.Output[Optional[builtins.int]]:
+        """
+        The version of the `credentials_wo`. For more info see updating write-only attributes.
+        """
+        return pulumi.get(self, "credentials_wo_version")
+
     @property
     @pulumi.getter(name="defaultLeaseTtlSeconds")
     def default_lease_ttl_seconds(self) -> pulumi.Output[Optional[builtins.int]]:

pulumi_vault/kv/_inputs.py

@@ -30,10 +30,10 @@ if not MYPY:
         """
         data: NotRequired[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]
         """
-        A mapping whose keys are the top-level data keys returned from
-        Vault and whose values are the corresponding values. This map can only
-        represent string data, so any non-string values returned from Vault are
-        serialized as JSON.
+        **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+        secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+        Vault and whose values are the corresponding values. This map can only represent string data,
+        so any non-string values returned from Vault are serialized as JSON.
         """
         delete_version_after: NotRequired[pulumi.Input[builtins.int]]
         """
@@ -55,10 +55,10 @@ class SecretV2CustomMetadataArgs:
                  max_versions: Optional[pulumi.Input[builtins.int]] = None):
         """
         :param pulumi.Input[builtins.bool] cas_required: If true, all keys will require the cas parameter to be set on all write requests.
-        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] data: A mapping whose keys are the top-level data keys returned from
-               Vault and whose values are the corresponding values. This map can only
-               represent string data, so any non-string values returned from Vault are
-               serialized as JSON.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] data: **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+               secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+               Vault and whose values are the corresponding values. This map can only represent string data,
+               so any non-string values returned from Vault are serialized as JSON.
         :param pulumi.Input[builtins.int] delete_version_after: If set, specifies the length of time before a version is deleted.
         :param pulumi.Input[builtins.int] max_versions: The number of versions to keep per key.
         """
@@ -87,10 +87,10 @@ class SecretV2CustomMetadataArgs:
     @pulumi.getter
     def data(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
         """
-        A mapping whose keys are the top-level data keys returned from
-        Vault and whose values are the corresponding values. This map can only
-        represent string data, so any non-string values returned from Vault are
-        serialized as JSON.
+        **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+        secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+        Vault and whose values are the corresponding values. This map can only represent string data,
+        so any non-string values returned from Vault are serialized as JSON.
         """
         return pulumi.get(self, "data")
 

pulumi_vault/kv/outputs.py

@@ -49,10 +49,10 @@ class SecretV2CustomMetadata(dict):
                  max_versions: Optional[builtins.int] = None):
         """
         :param builtins.bool cas_required: If true, all keys will require the cas parameter to be set on all write requests.
-        :param Mapping[str, builtins.str] data: A mapping whose keys are the top-level data keys returned from
-               Vault and whose values are the corresponding values. This map can only
-               represent string data, so any non-string values returned from Vault are
-               serialized as JSON.
+        :param Mapping[str, builtins.str] data: **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+               secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+               Vault and whose values are the corresponding values. This map can only represent string data,
+               so any non-string values returned from Vault are serialized as JSON.
         :param builtins.int delete_version_after: If set, specifies the length of time before a version is deleted.
         :param builtins.int max_versions: The number of versions to keep per key.
         """
@@ -77,10 +77,10 @@ class SecretV2CustomMetadata(dict):
     @pulumi.getter
     def data(self) -> Optional[Mapping[str, builtins.str]]:
         """
-        A mapping whose keys are the top-level data keys returned from
-        Vault and whose values are the corresponding values. This map can only
-        represent string data, so any non-string values returned from Vault are
-        serialized as JSON.
+        **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+        secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+        Vault and whose values are the corresponding values. This map can only represent string data,
+        so any non-string values returned from Vault are serialized as JSON.
         """
         return pulumi.get(self, "data")
 

pulumi_vault/kv/secret_v2.py

@@ -22,10 +22,11 @@ __all__ = ['SecretV2Args', 'SecretV2']
 @pulumi.input_type
 class SecretV2Args:
     def __init__(__self__, *,
-                 data_json: pulumi.Input[builtins.str],
                  mount: pulumi.Input[builtins.str],
                  cas: Optional[pulumi.Input[builtins.int]] = None,
                  custom_metadata: Optional[pulumi.Input['SecretV2CustomMetadataArgs']] = None,
+                 data_json: Optional[pulumi.Input[builtins.str]] = None,
+                 data_json_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  delete_all_versions: Optional[pulumi.Input[builtins.bool]] = None,
                  disable_read: Optional[pulumi.Input[builtins.bool]] = None,
                  name: Optional[pulumi.Input[builtins.str]] = None,
@@ -33,8 +34,6 @@ class SecretV2Args:
                  options: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None):
         """
         The set of arguments for constructing a SecretV2 resource.
-        :param pulumi.Input[builtins.str] data_json: JSON-encoded string that will be
-               written as the secret data at the given path.
         :param pulumi.Input[builtins.str] mount: Path where KV-V2 engine is mounted.
         :param pulumi.Input[builtins.int] cas: This flag is required if `cas_required` is set to true
                on either the secret or the engine's config. In order for a
@@ -43,6 +42,9 @@ class SecretV2Args:
         :param pulumi.Input['SecretV2CustomMetadataArgs'] custom_metadata: A nested block that allows configuring metadata for the
                KV secret. Refer to the
                Configuration Options for more info.
+        :param pulumi.Input[builtins.str] data_json: JSON-encoded string that will be
+               written as the secret data at the given path.
+        :param pulumi.Input[builtins.int] data_json_wo_version: The version of the `data_json_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.bool] delete_all_versions: If set to true, permanently deletes all
                versions for the specified key.
         :param pulumi.Input[builtins.bool] disable_read: If set to true, disables reading secret from Vault;
@@ -57,12 +59,15 @@ class SecretV2Args:
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] options: An object that holds option settings.
         """
-        pulumi.set(__self__, "data_json", data_json)
         pulumi.set(__self__, "mount", mount)
         if cas is not None:
             pulumi.set(__self__, "cas", cas)
         if custom_metadata is not None:
             pulumi.set(__self__, "custom_metadata", custom_metadata)
+        if data_json is not None:
+            pulumi.set(__self__, "data_json", data_json)
+        if data_json_wo_version is not None:
+            pulumi.set(__self__, "data_json_wo_version", data_json_wo_version)
         if delete_all_versions is not None:
             pulumi.set(__self__, "delete_all_versions", delete_all_versions)
         if disable_read is not None:
@@ -74,19 +79,6 @@ class SecretV2Args:
         if options is not None:
             pulumi.set(__self__, "options", options)
 
-    @property
-    @pulumi.getter(name="dataJson")
-    def data_json(self) -> pulumi.Input[builtins.str]:
-        """
-        JSON-encoded string that will be
-        written as the secret data at the given path.
-        """
-        return pulumi.get(self, "data_json")
-
-    @data_json.setter
-    def data_json(self, value: pulumi.Input[builtins.str]):
-        pulumi.set(self, "data_json", value)
-
     @property
     @pulumi.getter
     def mount(self) -> pulumi.Input[builtins.str]:
@@ -128,6 +120,31 @@ class SecretV2Args:
     def custom_metadata(self, value: Optional[pulumi.Input['SecretV2CustomMetadataArgs']]):
         pulumi.set(self, "custom_metadata", value)
 
+    @property
+    @pulumi.getter(name="dataJson")
+    def data_json(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        JSON-encoded string that will be
+        written as the secret data at the given path.
+        """
+        return pulumi.get(self, "data_json")
+
+    @data_json.setter
+    def data_json(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "data_json", value)
+
+    @property
+    @pulumi.getter(name="dataJsonWoVersion")
+    def data_json_wo_version(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The version of the `data_json_wo`. For more info see updating write-only attributes.
+        """
+        return pulumi.get(self, "data_json_wo_version")
+
+    @data_json_wo_version.setter
+    def data_json_wo_version(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "data_json_wo_version", value)
+
     @property
     @pulumi.getter(name="deleteAllVersions")
     def delete_all_versions(self) -> Optional[pulumi.Input[builtins.bool]]:
@@ -204,6 +221,7 @@ class _SecretV2State:
                  custom_metadata: Optional[pulumi.Input['SecretV2CustomMetadataArgs']] = None,
                  data: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
                  data_json: Optional[pulumi.Input[builtins.str]] = None,
+                 data_json_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  delete_all_versions: Optional[pulumi.Input[builtins.bool]] = None,
                  disable_read: Optional[pulumi.Input[builtins.bool]] = None,
                  metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
@@ -221,12 +239,13 @@ class _SecretV2State:
         :param pulumi.Input['SecretV2CustomMetadataArgs'] custom_metadata: A nested block that allows configuring metadata for the
                KV secret. Refer to the
                Configuration Options for more info.
-        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] data: A mapping whose keys are the top-level data keys returned from
-               Vault and whose values are the corresponding values. This map can only
-               represent string data, so any non-string values returned from Vault are
-               serialized as JSON.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] data: **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+               secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+               Vault and whose values are the corresponding values. This map can only represent string data,
+               so any non-string values returned from Vault are serialized as JSON.
         :param pulumi.Input[builtins.str] data_json: JSON-encoded string that will be
                written as the secret data at the given path.
+        :param pulumi.Input[builtins.int] data_json_wo_version: The version of the `data_json_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.bool] delete_all_versions: If set to true, permanently deletes all
                versions for the specified key.
         :param pulumi.Input[builtins.bool] disable_read: If set to true, disables reading secret from Vault;
@@ -248,10 +267,15 @@ class _SecretV2State:
             pulumi.set(__self__, "cas", cas)
         if custom_metadata is not None:
             pulumi.set(__self__, "custom_metadata", custom_metadata)
+        if data is not None:
+            warnings.warn("""Deprecated. Will no longer be set on a read.""", DeprecationWarning)
+            pulumi.log.warn("""data is deprecated: Deprecated. Will no longer be set on a read.""")
         if data is not None:
             pulumi.set(__self__, "data", data)
         if data_json is not None:
             pulumi.set(__self__, "data_json", data_json)
+        if data_json_wo_version is not None:
+            pulumi.set(__self__, "data_json_wo_version", data_json_wo_version)
         if delete_all_versions is not None:
             pulumi.set(__self__, "delete_all_versions", delete_all_versions)
         if disable_read is not None:
@@ -300,12 +324,13 @@ class _SecretV2State:
 
     @property
     @pulumi.getter
+    @_utilities.deprecated("""Deprecated. Will no longer be set on a read.""")
     def data(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
         """
-        A mapping whose keys are the top-level data keys returned from
-        Vault and whose values are the corresponding values. This map can only
-        represent string data, so any non-string values returned from Vault are
-        serialized as JSON.
+        **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+        secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+        Vault and whose values are the corresponding values. This map can only represent string data,
+        so any non-string values returned from Vault are serialized as JSON.
         """
         return pulumi.get(self, "data")
 
@@ -326,6 +351,18 @@ class _SecretV2State:
     def data_json(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "data_json", value)
 
+    @property
+    @pulumi.getter(name="dataJsonWoVersion")
+    def data_json_wo_version(self) -> Optional[pulumi.Input[builtins.int]]:
+        """
+        The version of the `data_json_wo`. For more info see updating write-only attributes.
+        """
+        return pulumi.get(self, "data_json_wo_version")
+
+    @data_json_wo_version.setter
+    def data_json_wo_version(self, value: Optional[pulumi.Input[builtins.int]]):
+        pulumi.set(self, "data_json_wo_version", value)
+
     @property
     @pulumi.getter(name="deleteAllVersions")
     def delete_all_versions(self) -> Optional[pulumi.Input[builtins.bool]]:
@@ -440,6 +477,7 @@ class SecretV2(pulumi.CustomResource):
                  cas: Optional[pulumi.Input[builtins.int]] = None,
                  custom_metadata: Optional[pulumi.Input[Union['SecretV2CustomMetadataArgs', 'SecretV2CustomMetadataArgsDict']]] = None,
                  data_json: Optional[pulumi.Input[builtins.str]] = None,
+                 data_json_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  delete_all_versions: Optional[pulumi.Input[builtins.bool]] = None,
                  disable_read: Optional[pulumi.Input[builtins.bool]] = None,
                  mount: Optional[pulumi.Input[builtins.str]] = None,
@@ -504,6 +542,13 @@ class SecretV2(pulumi.CustomResource):
 
         * `data` - (Optional) A string to string map describing the secret.
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported:
+
+        * `data_json_wo` - (Optional) JSON-encoded secret data to write to Vault. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         ## Import
 
         KV-V2 secrets can be imported using the `path`, e.g.
@@ -523,6 +568,7 @@ class SecretV2(pulumi.CustomResource):
                Configuration Options for more info.
         :param pulumi.Input[builtins.str] data_json: JSON-encoded string that will be
                written as the secret data at the given path.
+        :param pulumi.Input[builtins.int] data_json_wo_version: The version of the `data_json_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.bool] delete_all_versions: If set to true, permanently deletes all
                versions for the specified key.
         :param pulumi.Input[builtins.bool] disable_read: If set to true, disables reading secret from Vault;
@@ -601,6 +647,13 @@ class SecretV2(pulumi.CustomResource):
 
         * `data` - (Optional) A string to string map describing the secret.
 
+        ## Ephemeral Attributes Reference
+
+        The following write-only attributes are supported:
+
+        * `data_json_wo` - (Optional) JSON-encoded secret data to write to Vault. Can be updated.
+          **Note**: This property is write-only and will not be read from the API.
+
         ## Import
 
         KV-V2 secrets can be imported using the `path`, e.g.
@@ -627,6 +680,7 @@ class SecretV2(pulumi.CustomResource):
                  cas: Optional[pulumi.Input[builtins.int]] = None,
                  custom_metadata: Optional[pulumi.Input[Union['SecretV2CustomMetadataArgs', 'SecretV2CustomMetadataArgsDict']]] = None,
                  data_json: Optional[pulumi.Input[builtins.str]] = None,
+                 data_json_wo_version: Optional[pulumi.Input[builtins.int]] = None,
                  delete_all_versions: Optional[pulumi.Input[builtins.bool]] = None,
                  disable_read: Optional[pulumi.Input[builtins.bool]] = None,
                  mount: Optional[pulumi.Input[builtins.str]] = None,
@@ -644,9 +698,8 @@ class SecretV2(pulumi.CustomResource):
 
             __props__.__dict__["cas"] = cas
             __props__.__dict__["custom_metadata"] = custom_metadata
-            if data_json is None and not opts.urn:
-                raise TypeError("Missing required property 'data_json'")
             __props__.__dict__["data_json"] = None if data_json is None else pulumi.Output.secret(data_json)
+            __props__.__dict__["data_json_wo_version"] = data_json_wo_version
             __props__.__dict__["delete_all_versions"] = delete_all_versions
             __props__.__dict__["disable_read"] = disable_read
             if mount is None and not opts.urn:
@@ -674,6 +727,7 @@ class SecretV2(pulumi.CustomResource):
             custom_metadata: Optional[pulumi.Input[Union['SecretV2CustomMetadataArgs', 'SecretV2CustomMetadataArgsDict']]] = None,
             data: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
             data_json: Optional[pulumi.Input[builtins.str]] = None,
+            data_json_wo_version: Optional[pulumi.Input[builtins.int]] = None,
             delete_all_versions: Optional[pulumi.Input[builtins.bool]] = None,
             disable_read: Optional[pulumi.Input[builtins.bool]] = None,
             metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
@@ -696,12 +750,13 @@ class SecretV2(pulumi.CustomResource):
         :param pulumi.Input[Union['SecretV2CustomMetadataArgs', 'SecretV2CustomMetadataArgsDict']] custom_metadata: A nested block that allows configuring metadata for the
                KV secret. Refer to the
                Configuration Options for more info.
-        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] data: A mapping whose keys are the top-level data keys returned from
-               Vault and whose values are the corresponding values. This map can only
-               represent string data, so any non-string values returned from Vault are
-               serialized as JSON.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] data: **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+               secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+               Vault and whose values are the corresponding values. This map can only represent string data,
+               so any non-string values returned from Vault are serialized as JSON.
         :param pulumi.Input[builtins.str] data_json: JSON-encoded string that will be
                written as the secret data at the given path.
+        :param pulumi.Input[builtins.int] data_json_wo_version: The version of the `data_json_wo`. For more info see updating write-only attributes.
         :param pulumi.Input[builtins.bool] delete_all_versions: If set to true, permanently deletes all
                versions for the specified key.
         :param pulumi.Input[builtins.bool] disable_read: If set to true, disables reading secret from Vault;
@@ -727,6 +782,7 @@ class SecretV2(pulumi.CustomResource):
         __props__.__dict__["custom_metadata"] = custom_metadata
         __props__.__dict__["data"] = data
         __props__.__dict__["data_json"] = data_json
+        __props__.__dict__["data_json_wo_version"] = data_json_wo_version
         __props__.__dict__["delete_all_versions"] = delete_all_versions
         __props__.__dict__["disable_read"] = disable_read
         __props__.__dict__["metadata"] = metadata
@@ -760,24 +816,33 @@ class SecretV2(pulumi.CustomResource):
 
     @property
     @pulumi.getter
+    @_utilities.deprecated("""Deprecated. Will no longer be set on a read.""")
     def data(self) -> pulumi.Output[Mapping[str, builtins.str]]:
         """
-        A mapping whose keys are the top-level data keys returned from
-        Vault and whose values are the corresponding values. This map can only
-        represent string data, so any non-string values returned from Vault are
-        serialized as JSON.
+        **Deprecated. Please use new ephemeral resource `kv.SecretV2` to read back
+        secret data from Vault**. A mapping whose keys are the top-level data keys returned from
+        Vault and whose values are the corresponding values. This map can only represent string data,
+        so any non-string values returned from Vault are serialized as JSON.
         """
         return pulumi.get(self, "data")
 
     @property
     @pulumi.getter(name="dataJson")
-    def data_json(self) -> pulumi.Output[builtins.str]:
+    def data_json(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         JSON-encoded string that will be
         written as the secret data at the given path.
         """
         return pulumi.get(self, "data_json")
 
+    @property
+    @pulumi.getter(name="dataJsonWoVersion")
+    def data_json_wo_version(self) -> pulumi.Output[Optional[builtins.int]]:
+        """
+        The version of the `data_json_wo`. For more info see updating write-only attributes.
+        """
+        return pulumi.get(self, "data_json_wo_version")
+
     @property
     @pulumi.getter(name="deleteAllVersions")
     def delete_all_versions(self) -> pulumi.Output[Optional[builtins.bool]]: