pulumi-vault 7.0.0a1750489873__py3-none-any.whl → 7.1.0a1752118888__py3-none-any.whl

pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py

@@ -33,6 +33,7 @@ class SecretBackendRootSignIntermediateArgs:
                  format: Optional[pulumi.Input[builtins.str]] = None,
                  ip_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  locality: Optional[pulumi.Input[builtins.str]] = None,
                  max_path_length: Optional[pulumi.Input[builtins.int]] = None,
                  namespace: Optional[pulumi.Input[builtins.str]] = None,
@@ -73,6 +74,7 @@ class SecretBackendRootSignIntermediateArgs:
                be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
         :param pulumi.Input[builtins.str] locality: The locality
         :param pulumi.Input[builtins.int] max_path_length: The maximum path length to encode in the generated certificate
         :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
@@ -94,12 +96,12 @@ class SecretBackendRootSignIntermediateArgs:
         :param pulumi.Input[builtins.str] province: The province
         :param pulumi.Input[builtins.bool] revoke: If set to `true`, the certificate will be revoked on resource destruction.
         :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
-        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). Specified as a string in hex format.
+        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
         :param pulumi.Input[builtins.str] street_address: The street address
         :param pulumi.Input[builtins.str] ttl: Time to live
         :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] uri_sans: List of alternative URIs
         :param pulumi.Input[builtins.bool] use_csr_values: Preserve CSR values
-        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         pulumi.set(__self__, "backend", backend)
         pulumi.set(__self__, "common_name", common_name)
@@ -124,6 +126,8 @@ class SecretBackendRootSignIntermediateArgs:
             pulumi.set(__self__, "ip_sans", ip_sans)
         if issuer_ref is not None:
             pulumi.set(__self__, "issuer_ref", issuer_ref)
+        if key_usages is not None:
+            pulumi.set(__self__, "key_usages", key_usages)
         if locality is not None:
             pulumi.set(__self__, "locality", locality)
         if max_path_length is not None:
@@ -328,6 +332,18 @@ class SecretBackendRootSignIntermediateArgs:
     def issuer_ref(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "issuer_ref", value)
 
+    @property
+    @pulumi.getter(name="keyUsages")
+    def key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+        """
+        Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
+        """
+        return pulumi.get(self, "key_usages")
+
+    @key_usages.setter
+    def key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+        pulumi.set(self, "key_usages", value)
+
     @property
     @pulumi.getter
     def locality(self) -> Optional[pulumi.Input[builtins.str]]:
@@ -529,7 +545,7 @@ class SecretBackendRootSignIntermediateArgs:
     @pulumi.getter
     def skid(self) -> Optional[pulumi.Input[builtins.str]]:
         """
-        Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). Specified as a string in hex format.
+        Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
         """
         return pulumi.get(self, "skid")
 
@@ -589,7 +605,7 @@ class SecretBackendRootSignIntermediateArgs:
     @pulumi.getter(name="usePss")
     def use_pss(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
-        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
+        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         return pulumi.get(self, "use_pss")
 
@@ -618,6 +634,7 @@ class _SecretBackendRootSignIntermediateState:
                  ip_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
                  issuing_ca: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  locality: Optional[pulumi.Input[builtins.str]] = None,
                  max_path_length: Optional[pulumi.Input[builtins.int]] = None,
                  namespace: Optional[pulumi.Input[builtins.str]] = None,
@@ -664,6 +681,7 @@ class _SecretBackendRootSignIntermediateState:
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
         :param pulumi.Input[builtins.str] issuing_ca: The issuing CA certificate in the `format` specified.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
         :param pulumi.Input[builtins.str] locality: The locality
         :param pulumi.Input[builtins.int] max_path_length: The maximum path length to encode in the generated certificate
         :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
@@ -686,12 +704,12 @@ class _SecretBackendRootSignIntermediateState:
         :param pulumi.Input[builtins.bool] revoke: If set to `true`, the certificate will be revoked on resource destruction.
         :param pulumi.Input[builtins.str] serial_number: The certificate's serial number, hex formatted.
         :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
-        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). Specified as a string in hex format.
+        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
         :param pulumi.Input[builtins.str] street_address: The street address
         :param pulumi.Input[builtins.str] ttl: Time to live
         :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] uri_sans: List of alternative URIs
         :param pulumi.Input[builtins.bool] use_csr_values: Preserve CSR values
-        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         if alt_names is not None:
             pulumi.set(__self__, "alt_names", alt_names)
@@ -727,6 +745,8 @@ class _SecretBackendRootSignIntermediateState:
             pulumi.set(__self__, "issuer_ref", issuer_ref)
         if issuing_ca is not None:
             pulumi.set(__self__, "issuing_ca", issuing_ca)
+        if key_usages is not None:
+            pulumi.set(__self__, "key_usages", key_usages)
         if locality is not None:
             pulumi.set(__self__, "locality", locality)
         if max_path_length is not None:
@@ -982,6 +1002,18 @@ class _SecretBackendRootSignIntermediateState:
     def issuing_ca(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "issuing_ca", value)
 
+    @property
+    @pulumi.getter(name="keyUsages")
+    def key_usages(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+        """
+        Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
+        """
+        return pulumi.get(self, "key_usages")
+
+    @key_usages.setter
+    def key_usages(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+        pulumi.set(self, "key_usages", value)
+
     @property
     @pulumi.getter
     def locality(self) -> Optional[pulumi.Input[builtins.str]]:
@@ -1195,7 +1227,7 @@ class _SecretBackendRootSignIntermediateState:
     @pulumi.getter
     def skid(self) -> Optional[pulumi.Input[builtins.str]]:
         """
-        Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). Specified as a string in hex format.
+        Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
         """
         return pulumi.get(self, "skid")
 
@@ -1255,7 +1287,7 @@ class _SecretBackendRootSignIntermediateState:
     @pulumi.getter(name="usePss")
     def use_pss(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
-        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
+        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         return pulumi.get(self, "use_pss")
 
@@ -1283,6 +1315,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
                  format: Optional[pulumi.Input[builtins.str]] = None,
                  ip_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  locality: Optional[pulumi.Input[builtins.str]] = None,
                  max_path_length: Optional[pulumi.Input[builtins.int]] = None,
                  namespace: Optional[pulumi.Input[builtins.str]] = None,
@@ -1343,6 +1376,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
                be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
         :param pulumi.Input[builtins.str] locality: The locality
         :param pulumi.Input[builtins.int] max_path_length: The maximum path length to encode in the generated certificate
         :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
@@ -1364,12 +1398,12 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
         :param pulumi.Input[builtins.str] province: The province
         :param pulumi.Input[builtins.bool] revoke: If set to `true`, the certificate will be revoked on resource destruction.
         :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
-        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). Specified as a string in hex format.
+        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
         :param pulumi.Input[builtins.str] street_address: The street address
         :param pulumi.Input[builtins.str] ttl: Time to live
         :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] uri_sans: List of alternative URIs
         :param pulumi.Input[builtins.bool] use_csr_values: Preserve CSR values
-        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         ...
     @overload
@@ -1424,6 +1458,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
                  format: Optional[pulumi.Input[builtins.str]] = None,
                  ip_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
+                 key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
                  locality: Optional[pulumi.Input[builtins.str]] = None,
                  max_path_length: Optional[pulumi.Input[builtins.int]] = None,
                  namespace: Optional[pulumi.Input[builtins.str]] = None,
@@ -1474,6 +1509,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
             __props__.__dict__["format"] = format
             __props__.__dict__["ip_sans"] = ip_sans
             __props__.__dict__["issuer_ref"] = issuer_ref
+            __props__.__dict__["key_usages"] = key_usages
             __props__.__dict__["locality"] = locality
             __props__.__dict__["max_path_length"] = max_path_length
             __props__.__dict__["namespace"] = namespace
@@ -1528,6 +1564,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
             ip_sans: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
             issuer_ref: Optional[pulumi.Input[builtins.str]] = None,
             issuing_ca: Optional[pulumi.Input[builtins.str]] = None,
+            key_usages: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
             locality: Optional[pulumi.Input[builtins.str]] = None,
             max_path_length: Optional[pulumi.Input[builtins.int]] = None,
             namespace: Optional[pulumi.Input[builtins.str]] = None,
@@ -1579,6 +1616,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
                the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
                overriding the role's `issuer_ref` value.
         :param pulumi.Input[builtins.str] issuing_ca: The issuing CA certificate in the `format` specified.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] key_usages: Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
         :param pulumi.Input[builtins.str] locality: The locality
         :param pulumi.Input[builtins.int] max_path_length: The maximum path length to encode in the generated certificate
         :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
@@ -1601,12 +1639,12 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
         :param pulumi.Input[builtins.bool] revoke: If set to `true`, the certificate will be revoked on resource destruction.
         :param pulumi.Input[builtins.str] serial_number: The certificate's serial number, hex formatted.
         :param pulumi.Input[builtins.int] signature_bits: The number of bits to use in the signature algorithm
-        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). Specified as a string in hex format.
+        :param pulumi.Input[builtins.str] skid: Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
         :param pulumi.Input[builtins.str] street_address: The street address
         :param pulumi.Input[builtins.str] ttl: Time to live
         :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] uri_sans: List of alternative URIs
         :param pulumi.Input[builtins.bool] use_csr_values: Preserve CSR values
-        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
+        :param pulumi.Input[builtins.bool] use_pss: Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -1629,6 +1667,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
         __props__.__dict__["ip_sans"] = ip_sans
         __props__.__dict__["issuer_ref"] = issuer_ref
         __props__.__dict__["issuing_ca"] = issuing_ca
+        __props__.__dict__["key_usages"] = key_usages
         __props__.__dict__["locality"] = locality
         __props__.__dict__["max_path_length"] = max_path_length
         __props__.__dict__["namespace"] = namespace
@@ -1794,6 +1833,14 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
         """
         return pulumi.get(self, "issuing_ca")
 
+    @property
+    @pulumi.getter(name="keyUsages")
+    def key_usages(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
+        """
+        Specify the key usages to be added to the existing set of key usages ("CRL", "CertSign") on the generated certificate.
+        """
+        return pulumi.get(self, "key_usages")
+
     @property
     @pulumi.getter
     def locality(self) -> pulumi.Output[Optional[builtins.str]]:
@@ -1939,7 +1986,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
     @pulumi.getter
     def skid(self) -> pulumi.Output[Optional[builtins.str]]:
         """
-        Value for the Subject Key Identifier field (RFC 5280 Section 4.2.1.2). Specified as a string in hex format.
+        Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.
         """
         return pulumi.get(self, "skid")
 
@@ -1979,7 +2026,7 @@ class SecretBackendRootSignIntermediate(pulumi.CustomResource):
     @pulumi.getter(name="usePss")
     def use_pss(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
-        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used.
+        Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
         """
         return pulumi.get(self, "use_pss")
 

pulumi_vault/pulumi-plugin.json

@@ -1,5 +1,5 @@
 {
   "resource": true,
   "name": "vault",
-  "version": "7.0.0-alpha.1750489873"
+  "version": "7.1.0-alpha.1752118888"
 }

pulumi_vault/quota_rate_limit.py

@@ -22,18 +22,27 @@ class QuotaRateLimitArgs:
     def __init__(__self__, *,
                  rate: pulumi.Input[builtins.float],
                  block_interval: Optional[pulumi.Input[builtins.int]] = None,
+                 group_by: Optional[pulumi.Input[builtins.str]] = None,
                  inheritable: Optional[pulumi.Input[builtins.bool]] = None,
                  interval: Optional[pulumi.Input[builtins.int]] = None,
                  name: Optional[pulumi.Input[builtins.str]] = None,
                  namespace: Optional[pulumi.Input[builtins.str]] = None,
                  path: Optional[pulumi.Input[builtins.str]] = None,
-                 role: Optional[pulumi.Input[builtins.str]] = None):
+                 role: Optional[pulumi.Input[builtins.str]] = None,
+                 secondary_rate: Optional[pulumi.Input[builtins.float]] = None):
         """
         The set of arguments for constructing a QuotaRateLimit resource.
         :param pulumi.Input[builtins.float] rate: The maximum number of requests at any given second to be allowed by the quota
                rule. The `rate` must be positive.
         :param pulumi.Input[builtins.int] block_interval: If set, when a client reaches a rate limit threshold, the client will
                be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.
+        :param pulumi.Input[builtins.str] group_by: Attribute used to group requests for rate limiting. Limits are enforced independently for each
+               group. Valid `group_by` modes are: 1) `ip` that groups requests by their source IP address (**`group_by` defaults to
+               `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests
+               that match the rate limit quota rule; 3) `entity_then_ip` that groups requests by their entity ID for authenticated
+               requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not
+               connected to an entity); and 4) `entity_then_none` which also groups requests by their entity ID when available, but
+               the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).
         :param pulumi.Input[builtins.bool] inheritable: If set to `true` on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to `true` if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.
         :param pulumi.Input[builtins.int] interval: The duration in seconds to enforce rate limiting for.
         :param pulumi.Input[builtins.str] name: Name of the rate limit quota
@@ -48,10 +57,15 @@ class QuotaRateLimitArgs:
                `auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to
                a namespace specific mount quota. **Note, namespaces are supported in Enterprise only.**
         :param pulumi.Input[builtins.str] role: If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.
+        :param pulumi.Input[builtins.float] secondary_rate: Can only be set for the `group_by` modes `entity_then_ip` or `entity_then_none`. This is
+               the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests
+               that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`.
         """
         pulumi.set(__self__, "rate", rate)
         if block_interval is not None:
             pulumi.set(__self__, "block_interval", block_interval)
+        if group_by is not None:
+            pulumi.set(__self__, "group_by", group_by)
         if inheritable is not None:
             pulumi.set(__self__, "inheritable", inheritable)
         if interval is not None:
@@ -64,6 +78,8 @@ class QuotaRateLimitArgs:
             pulumi.set(__self__, "path", path)
         if role is not None:
             pulumi.set(__self__, "role", role)
+        if secondary_rate is not None:
+            pulumi.set(__self__, "secondary_rate", secondary_rate)
 
     @property
     @pulumi.getter
@@ -91,6 +107,24 @@ class QuotaRateLimitArgs:
     def block_interval(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "block_interval", value)
 
+    @property
+    @pulumi.getter(name="groupBy")
+    def group_by(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Attribute used to group requests for rate limiting. Limits are enforced independently for each
+        group. Valid `group_by` modes are: 1) `ip` that groups requests by their source IP address (**`group_by` defaults to
+        `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests
+        that match the rate limit quota rule; 3) `entity_then_ip` that groups requests by their entity ID for authenticated
+        requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not
+        connected to an entity); and 4) `entity_then_none` which also groups requests by their entity ID when available, but
+        the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).
+        """
+        return pulumi.get(self, "group_by")
+
+    @group_by.setter
+    def group_by(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "group_by", value)
+
     @property
     @pulumi.getter
     def inheritable(self) -> Optional[pulumi.Input[builtins.bool]]:
@@ -171,22 +205,45 @@ class QuotaRateLimitArgs:
     def role(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "role", value)
 
+    @property
+    @pulumi.getter(name="secondaryRate")
+    def secondary_rate(self) -> Optional[pulumi.Input[builtins.float]]:
+        """
+        Can only be set for the `group_by` modes `entity_then_ip` or `entity_then_none`. This is
+        the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests
+        that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`.
+        """
+        return pulumi.get(self, "secondary_rate")
+
+    @secondary_rate.setter
+    def secondary_rate(self, value: Optional[pulumi.Input[builtins.float]]):
+        pulumi.set(self, "secondary_rate", value)
+
 
 @pulumi.input_type
 class _QuotaRateLimitState:
     def __init__(__self__, *,
                  block_interval: Optional[pulumi.Input[builtins.int]] = None,
+                 group_by: Optional[pulumi.Input[builtins.str]] = None,
                  inheritable: Optional[pulumi.Input[builtins.bool]] = None,
                  interval: Optional[pulumi.Input[builtins.int]] = None,
                  name: Optional[pulumi.Input[builtins.str]] = None,
                  namespace: Optional[pulumi.Input[builtins.str]] = None,
                  path: Optional[pulumi.Input[builtins.str]] = None,
                  rate: Optional[pulumi.Input[builtins.float]] = None,
-                 role: Optional[pulumi.Input[builtins.str]] = None):
+                 role: Optional[pulumi.Input[builtins.str]] = None,
+                 secondary_rate: Optional[pulumi.Input[builtins.float]] = None):
         """
         Input properties used for looking up and filtering QuotaRateLimit resources.
         :param pulumi.Input[builtins.int] block_interval: If set, when a client reaches a rate limit threshold, the client will
                be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.
+        :param pulumi.Input[builtins.str] group_by: Attribute used to group requests for rate limiting. Limits are enforced independently for each
+               group. Valid `group_by` modes are: 1) `ip` that groups requests by their source IP address (**`group_by` defaults to
+               `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests
+               that match the rate limit quota rule; 3) `entity_then_ip` that groups requests by their entity ID for authenticated
+               requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not
+               connected to an entity); and 4) `entity_then_none` which also groups requests by their entity ID when available, but
+               the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).
         :param pulumi.Input[builtins.bool] inheritable: If set to `true` on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to `true` if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.
         :param pulumi.Input[builtins.int] interval: The duration in seconds to enforce rate limiting for.
         :param pulumi.Input[builtins.str] name: Name of the rate limit quota
@@ -203,9 +260,14 @@ class _QuotaRateLimitState:
         :param pulumi.Input[builtins.float] rate: The maximum number of requests at any given second to be allowed by the quota
                rule. The `rate` must be positive.
         :param pulumi.Input[builtins.str] role: If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.
+        :param pulumi.Input[builtins.float] secondary_rate: Can only be set for the `group_by` modes `entity_then_ip` or `entity_then_none`. This is
+               the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests
+               that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`.
         """
         if block_interval is not None:
             pulumi.set(__self__, "block_interval", block_interval)
+        if group_by is not None:
+            pulumi.set(__self__, "group_by", group_by)
         if inheritable is not None:
             pulumi.set(__self__, "inheritable", inheritable)
         if interval is not None:
@@ -220,6 +282,8 @@ class _QuotaRateLimitState:
             pulumi.set(__self__, "rate", rate)
         if role is not None:
             pulumi.set(__self__, "role", role)
+        if secondary_rate is not None:
+            pulumi.set(__self__, "secondary_rate", secondary_rate)
 
     @property
     @pulumi.getter(name="blockInterval")
@@ -234,6 +298,24 @@ class _QuotaRateLimitState:
     def block_interval(self, value: Optional[pulumi.Input[builtins.int]]):
         pulumi.set(self, "block_interval", value)
 
+    @property
+    @pulumi.getter(name="groupBy")
+    def group_by(self) -> Optional[pulumi.Input[builtins.str]]:
+        """
+        Attribute used to group requests for rate limiting. Limits are enforced independently for each
+        group. Valid `group_by` modes are: 1) `ip` that groups requests by their source IP address (**`group_by` defaults to
+        `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests
+        that match the rate limit quota rule; 3) `entity_then_ip` that groups requests by their entity ID for authenticated
+        requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not
+        connected to an entity); and 4) `entity_then_none` which also groups requests by their entity ID when available, but
+        the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).
+        """
+        return pulumi.get(self, "group_by")
+
+    @group_by.setter
+    def group_by(self, value: Optional[pulumi.Input[builtins.str]]):
+        pulumi.set(self, "group_by", value)
+
     @property
     @pulumi.getter
     def inheritable(self) -> Optional[pulumi.Input[builtins.bool]]:
@@ -327,6 +409,20 @@ class _QuotaRateLimitState:
     def role(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "role", value)
 
+    @property
+    @pulumi.getter(name="secondaryRate")
+    def secondary_rate(self) -> Optional[pulumi.Input[builtins.float]]:
+        """
+        Can only be set for the `group_by` modes `entity_then_ip` or `entity_then_none`. This is
+        the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests
+        that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`.
+        """
+        return pulumi.get(self, "secondary_rate")
+
+    @secondary_rate.setter
+    def secondary_rate(self, value: Optional[pulumi.Input[builtins.float]]):
+        pulumi.set(self, "secondary_rate", value)
+
 
 @pulumi.type_token("vault:index/quotaRateLimit:QuotaRateLimit")
 class QuotaRateLimit(pulumi.CustomResource):
@@ -335,6 +431,7 @@ class QuotaRateLimit(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  block_interval: Optional[pulumi.Input[builtins.int]] = None,
+                 group_by: Optional[pulumi.Input[builtins.str]] = None,
                  inheritable: Optional[pulumi.Input[builtins.bool]] = None,
                  interval: Optional[pulumi.Input[builtins.int]] = None,
                  name: Optional[pulumi.Input[builtins.str]] = None,
@@ -342,6 +439,7 @@ class QuotaRateLimit(pulumi.CustomResource):
                  path: Optional[pulumi.Input[builtins.str]] = None,
                  rate: Optional[pulumi.Input[builtins.float]] = None,
                  role: Optional[pulumi.Input[builtins.str]] = None,
+                 secondary_rate: Optional[pulumi.Input[builtins.float]] = None,
                  __props__=None):
         """
         Manage rate limit quotas which enforce API rate limiting using a token bucket algorithm.
@@ -375,6 +473,13 @@ class QuotaRateLimit(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[builtins.int] block_interval: If set, when a client reaches a rate limit threshold, the client will
                be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.
+        :param pulumi.Input[builtins.str] group_by: Attribute used to group requests for rate limiting. Limits are enforced independently for each
+               group. Valid `group_by` modes are: 1) `ip` that groups requests by their source IP address (**`group_by` defaults to
+               `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests
+               that match the rate limit quota rule; 3) `entity_then_ip` that groups requests by their entity ID for authenticated
+               requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not
+               connected to an entity); and 4) `entity_then_none` which also groups requests by their entity ID when available, but
+               the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).
         :param pulumi.Input[builtins.bool] inheritable: If set to `true` on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to `true` if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.
         :param pulumi.Input[builtins.int] interval: The duration in seconds to enforce rate limiting for.
         :param pulumi.Input[builtins.str] name: Name of the rate limit quota
@@ -391,6 +496,9 @@ class QuotaRateLimit(pulumi.CustomResource):
         :param pulumi.Input[builtins.float] rate: The maximum number of requests at any given second to be allowed by the quota
                rule. The `rate` must be positive.
         :param pulumi.Input[builtins.str] role: If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.
+        :param pulumi.Input[builtins.float] secondary_rate: Can only be set for the `group_by` modes `entity_then_ip` or `entity_then_none`. This is
+               the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests
+               that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`.
         """
         ...
     @overload
@@ -442,6 +550,7 @@ class QuotaRateLimit(pulumi.CustomResource):
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
                  block_interval: Optional[pulumi.Input[builtins.int]] = None,
+                 group_by: Optional[pulumi.Input[builtins.str]] = None,
                  inheritable: Optional[pulumi.Input[builtins.bool]] = None,
                  interval: Optional[pulumi.Input[builtins.int]] = None,
                  name: Optional[pulumi.Input[builtins.str]] = None,
@@ -449,6 +558,7 @@ class QuotaRateLimit(pulumi.CustomResource):
                  path: Optional[pulumi.Input[builtins.str]] = None,
                  rate: Optional[pulumi.Input[builtins.float]] = None,
                  role: Optional[pulumi.Input[builtins.str]] = None,
+                 secondary_rate: Optional[pulumi.Input[builtins.float]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -459,6 +569,7 @@ class QuotaRateLimit(pulumi.CustomResource):
             __props__ = QuotaRateLimitArgs.__new__(QuotaRateLimitArgs)
 
             __props__.__dict__["block_interval"] = block_interval
+            __props__.__dict__["group_by"] = group_by
             __props__.__dict__["inheritable"] = inheritable
             __props__.__dict__["interval"] = interval
             __props__.__dict__["name"] = name
@@ -468,6 +579,7 @@ class QuotaRateLimit(pulumi.CustomResource):
                 raise TypeError("Missing required property 'rate'")
             __props__.__dict__["rate"] = rate
             __props__.__dict__["role"] = role
+            __props__.__dict__["secondary_rate"] = secondary_rate
         super(QuotaRateLimit, __self__).__init__(
             'vault:index/quotaRateLimit:QuotaRateLimit',
             resource_name,
@@ -479,13 +591,15 @@ class QuotaRateLimit(pulumi.CustomResource):
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
             block_interval: Optional[pulumi.Input[builtins.int]] = None,
+            group_by: Optional[pulumi.Input[builtins.str]] = None,
             inheritable: Optional[pulumi.Input[builtins.bool]] = None,
             interval: Optional[pulumi.Input[builtins.int]] = None,
             name: Optional[pulumi.Input[builtins.str]] = None,
             namespace: Optional[pulumi.Input[builtins.str]] = None,
             path: Optional[pulumi.Input[builtins.str]] = None,
             rate: Optional[pulumi.Input[builtins.float]] = None,
-            role: Optional[pulumi.Input[builtins.str]] = None) -> 'QuotaRateLimit':
+            role: Optional[pulumi.Input[builtins.str]] = None,
+            secondary_rate: Optional[pulumi.Input[builtins.float]] = None) -> 'QuotaRateLimit':
         """
         Get an existing QuotaRateLimit resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -495,6 +609,13 @@ class QuotaRateLimit(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[builtins.int] block_interval: If set, when a client reaches a rate limit threshold, the client will
                be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.
+        :param pulumi.Input[builtins.str] group_by: Attribute used to group requests for rate limiting. Limits are enforced independently for each
+               group. Valid `group_by` modes are: 1) `ip` that groups requests by their source IP address (**`group_by` defaults to
+               `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests
+               that match the rate limit quota rule; 3) `entity_then_ip` that groups requests by their entity ID for authenticated
+               requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not
+               connected to an entity); and 4) `entity_then_none` which also groups requests by their entity ID when available, but
+               the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).
         :param pulumi.Input[builtins.bool] inheritable: If set to `true` on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to `true` if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.
         :param pulumi.Input[builtins.int] interval: The duration in seconds to enforce rate limiting for.
         :param pulumi.Input[builtins.str] name: Name of the rate limit quota
@@ -511,12 +632,16 @@ class QuotaRateLimit(pulumi.CustomResource):
         :param pulumi.Input[builtins.float] rate: The maximum number of requests at any given second to be allowed by the quota
                rule. The `rate` must be positive.
         :param pulumi.Input[builtins.str] role: If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.
+        :param pulumi.Input[builtins.float] secondary_rate: Can only be set for the `group_by` modes `entity_then_ip` or `entity_then_none`. This is
+               the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests
+               that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
         __props__ = _QuotaRateLimitState.__new__(_QuotaRateLimitState)
 
         __props__.__dict__["block_interval"] = block_interval
+        __props__.__dict__["group_by"] = group_by
         __props__.__dict__["inheritable"] = inheritable
         __props__.__dict__["interval"] = interval
         __props__.__dict__["name"] = name
@@ -524,6 +649,7 @@ class QuotaRateLimit(pulumi.CustomResource):
         __props__.__dict__["path"] = path
         __props__.__dict__["rate"] = rate
         __props__.__dict__["role"] = role
+        __props__.__dict__["secondary_rate"] = secondary_rate
         return QuotaRateLimit(resource_name, opts=opts, __props__=__props__)
 
     @property
@@ -535,6 +661,20 @@ class QuotaRateLimit(pulumi.CustomResource):
         """
         return pulumi.get(self, "block_interval")
 
+    @property
+    @pulumi.getter(name="groupBy")
+    def group_by(self) -> pulumi.Output[builtins.str]:
+        """
+        Attribute used to group requests for rate limiting. Limits are enforced independently for each
+        group. Valid `group_by` modes are: 1) `ip` that groups requests by their source IP address (**`group_by` defaults to
+        `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests
+        that match the rate limit quota rule; 3) `entity_then_ip` that groups requests by their entity ID for authenticated
+        requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not
+        connected to an entity); and 4) `entity_then_none` which also groups requests by their entity ID when available, but
+        the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).
+        """
+        return pulumi.get(self, "group_by")
+
     @property
     @pulumi.getter
     def inheritable(self) -> pulumi.Output[Optional[builtins.bool]]:
@@ -600,3 +740,13 @@ class QuotaRateLimit(pulumi.CustomResource):
         """
         return pulumi.get(self, "role")
 
+    @property
+    @pulumi.getter(name="secondaryRate")
+    def secondary_rate(self) -> pulumi.Output[builtins.float]:
+        """
+        Can only be set for the `group_by` modes `entity_then_ip` or `entity_then_none`. This is
+        the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests
+        that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`.
+        """
+        return pulumi.get(self, "secondary_rate")
+