pulumi-vault 7.5.0a1763696324__py3-none-any.whl → 7.6.0__py3-none-any.whl

pulumi_vault/database/_inputs.py

@@ -2739,6 +2739,10 @@ if not MYPY:
         """
         Version counter for root credential password write-only field
         """
+        self_managed: NotRequired[pulumi.Input[_builtins.bool]]
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
         split_statements: NotRequired[pulumi.Input[_builtins.bool]]
         """
         Set to true in order to split statements after semi-colons.
@@ -2765,6 +2769,7 @@ class SecretBackendConnectionOracleArgs:
                  password: Optional[pulumi.Input[_builtins.str]] = None,
                  password_wo: Optional[pulumi.Input[_builtins.str]] = None,
                  password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
+                 self_managed: Optional[pulumi.Input[_builtins.bool]] = None,
                  split_statements: Optional[pulumi.Input[_builtins.bool]] = None,
                  username: Optional[pulumi.Input[_builtins.str]] = None,
                  username_template: Optional[pulumi.Input[_builtins.str]] = None):
@@ -2778,6 +2783,7 @@ class SecretBackendConnectionOracleArgs:
         :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
                Write-only field for the root credential password used in the connection URL
         :param pulumi.Input[_builtins.int] password_wo_version: Version counter for root credential password write-only field
+        :param pulumi.Input[_builtins.bool] self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param pulumi.Input[_builtins.bool] split_statements: Set to true in order to split statements after semi-colons.
         :param pulumi.Input[_builtins.str] username: The root credential username used in the connection URL
         :param pulumi.Input[_builtins.str] username_template: Username generation template.
@@ -2798,6 +2804,8 @@ class SecretBackendConnectionOracleArgs:
             pulumi.set(__self__, "password_wo", password_wo)
         if password_wo_version is not None:
             pulumi.set(__self__, "password_wo_version", password_wo_version)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -2902,6 +2910,18 @@ class SecretBackendConnectionOracleArgs:
     def password_wo_version(self, value: Optional[pulumi.Input[_builtins.int]]):
         pulumi.set(self, "password_wo_version", value)
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
+    @self_managed.setter
+    def self_managed(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "self_managed", value)
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[pulumi.Input[_builtins.bool]]:
@@ -9358,6 +9378,10 @@ if not MYPY:
         a rotation when a scheduled token rotation occurs. The default rotation window is
         unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
         """
+        self_managed: NotRequired[pulumi.Input[_builtins.bool]]
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
         split_statements: NotRequired[pulumi.Input[_builtins.bool]]
         """
         Set to true in order to split statements after semi-colons.
@@ -9398,6 +9422,7 @@ class SecretsMountOracleArgs:
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_window: Optional[pulumi.Input[_builtins.int]] = None,
+                 self_managed: Optional[pulumi.Input[_builtins.bool]] = None,
                  split_statements: Optional[pulumi.Input[_builtins.bool]] = None,
                  username: Optional[pulumi.Input[_builtins.str]] = None,
                  username_template: Optional[pulumi.Input[_builtins.str]] = None,
@@ -9428,6 +9453,7 @@ class SecretsMountOracleArgs:
         :param pulumi.Input[_builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
                a rotation when a scheduled token rotation occurs. The default rotation window is
                unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[_builtins.bool] self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param pulumi.Input[_builtins.bool] split_statements: Set to true in order to split statements after semi-colons.
         :param pulumi.Input[_builtins.str] username: The root credential username used in the connection URL
         :param pulumi.Input[_builtins.str] username_template: Username generation template.
@@ -9467,6 +9493,8 @@ class SecretsMountOracleArgs:
             pulumi.set(__self__, "rotation_schedule", rotation_schedule)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -9688,6 +9716,18 @@ class SecretsMountOracleArgs:
     def rotation_window(self, value: Optional[pulumi.Input[_builtins.int]]):
         pulumi.set(self, "rotation_window", value)
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
+    @self_managed.setter
+    def self_managed(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "self_managed", value)
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[pulumi.Input[_builtins.bool]]:

pulumi_vault/database/outputs.py

@@ -1996,6 +1996,8 @@ class SecretBackendConnectionOracle(dict):
             suggest = "password_wo"
         elif key == "passwordWoVersion":
             suggest = "password_wo_version"
+        elif key == "selfManaged":
+            suggest = "self_managed"
         elif key == "splitStatements":
             suggest = "split_statements"
         elif key == "usernameTemplate":
@@ -2021,6 +2023,7 @@ class SecretBackendConnectionOracle(dict):
                  password: Optional[_builtins.str] = None,
                  password_wo: Optional[_builtins.str] = None,
                  password_wo_version: Optional[_builtins.int] = None,
+                 self_managed: Optional[_builtins.bool] = None,
                  split_statements: Optional[_builtins.bool] = None,
                  username: Optional[_builtins.str] = None,
                  username_template: Optional[_builtins.str] = None):
@@ -2034,6 +2037,7 @@ class SecretBackendConnectionOracle(dict):
         :param _builtins.str password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
                Write-only field for the root credential password used in the connection URL
         :param _builtins.int password_wo_version: Version counter for root credential password write-only field
+        :param _builtins.bool self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param _builtins.bool split_statements: Set to true in order to split statements after semi-colons.
         :param _builtins.str username: The root credential username used in the connection URL
         :param _builtins.str username_template: Username generation template.
@@ -2054,6 +2058,8 @@ class SecretBackendConnectionOracle(dict):
             pulumi.set(__self__, "password_wo", password_wo)
         if password_wo_version is not None:
             pulumi.set(__self__, "password_wo_version", password_wo_version)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -2126,6 +2132,14 @@ class SecretBackendConnectionOracle(dict):
         """
         return pulumi.get(self, "password_wo_version")
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[_builtins.bool]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[_builtins.bool]:
@@ -6676,6 +6690,8 @@ class SecretsMountOracle(dict):
             suggest = "rotation_schedule"
         elif key == "rotationWindow":
             suggest = "rotation_window"
+        elif key == "selfManaged":
+            suggest = "self_managed"
         elif key == "splitStatements":
             suggest = "split_statements"
         elif key == "usernameTemplate":
@@ -6712,6 +6728,7 @@ class SecretsMountOracle(dict):
                  rotation_period: Optional[_builtins.int] = None,
                  rotation_schedule: Optional[_builtins.str] = None,
                  rotation_window: Optional[_builtins.int] = None,
+                 self_managed: Optional[_builtins.bool] = None,
                  split_statements: Optional[_builtins.bool] = None,
                  username: Optional[_builtins.str] = None,
                  username_template: Optional[_builtins.str] = None,
@@ -6742,6 +6759,7 @@ class SecretsMountOracle(dict):
         :param _builtins.int rotation_window: The maximum amount of time in seconds allowed to complete
                a rotation when a scheduled token rotation occurs. The default rotation window is
                unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param _builtins.bool self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param _builtins.bool split_statements: Set to true in order to split statements after semi-colons.
         :param _builtins.str username: The root credential username used in the connection URL
         :param _builtins.str username_template: Username generation template.
@@ -6781,6 +6799,8 @@ class SecretsMountOracle(dict):
             pulumi.set(__self__, "rotation_schedule", rotation_schedule)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -6934,6 +6954,14 @@ class SecretsMountOracle(dict):
         """
         return pulumi.get(self, "rotation_window")
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[_builtins.bool]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[_builtins.bool]:

pulumi_vault/database/secret_backend_connection.py

@@ -1077,6 +1077,8 @@ class SecretBackendConnection(pulumi.CustomResource):
         """
         ## Example Usage
 
+        ### PostgreSQL Connection
+
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1098,6 +1100,37 @@ class SecretBackendConnection(pulumi.CustomResource):
             })
         ```
 
+        ### Oracle Connection with Self-Managed Mode (Rootless)
+
+        For Vault 1.18+ Enterprise, you can configure Oracle connections in self-managed mode,
+        which allows a static role to manage its own database credentials without requiring root access:
+
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+
+        db = vault.Mount("db",
+            path="database",
+            type="database")
+        oracle = vault.database.SecretBackendConnection("oracle",
+            backend=db.path,
+            name="oracle",
+            allowed_roles=["my-role"],
+            oracle={
+                "connection_url": "{{username}}/{{password}}@//host:port/service",
+                "self_managed": True,
+                "plugin_name": "vault-plugin-database-oracle",
+            })
+        oracle_role = vault.database.SecretBackendStaticRole("oracle_role",
+            backend=db.path,
+            name="my-role",
+            db_name=oracle.name,
+            username="vault_user",
+            password_wo="initial-password",
+            password_wo_version=1,
+            rotation_period=3600)
+        ```
+
         ## Ephemeral Attributes Reference
 
         The following write-only attributes are supported for all DBs that support username/password:
@@ -1171,6 +1204,8 @@ class SecretBackendConnection(pulumi.CustomResource):
         """
         ## Example Usage
 
+        ### PostgreSQL Connection
+
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1192,6 +1227,37 @@ class SecretBackendConnection(pulumi.CustomResource):
             })
         ```
 
+        ### Oracle Connection with Self-Managed Mode (Rootless)
+
+        For Vault 1.18+ Enterprise, you can configure Oracle connections in self-managed mode,
+        which allows a static role to manage its own database credentials without requiring root access:
+
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+
+        db = vault.Mount("db",
+            path="database",
+            type="database")
+        oracle = vault.database.SecretBackendConnection("oracle",
+            backend=db.path,
+            name="oracle",
+            allowed_roles=["my-role"],
+            oracle={
+                "connection_url": "{{username}}/{{password}}@//host:port/service",
+                "self_managed": True,
+                "plugin_name": "vault-plugin-database-oracle",
+            })
+        oracle_role = vault.database.SecretBackendStaticRole("oracle_role",
+            backend=db.path,
+            name="my-role",
+            db_name=oracle.name,
+            username="vault_user",
+            password_wo="initial-password",
+            password_wo_version=1,
+            rotation_period=3600)
+        ```
+
         ## Ephemeral Attributes Reference
 
         The following write-only attributes are supported for all DBs that support username/password:

pulumi_vault/database/secret_backend_static_role.py

@@ -26,6 +26,8 @@ class SecretBackendStaticRoleArgs:
                  credential_type: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -43,6 +45,13 @@ class SecretBackendStaticRoleArgs:
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -56,6 +65,7 @@ class SecretBackendStaticRoleArgs:
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         """
@@ -70,6 +80,10 @@ class SecretBackendStaticRoleArgs:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if password_wo is not None:
+            pulumi.set(__self__, "password_wo", password_wo)
+        if password_wo_version is not None:
+            pulumi.set(__self__, "password_wo_version", password_wo_version)
         if rotation_period is not None:
             pulumi.set(__self__, "rotation_period", rotation_period)
         if rotation_schedule is not None:
@@ -167,6 +181,35 @@ class SecretBackendStaticRoleArgs:
     def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "namespace", value)
 
+    @_builtins.property
+    @pulumi.getter(name="passwordWo")
+    def password_wo(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+        The password corresponding to the username in the database.
+        This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+        Cannot be used with `self_managed_password`.
+        """
+        return pulumi.get(self, "password_wo")
+
+    @password_wo.setter
+    def password_wo(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "password_wo", value)
+
+    @_builtins.property
+    @pulumi.getter(name="passwordWoVersion")
+    def password_wo_version(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The version of the `password_wo` field. 
+        Used for tracking changes to the write-only password field. For more info see
+        updating write-only attributes.
+        """
+        return pulumi.get(self, "password_wo_version")
+
+    @password_wo_version.setter
+    def password_wo_version(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "password_wo_version", value)
+
     @_builtins.property
     @pulumi.getter(name="rotationPeriod")
     def rotation_period(self) -> Optional[pulumi.Input[_builtins.int]]:
@@ -228,6 +271,7 @@ class SecretBackendStaticRoleArgs:
         The password corresponding to the username in the database.
         Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
         select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         """
         return pulumi.get(self, "self_managed_password")
 
@@ -258,6 +302,8 @@ class _SecretBackendStaticRoleState:
                  db_name: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -275,6 +321,13 @@ class _SecretBackendStaticRoleState:
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -288,6 +341,7 @@ class _SecretBackendStaticRoleState:
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[_builtins.str] username: The database username that this static role corresponds to.
@@ -304,6 +358,10 @@ class _SecretBackendStaticRoleState:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if password_wo is not None:
+            pulumi.set(__self__, "password_wo", password_wo)
+        if password_wo_version is not None:
+            pulumi.set(__self__, "password_wo_version", password_wo_version)
         if rotation_period is not None:
             pulumi.set(__self__, "rotation_period", rotation_period)
         if rotation_schedule is not None:
@@ -391,6 +449,35 @@ class _SecretBackendStaticRoleState:
     def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "namespace", value)
 
+    @_builtins.property
+    @pulumi.getter(name="passwordWo")
+    def password_wo(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+        The password corresponding to the username in the database.
+        This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+        Cannot be used with `self_managed_password`.
+        """
+        return pulumi.get(self, "password_wo")
+
+    @password_wo.setter
+    def password_wo(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "password_wo", value)
+
+    @_builtins.property
+    @pulumi.getter(name="passwordWoVersion")
+    def password_wo_version(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The version of the `password_wo` field. 
+        Used for tracking changes to the write-only password field. For more info see
+        updating write-only attributes.
+        """
+        return pulumi.get(self, "password_wo_version")
+
+    @password_wo_version.setter
+    def password_wo_version(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "password_wo_version", value)
+
     @_builtins.property
     @pulumi.getter(name="rotationPeriod")
     def rotation_period(self) -> Optional[pulumi.Input[_builtins.int]]:
@@ -452,6 +539,7 @@ class _SecretBackendStaticRoleState:
         The password corresponding to the username in the database.
         Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
         select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         """
         return pulumi.get(self, "self_managed_password")
 
@@ -497,6 +585,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  db_name: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -543,6 +633,16 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             rotation_schedule="0 0 * * SAT",
             rotation_window=172800,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
+        # configure a static role with a password (Vault 1.19+)
+        password_role = vault.database.SecretBackendStaticRole("password_role",
+            backend=db.path,
+            name="my-password-role",
+            db_name=postgres.name,
+            username="example",
+            password_wo="my-password",
+            password_wo_version=1,
+            rotation_period=3600,
+            rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         ```
 
         ## Import
@@ -563,6 +663,13 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -576,6 +683,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[_builtins.str] username: The database username that this static role corresponds to.
@@ -624,6 +732,16 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             rotation_schedule="0 0 * * SAT",
             rotation_window=172800,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
+        # configure a static role with a password (Vault 1.19+)
+        password_role = vault.database.SecretBackendStaticRole("password_role",
+            backend=db.path,
+            name="my-password-role",
+            db_name=postgres.name,
+            username="example",
+            password_wo="my-password",
+            password_wo_version=1,
+            rotation_period=3600,
+            rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         ```
 
         ## Import
@@ -655,6 +773,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  db_name: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -681,6 +801,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             __props__.__dict__["db_name"] = db_name
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
+            __props__.__dict__["password_wo"] = None if password_wo is None else pulumi.Output.secret(password_wo)
+            __props__.__dict__["password_wo_version"] = password_wo_version
             __props__.__dict__["rotation_period"] = rotation_period
             __props__.__dict__["rotation_schedule"] = rotation_schedule
             __props__.__dict__["rotation_statements"] = rotation_statements
@@ -690,7 +812,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             if username is None and not opts.urn:
                 raise TypeError("Missing required property 'username'")
             __props__.__dict__["username"] = username
-        secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["selfManagedPassword"])
+        secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["passwordWo", "selfManagedPassword"])
         opts = pulumi.ResourceOptions.merge(opts, secret_opts)
         super(SecretBackendStaticRole, __self__).__init__(
             'vault:database/secretBackendStaticRole:SecretBackendStaticRole',
@@ -708,6 +830,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             db_name: Optional[pulumi.Input[_builtins.str]] = None,
             name: Optional[pulumi.Input[_builtins.str]] = None,
             namespace: Optional[pulumi.Input[_builtins.str]] = None,
+            password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+            password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
             rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
             rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
             rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -730,6 +854,13 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -743,6 +874,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[_builtins.str] username: The database username that this static role corresponds to.
@@ -757,6 +889,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         __props__.__dict__["db_name"] = db_name
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
+        __props__.__dict__["password_wo"] = password_wo
+        __props__.__dict__["password_wo_version"] = password_wo_version
         __props__.__dict__["rotation_period"] = rotation_period
         __props__.__dict__["rotation_schedule"] = rotation_schedule
         __props__.__dict__["rotation_statements"] = rotation_statements
@@ -814,6 +948,27 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "namespace")
 
+    @_builtins.property
+    @pulumi.getter(name="passwordWo")
+    def password_wo(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+        The password corresponding to the username in the database.
+        This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+        Cannot be used with `self_managed_password`.
+        """
+        return pulumi.get(self, "password_wo")
+
+    @_builtins.property
+    @pulumi.getter(name="passwordWoVersion")
+    def password_wo_version(self) -> pulumi.Output[Optional[_builtins.int]]:
+        """
+        The version of the `password_wo` field. 
+        Used for tracking changes to the write-only password field. For more info see
+        updating write-only attributes.
+        """
+        return pulumi.get(self, "password_wo_version")
+
     @_builtins.property
     @pulumi.getter(name="rotationPeriod")
     def rotation_period(self) -> pulumi.Output[Optional[_builtins.int]]:
@@ -859,6 +1014,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         The password corresponding to the username in the database.
         Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
         select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         """
         return pulumi.get(self, "self_managed_password")
 

pulumi_vault/kubernetes/auth_backend_role.py

@@ -20,12 +20,13 @@ __all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
 class AuthBackendRoleArgs:
     def __init__(__self__, *,
                  bound_service_account_names: pulumi.Input[Sequence[pulumi.Input[_builtins.str]]],
-                 bound_service_account_namespaces: pulumi.Input[Sequence[pulumi.Input[_builtins.str]]],
                  role_name: pulumi.Input[_builtins.str],
                  alias_metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
                  alias_name_source: Optional[pulumi.Input[_builtins.str]] = None,
                  audience: Optional[pulumi.Input[_builtins.str]] = None,
                  backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 bound_service_account_namespace_selector: Optional[pulumi.Input[_builtins.str]] = None,
+                 bound_service_account_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
                  token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
                  token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
@@ -39,7 +40,6 @@ class AuthBackendRoleArgs:
         """
         The set of arguments for constructing a AuthBackendRole resource.
         :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_names: List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*".
-        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_namespaces: List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
         :param pulumi.Input[_builtins.str] role_name: Name of the role.
         :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] alias_metadata: The metadata to be tied to generated entity alias.
                  This should be a list or map containing the metadata in key value pairs.
@@ -51,6 +51,8 @@ class AuthBackendRoleArgs:
                before setting this to something other its default value. There are **important** security
                implications to be aware of.
         :param pulumi.Input[_builtins.str] backend: Unique name of the kubernetes backend to configure.
+        :param pulumi.Input[_builtins.str] bound_service_account_namespace_selector: A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_namespaces: List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
         :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
@@ -66,7 +68,6 @@ class AuthBackendRoleArgs:
         :param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
         """
         pulumi.set(__self__, "bound_service_account_names", bound_service_account_names)
-        pulumi.set(__self__, "bound_service_account_namespaces", bound_service_account_namespaces)
         pulumi.set(__self__, "role_name", role_name)
         if alias_metadata is not None:
             pulumi.set(__self__, "alias_metadata", alias_metadata)
@@ -76,6 +77,10 @@ class AuthBackendRoleArgs:
             pulumi.set(__self__, "audience", audience)
         if backend is not None:
             pulumi.set(__self__, "backend", backend)
+        if bound_service_account_namespace_selector is not None:
+            pulumi.set(__self__, "bound_service_account_namespace_selector", bound_service_account_namespace_selector)
+        if bound_service_account_namespaces is not None:
+            pulumi.set(__self__, "bound_service_account_namespaces", bound_service_account_namespaces)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
         if token_bound_cidrs is not None:
@@ -109,18 +114,6 @@ class AuthBackendRoleArgs:
     def bound_service_account_names(self, value: pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]):
         pulumi.set(self, "bound_service_account_names", value)
 
-    @_builtins.property
-    @pulumi.getter(name="boundServiceAccountNamespaces")
-    def bound_service_account_namespaces(self) -> pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]:
-        """
-        List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
-        """
-        return pulumi.get(self, "bound_service_account_namespaces")
-
-    @bound_service_account_namespaces.setter
-    def bound_service_account_namespaces(self, value: pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]):
-        pulumi.set(self, "bound_service_account_namespaces", value)
-
     @_builtins.property
     @pulumi.getter(name="roleName")
     def role_name(self) -> pulumi.Input[_builtins.str]:
@@ -187,6 +180,30 @@ class AuthBackendRoleArgs:
     def backend(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "backend", value)
 
+    @_builtins.property
+    @pulumi.getter(name="boundServiceAccountNamespaceSelector")
+    def bound_service_account_namespace_selector(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
+        """
+        return pulumi.get(self, "bound_service_account_namespace_selector")
+
+    @bound_service_account_namespace_selector.setter
+    def bound_service_account_namespace_selector(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "bound_service_account_namespace_selector", value)
+
+    @_builtins.property
+    @pulumi.getter(name="boundServiceAccountNamespaces")
+    def bound_service_account_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
+        """
+        return pulumi.get(self, "bound_service_account_namespaces")
+
+    @bound_service_account_namespaces.setter
+    def bound_service_account_namespaces(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_service_account_namespaces", value)
+
     @_builtins.property
     @pulumi.getter
     def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
@@ -319,6 +336,7 @@ class _AuthBackendRoleState:
                  audience: Optional[pulumi.Input[_builtins.str]] = None,
                  backend: Optional[pulumi.Input[_builtins.str]] = None,
                  bound_service_account_names: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_service_account_namespace_selector: Optional[pulumi.Input[_builtins.str]] = None,
                  bound_service_account_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
                  role_name: Optional[pulumi.Input[_builtins.str]] = None,
@@ -344,6 +362,7 @@ class _AuthBackendRoleState:
                implications to be aware of.
         :param pulumi.Input[_builtins.str] backend: Unique name of the kubernetes backend to configure.
         :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_names: List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*".
+        :param pulumi.Input[_builtins.str] bound_service_account_namespace_selector: A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
         :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_namespaces: List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
         :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
@@ -370,6 +389,8 @@ class _AuthBackendRoleState:
             pulumi.set(__self__, "backend", backend)
         if bound_service_account_names is not None:
             pulumi.set(__self__, "bound_service_account_names", bound_service_account_names)
+        if bound_service_account_namespace_selector is not None:
+            pulumi.set(__self__, "bound_service_account_namespace_selector", bound_service_account_namespace_selector)
         if bound_service_account_namespaces is not None:
             pulumi.set(__self__, "bound_service_account_namespaces", bound_service_account_namespaces)
         if namespace is not None:
@@ -461,6 +482,18 @@ class _AuthBackendRoleState:
     def bound_service_account_names(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "bound_service_account_names", value)
 
+    @_builtins.property
+    @pulumi.getter(name="boundServiceAccountNamespaceSelector")
+    def bound_service_account_namespace_selector(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
+        """
+        return pulumi.get(self, "bound_service_account_namespace_selector")
+
+    @bound_service_account_namespace_selector.setter
+    def bound_service_account_namespace_selector(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "bound_service_account_namespace_selector", value)
+
     @_builtins.property
     @pulumi.getter(name="boundServiceAccountNamespaces")
     def bound_service_account_namespaces(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
@@ -620,6 +653,7 @@ class AuthBackendRole(pulumi.CustomResource):
                  audience: Optional[pulumi.Input[_builtins.str]] = None,
                  backend: Optional[pulumi.Input[_builtins.str]] = None,
                  bound_service_account_names: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_service_account_namespace_selector: Optional[pulumi.Input[_builtins.str]] = None,
                  bound_service_account_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
                  role_name: Optional[pulumi.Input[_builtins.str]] = None,
@@ -680,6 +714,7 @@ class AuthBackendRole(pulumi.CustomResource):
                implications to be aware of.
         :param pulumi.Input[_builtins.str] backend: Unique name of the kubernetes backend to configure.
         :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_names: List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*".
+        :param pulumi.Input[_builtins.str] bound_service_account_namespace_selector: A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
         :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_namespaces: List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
         :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
@@ -756,6 +791,7 @@ class AuthBackendRole(pulumi.CustomResource):
                  audience: Optional[pulumi.Input[_builtins.str]] = None,
                  backend: Optional[pulumi.Input[_builtins.str]] = None,
                  bound_service_account_names: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_service_account_namespace_selector: Optional[pulumi.Input[_builtins.str]] = None,
                  bound_service_account_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
                  role_name: Optional[pulumi.Input[_builtins.str]] = None,
@@ -784,8 +820,7 @@ class AuthBackendRole(pulumi.CustomResource):
             if bound_service_account_names is None and not opts.urn:
                 raise TypeError("Missing required property 'bound_service_account_names'")
             __props__.__dict__["bound_service_account_names"] = bound_service_account_names
-            if bound_service_account_namespaces is None and not opts.urn:
-                raise TypeError("Missing required property 'bound_service_account_namespaces'")
+            __props__.__dict__["bound_service_account_namespace_selector"] = bound_service_account_namespace_selector
             __props__.__dict__["bound_service_account_namespaces"] = bound_service_account_namespaces
             __props__.__dict__["namespace"] = namespace
             if role_name is None and not opts.urn:
@@ -815,6 +850,7 @@ class AuthBackendRole(pulumi.CustomResource):
             audience: Optional[pulumi.Input[_builtins.str]] = None,
             backend: Optional[pulumi.Input[_builtins.str]] = None,
             bound_service_account_names: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_service_account_namespace_selector: Optional[pulumi.Input[_builtins.str]] = None,
             bound_service_account_namespaces: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
             namespace: Optional[pulumi.Input[_builtins.str]] = None,
             role_name: Optional[pulumi.Input[_builtins.str]] = None,
@@ -845,6 +881,7 @@ class AuthBackendRole(pulumi.CustomResource):
                implications to be aware of.
         :param pulumi.Input[_builtins.str] backend: Unique name of the kubernetes backend to configure.
         :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_names: List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*".
+        :param pulumi.Input[_builtins.str] bound_service_account_namespace_selector: A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
         :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_service_account_namespaces: List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
         :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
@@ -870,6 +907,7 @@ class AuthBackendRole(pulumi.CustomResource):
         __props__.__dict__["audience"] = audience
         __props__.__dict__["backend"] = backend
         __props__.__dict__["bound_service_account_names"] = bound_service_account_names
+        __props__.__dict__["bound_service_account_namespace_selector"] = bound_service_account_namespace_selector
         __props__.__dict__["bound_service_account_namespaces"] = bound_service_account_namespaces
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["role_name"] = role_name
@@ -930,9 +968,17 @@ class AuthBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "bound_service_account_names")
 
+    @_builtins.property
+    @pulumi.getter(name="boundServiceAccountNamespaceSelector")
+    def bound_service_account_namespace_selector(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
+        """
+        return pulumi.get(self, "bound_service_account_namespace_selector")
+
     @_builtins.property
     @pulumi.getter(name="boundServiceAccountNamespaces")
-    def bound_service_account_namespaces(self) -> pulumi.Output[Sequence[_builtins.str]]:
+    def bound_service_account_namespaces(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
         List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*".
         """

pulumi_vault/kubernetes/get_auth_backend_role.py

@@ -26,7 +26,7 @@ class GetAuthBackendRoleResult:
     """
     A collection of values returned by getAuthBackendRole.
     """
-    def __init__(__self__, alias_metadata=None, alias_name_source=None, audience=None, backend=None, bound_service_account_names=None, bound_service_account_namespaces=None, id=None, namespace=None, role_name=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None):
+    def __init__(__self__, alias_metadata=None, alias_name_source=None, audience=None, backend=None, bound_service_account_names=None, bound_service_account_namespace_selector=None, bound_service_account_namespaces=None, id=None, namespace=None, role_name=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None):
         if alias_metadata and not isinstance(alias_metadata, dict):
             raise TypeError("Expected argument 'alias_metadata' to be a dict")
         pulumi.set(__self__, "alias_metadata", alias_metadata)
@@ -42,6 +42,9 @@ class GetAuthBackendRoleResult:
         if bound_service_account_names and not isinstance(bound_service_account_names, list):
             raise TypeError("Expected argument 'bound_service_account_names' to be a list")
         pulumi.set(__self__, "bound_service_account_names", bound_service_account_names)
+        if bound_service_account_namespace_selector and not isinstance(bound_service_account_namespace_selector, str):
+            raise TypeError("Expected argument 'bound_service_account_namespace_selector' to be a str")
+        pulumi.set(__self__, "bound_service_account_namespace_selector", bound_service_account_namespace_selector)
         if bound_service_account_namespaces and not isinstance(bound_service_account_namespaces, list):
             raise TypeError("Expected argument 'bound_service_account_namespaces' to be a list")
         pulumi.set(__self__, "bound_service_account_namespaces", bound_service_account_namespaces)
@@ -116,6 +119,14 @@ class GetAuthBackendRoleResult:
         """
         return pulumi.get(self, "bound_service_account_names")
 
+    @_builtins.property
+    @pulumi.getter(name="boundServiceAccountNamespaceSelector")
+    def bound_service_account_namespace_selector(self) -> _builtins.str:
+        """
+        A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.
+        """
+        return pulumi.get(self, "bound_service_account_namespace_selector")
+
     @_builtins.property
     @pulumi.getter(name="boundServiceAccountNamespaces")
     def bound_service_account_namespaces(self) -> Sequence[_builtins.str]:
@@ -244,6 +255,7 @@ class AwaitableGetAuthBackendRoleResult(GetAuthBackendRoleResult):
             audience=self.audience,
             backend=self.backend,
             bound_service_account_names=self.bound_service_account_names,
+            bound_service_account_namespace_selector=self.bound_service_account_namespace_selector,
             bound_service_account_namespaces=self.bound_service_account_namespaces,
             id=self.id,
             namespace=self.namespace,
@@ -351,6 +363,7 @@ def get_auth_backend_role(alias_metadata: Optional[Mapping[str, _builtins.str]]
         audience=pulumi.get(__ret__, 'audience'),
         backend=pulumi.get(__ret__, 'backend'),
         bound_service_account_names=pulumi.get(__ret__, 'bound_service_account_names'),
+        bound_service_account_namespace_selector=pulumi.get(__ret__, 'bound_service_account_namespace_selector'),
         bound_service_account_namespaces=pulumi.get(__ret__, 'bound_service_account_namespaces'),
         id=pulumi.get(__ret__, 'id'),
         namespace=pulumi.get(__ret__, 'namespace'),
@@ -455,6 +468,7 @@ def get_auth_backend_role_output(alias_metadata: Optional[pulumi.Input[Optional[
         audience=pulumi.get(__response__, 'audience'),
         backend=pulumi.get(__response__, 'backend'),
         bound_service_account_names=pulumi.get(__response__, 'bound_service_account_names'),
+        bound_service_account_namespace_selector=pulumi.get(__response__, 'bound_service_account_namespace_selector'),
         bound_service_account_namespaces=pulumi.get(__response__, 'bound_service_account_namespaces'),
         id=pulumi.get(__response__, 'id'),
         namespace=pulumi.get(__response__, 'namespace'),

pulumi_vault/pulumi-plugin.json

@@ -1,5 +1,5 @@
 {
   "resource": true,
   "name": "vault",
-  "version": "7.5.0-alpha.1763696324"
+  "version": "7.6.0"
 }

{pulumi_vault-7.5.0a1763696324.dist-info → pulumi_vault-7.6.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulumi_vault
-Version: 7.5.0a1763696324
+Version: 7.6.0
 Summary: A Pulumi package for creating and managing HashiCorp Vault cloud resources.
 License: Apache-2.0
 Project-URL: Homepage, https://pulumi.io

{pulumi_vault-7.5.0a1763696324.dist-info → pulumi_vault-7.6.0.dist-info}/RECORD

@@ -28,7 +28,7 @@ pulumi_vault/plugin.py,sha256=57QZXnzP9lPAU0TbErKMCaLggsm9MehQm9hjVgy36_k,25233
 pulumi_vault/plugin_pinned_version.py,sha256=w3YbjWKRyKY_7Ufc45n7nIAhVxpuj352jqykNlzmk4Q,11340
 pulumi_vault/policy.py,sha256=eOofckCLS7K3YRGh3GElW5jpXz_oK76xny4Fk5VrsR0,11666
 pulumi_vault/provider.py,sha256=0rno_jWm-8NzVdJYUdgvtlhL5R15IjrWJxlcclfPc0c,44944
-pulumi_vault/pulumi-plugin.json,sha256=60wxKJ7pNGKvXnparw70CJkACxTm3Df1gYyCnoeiZoI,81
+pulumi_vault/pulumi-plugin.json,sha256=kAWcFpZuJltcbIqRfOafG0BL3bSRtSTBZlZdn6KJ5PI,64
 pulumi_vault/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pulumi_vault/quota_lease_count.py,sha256=CoqfUnFAx956hEU4610qCLLhfzYcB5Qey0Jfy3hkVwA,26157
 pulumi_vault/quota_rate_limit.py,sha256=tI72HsW0lOMEMMHLyr3EQhW8d6F-FfgsEQyXGH5ebjU,43077
@@ -82,11 +82,11 @@ pulumi_vault/consul/__init__.py,sha256=rvV594Qo7hp6Ysz7aaxgrOVw1c6LlliyrD8nrCoKE
 pulumi_vault/consul/secret_backend.py,sha256=qKboTfen7iw4PB46LMe_jH_C8TxLOztDRTsE0wKZg28,79364
 pulumi_vault/consul/secret_backend_role.py,sha256=42QN0s2omlBnfwOiPV4EmNOlpOCRlf_vb_Cyk63HmCg,43973
 pulumi_vault/database/__init__.py,sha256=IKf2lsiEPGWbulcje7pAgpeQqZ3kElNCrP3eDced97M,472
-pulumi_vault/database/_inputs.py,sha256=ysrNEE-wfw_8R0aHl9OK09NNmgC99NGWfQC8aasyMkI,551551
-pulumi_vault/database/outputs.py,sha256=BA-j4K5X2FcglxtV1TcOp59wGTVtjCoNUf-b8FoDC8o,382460
-pulumi_vault/database/secret_backend_connection.py,sha256=-lETXtUXeiz1vmwG7glaFHi7v4iR8ghIwRHM9dwYchQ,93381
+pulumi_vault/database/_inputs.py,sha256=HdRB9jqu-KtrvYdqR0xPBxrQoEkFeh-E-LYg-TrQNm8,553427
+pulumi_vault/database/outputs.py,sha256=Eh5Us4WpLWRX8S2smxdLD4cekUHfW10svD0H3Oa_IS4,383744
+pulumi_vault/database/secret_backend_connection.py,sha256=vUfjrLbghJh0YXJec0ltqsSb_8Hkp9TyfV_h5GhPQok,95733
 pulumi_vault/database/secret_backend_role.py,sha256=Sm4PtpIA3m0nfUtfIEAGjORXZamAQsEpMaPkNSPNr8U,39232
-pulumi_vault/database/secret_backend_static_role.py,sha256=nB2EZ39_M3Z3KOhnr4tXww92qlt2g9hjPNKbTDktz3Q,44519
+pulumi_vault/database/secret_backend_static_role.py,sha256=DfDTxGN341aV3nNRTuzW9U-xfqpZvU_E4JGwLke6KkY,53995
 pulumi_vault/database/secrets_mount.py,sha256=WAJEOlfp0dB2SZxh1GkTGXGMImweQxS42O3bdboPlIQ,122955
 pulumi_vault/gcp/__init__.py,sha256=FEwIPfzcZ5RqQYSD27FtChXzHEMQfcnhJbDvOPlWSAE,563
 pulumi_vault/gcp/_inputs.py,sha256=OLgraky8XbCZfbPIjQF6Q7G4Gglag_AIOKKZD97VsZk,20330
@@ -147,9 +147,9 @@ pulumi_vault/kmip/secret_role.py,sha256=hok_eaqx_Ws4l52mYY--V5N063fyKtSmWpmktK-v
 pulumi_vault/kmip/secret_scope.py,sha256=Di7loWyXMtxuccPWb0R0Hqw7lVuegnCTVrXXdlQTj6g,15680
 pulumi_vault/kubernetes/__init__.py,sha256=60lqFtbyb-uWFYGPVvTM7wfEx5nF0Pkc58Hw0ORuusA,530
 pulumi_vault/kubernetes/auth_backend_config.py,sha256=NCjEhqwmk-_BpQKGpMxcCaz_EQGD1BoR29Tm1D8fhuI,36743
-pulumi_vault/kubernetes/auth_backend_role.py,sha256=1qv5SjaF6csyW2nmUc_bg1oIkGmDJwWQsc8yJio2MIc,53659
+pulumi_vault/kubernetes/auth_backend_role.py,sha256=Zr0WXb4egCTXNTuCK6IWixiJk1fP4tEhkfJde0Z_6oU,59288
 pulumi_vault/kubernetes/get_auth_backend_config.py,sha256=sOR4umTGQeNeuIVPPSFe6vAaMjvqeJu47FQd1XR123c,16139
-pulumi_vault/kubernetes/get_auth_backend_role.py,sha256=G0k8ovffHFAGR1IlcwffnceFiCf6llEOIftVBY9yxvE,25833
+pulumi_vault/kubernetes/get_auth_backend_role.py,sha256=rX64MY1AW0fuifnl2B7o0Vw-gE5DvUosDckzDydO1l0,27233
 pulumi_vault/kubernetes/get_service_account_token.py,sha256=KfOe5q2QjffFkxxqqzOVCSmINtC5bQ7gvhN9bYx2e4M,15885
 pulumi_vault/kubernetes/secret_backend.py,sha256=Hgo1KtRKKP9G_08xmqquFmIQVmdHc1LFJmkr43QyxC8,72817
 pulumi_vault/kubernetes/secret_backend_role.py,sha256=GZhUBA0uT74tOw2c79b-SoaX30hlxzgLxQKaGiQcpdk,58361
@@ -268,7 +268,7 @@ pulumi_vault/transit/get_sign.py,sha256=zE2W22UeFyoNOOOcL4IACj7Vy_2xSdMW_TXhbJR4
 pulumi_vault/transit/get_verify.py,sha256=MJyNdouCwsAfluPQ7YeGCNkj0OJUB1hVOWAmkodD6fY,17170
 pulumi_vault/transit/secret_backend_key.py,sha256=4F_MJXEBzVsNY22HzSp79mPl0SLIVPCknk-D9klcW5A,68515
 pulumi_vault/transit/secret_cache_config.py,sha256=v5enplOZynVxCUCPaav5df8d9zK2vi07C8F9SAQ73aA,13238
-pulumi_vault-7.5.0a1763696324.dist-info/METADATA,sha256=kcH8nfaZeLfeGgHbmQv-6LGYq5_XB_nsv_qpnxCMAjg,4926
-pulumi_vault-7.5.0a1763696324.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-pulumi_vault-7.5.0a1763696324.dist-info/top_level.txt,sha256=J7lAGvfexHc6T1EpDBGNKF0SXWURpmUhyzi9Nr5I61w,13
-pulumi_vault-7.5.0a1763696324.dist-info/RECORD,,
+pulumi_vault-7.6.0.dist-info/METADATA,sha256=dLWMBlPT8iV1GlEoIulAAa_S5qAeVTIN34Ft-ocJoPI,4915
+pulumi_vault-7.6.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+pulumi_vault-7.6.0.dist-info/top_level.txt,sha256=J7lAGvfexHc6T1EpDBGNKF0SXWURpmUhyzi9Nr5I61w,13
+pulumi_vault-7.6.0.dist-info/RECORD,,