pulumi-vault 7.5.0a1763696324__tar.gz → 7.6.0__tar.gz

{pulumi_vault-7.5.0a1763696324 → pulumi_vault-7.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulumi_vault
-Version: 7.5.0a1763696324
+Version: 7.6.0
 Summary: A Pulumi package for creating and managing HashiCorp Vault cloud resources.
 License: Apache-2.0
 Project-URL: Homepage, https://pulumi.io

{pulumi_vault-7.5.0a1763696324 → pulumi_vault-7.6.0}/pulumi_vault/database/_inputs.py

@@ -2739,6 +2739,10 @@ if not MYPY:
         """
         Version counter for root credential password write-only field
         """
+        self_managed: NotRequired[pulumi.Input[_builtins.bool]]
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
         split_statements: NotRequired[pulumi.Input[_builtins.bool]]
         """
         Set to true in order to split statements after semi-colons.
@@ -2765,6 +2769,7 @@ class SecretBackendConnectionOracleArgs:
                  password: Optional[pulumi.Input[_builtins.str]] = None,
                  password_wo: Optional[pulumi.Input[_builtins.str]] = None,
                  password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
+                 self_managed: Optional[pulumi.Input[_builtins.bool]] = None,
                  split_statements: Optional[pulumi.Input[_builtins.bool]] = None,
                  username: Optional[pulumi.Input[_builtins.str]] = None,
                  username_template: Optional[pulumi.Input[_builtins.str]] = None):
@@ -2778,6 +2783,7 @@ class SecretBackendConnectionOracleArgs:
         :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
                Write-only field for the root credential password used in the connection URL
         :param pulumi.Input[_builtins.int] password_wo_version: Version counter for root credential password write-only field
+        :param pulumi.Input[_builtins.bool] self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param pulumi.Input[_builtins.bool] split_statements: Set to true in order to split statements after semi-colons.
         :param pulumi.Input[_builtins.str] username: The root credential username used in the connection URL
         :param pulumi.Input[_builtins.str] username_template: Username generation template.
@@ -2798,6 +2804,8 @@ class SecretBackendConnectionOracleArgs:
             pulumi.set(__self__, "password_wo", password_wo)
         if password_wo_version is not None:
             pulumi.set(__self__, "password_wo_version", password_wo_version)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -2902,6 +2910,18 @@ class SecretBackendConnectionOracleArgs:
     def password_wo_version(self, value: Optional[pulumi.Input[_builtins.int]]):
         pulumi.set(self, "password_wo_version", value)
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
+    @self_managed.setter
+    def self_managed(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "self_managed", value)
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[pulumi.Input[_builtins.bool]]:
@@ -9358,6 +9378,10 @@ if not MYPY:
         a rotation when a scheduled token rotation occurs. The default rotation window is
         unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
         """
+        self_managed: NotRequired[pulumi.Input[_builtins.bool]]
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
         split_statements: NotRequired[pulumi.Input[_builtins.bool]]
         """
         Set to true in order to split statements after semi-colons.
@@ -9398,6 +9422,7 @@ class SecretsMountOracleArgs:
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_window: Optional[pulumi.Input[_builtins.int]] = None,
+                 self_managed: Optional[pulumi.Input[_builtins.bool]] = None,
                  split_statements: Optional[pulumi.Input[_builtins.bool]] = None,
                  username: Optional[pulumi.Input[_builtins.str]] = None,
                  username_template: Optional[pulumi.Input[_builtins.str]] = None,
@@ -9428,6 +9453,7 @@ class SecretsMountOracleArgs:
         :param pulumi.Input[_builtins.int] rotation_window: The maximum amount of time in seconds allowed to complete
                a rotation when a scheduled token rotation occurs. The default rotation window is
                unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param pulumi.Input[_builtins.bool] self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param pulumi.Input[_builtins.bool] split_statements: Set to true in order to split statements after semi-colons.
         :param pulumi.Input[_builtins.str] username: The root credential username used in the connection URL
         :param pulumi.Input[_builtins.str] username_template: Username generation template.
@@ -9467,6 +9493,8 @@ class SecretsMountOracleArgs:
             pulumi.set(__self__, "rotation_schedule", rotation_schedule)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -9688,6 +9716,18 @@ class SecretsMountOracleArgs:
     def rotation_window(self, value: Optional[pulumi.Input[_builtins.int]]):
         pulumi.set(self, "rotation_window", value)
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
+    @self_managed.setter
+    def self_managed(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "self_managed", value)
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[pulumi.Input[_builtins.bool]]:

{pulumi_vault-7.5.0a1763696324 → pulumi_vault-7.6.0}/pulumi_vault/database/outputs.py

@@ -1996,6 +1996,8 @@ class SecretBackendConnectionOracle(dict):
             suggest = "password_wo"
         elif key == "passwordWoVersion":
             suggest = "password_wo_version"
+        elif key == "selfManaged":
+            suggest = "self_managed"
         elif key == "splitStatements":
             suggest = "split_statements"
         elif key == "usernameTemplate":
@@ -2021,6 +2023,7 @@ class SecretBackendConnectionOracle(dict):
                  password: Optional[_builtins.str] = None,
                  password_wo: Optional[_builtins.str] = None,
                  password_wo_version: Optional[_builtins.int] = None,
+                 self_managed: Optional[_builtins.bool] = None,
                  split_statements: Optional[_builtins.bool] = None,
                  username: Optional[_builtins.str] = None,
                  username_template: Optional[_builtins.str] = None):
@@ -2034,6 +2037,7 @@ class SecretBackendConnectionOracle(dict):
         :param _builtins.str password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
                Write-only field for the root credential password used in the connection URL
         :param _builtins.int password_wo_version: Version counter for root credential password write-only field
+        :param _builtins.bool self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param _builtins.bool split_statements: Set to true in order to split statements after semi-colons.
         :param _builtins.str username: The root credential username used in the connection URL
         :param _builtins.str username_template: Username generation template.
@@ -2054,6 +2058,8 @@ class SecretBackendConnectionOracle(dict):
             pulumi.set(__self__, "password_wo", password_wo)
         if password_wo_version is not None:
             pulumi.set(__self__, "password_wo_version", password_wo_version)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -2126,6 +2132,14 @@ class SecretBackendConnectionOracle(dict):
         """
         return pulumi.get(self, "password_wo_version")
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[_builtins.bool]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[_builtins.bool]:
@@ -6676,6 +6690,8 @@ class SecretsMountOracle(dict):
             suggest = "rotation_schedule"
         elif key == "rotationWindow":
             suggest = "rotation_window"
+        elif key == "selfManaged":
+            suggest = "self_managed"
         elif key == "splitStatements":
             suggest = "split_statements"
         elif key == "usernameTemplate":
@@ -6712,6 +6728,7 @@ class SecretsMountOracle(dict):
                  rotation_period: Optional[_builtins.int] = None,
                  rotation_schedule: Optional[_builtins.str] = None,
                  rotation_window: Optional[_builtins.int] = None,
+                 self_managed: Optional[_builtins.bool] = None,
                  split_statements: Optional[_builtins.bool] = None,
                  username: Optional[_builtins.str] = None,
                  username_template: Optional[_builtins.str] = None,
@@ -6742,6 +6759,7 @@ class SecretsMountOracle(dict):
         :param _builtins.int rotation_window: The maximum amount of time in seconds allowed to complete
                a rotation when a scheduled token rotation occurs. The default rotation window is
                unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
+        :param _builtins.bool self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param _builtins.bool split_statements: Set to true in order to split statements after semi-colons.
         :param _builtins.str username: The root credential username used in the connection URL
         :param _builtins.str username_template: Username generation template.
@@ -6781,6 +6799,8 @@ class SecretsMountOracle(dict):
             pulumi.set(__self__, "rotation_schedule", rotation_schedule)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if split_statements is not None:
             pulumi.set(__self__, "split_statements", split_statements)
         if username is not None:
@@ -6934,6 +6954,14 @@ class SecretsMountOracle(dict):
         """
         return pulumi.get(self, "rotation_window")
 
+    @_builtins.property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[_builtins.bool]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
     @_builtins.property
     @pulumi.getter(name="splitStatements")
     def split_statements(self) -> Optional[_builtins.bool]:

{pulumi_vault-7.5.0a1763696324 → pulumi_vault-7.6.0}/pulumi_vault/database/secret_backend_connection.py

@@ -1077,6 +1077,8 @@ class SecretBackendConnection(pulumi.CustomResource):
         """
         ## Example Usage
 
+        ### PostgreSQL Connection
+
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1098,6 +1100,37 @@ class SecretBackendConnection(pulumi.CustomResource):
             })
         ```
 
+        ### Oracle Connection with Self-Managed Mode (Rootless)
+
+        For Vault 1.18+ Enterprise, you can configure Oracle connections in self-managed mode,
+        which allows a static role to manage its own database credentials without requiring root access:
+
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+
+        db = vault.Mount("db",
+            path="database",
+            type="database")
+        oracle = vault.database.SecretBackendConnection("oracle",
+            backend=db.path,
+            name="oracle",
+            allowed_roles=["my-role"],
+            oracle={
+                "connection_url": "{{username}}/{{password}}@//host:port/service",
+                "self_managed": True,
+                "plugin_name": "vault-plugin-database-oracle",
+            })
+        oracle_role = vault.database.SecretBackendStaticRole("oracle_role",
+            backend=db.path,
+            name="my-role",
+            db_name=oracle.name,
+            username="vault_user",
+            password_wo="initial-password",
+            password_wo_version=1,
+            rotation_period=3600)
+        ```
+
         ## Ephemeral Attributes Reference
 
         The following write-only attributes are supported for all DBs that support username/password:
@@ -1171,6 +1204,8 @@ class SecretBackendConnection(pulumi.CustomResource):
         """
         ## Example Usage
 
+        ### PostgreSQL Connection
+
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1192,6 +1227,37 @@ class SecretBackendConnection(pulumi.CustomResource):
             })
         ```
 
+        ### Oracle Connection with Self-Managed Mode (Rootless)
+
+        For Vault 1.18+ Enterprise, you can configure Oracle connections in self-managed mode,
+        which allows a static role to manage its own database credentials without requiring root access:
+
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+
+        db = vault.Mount("db",
+            path="database",
+            type="database")
+        oracle = vault.database.SecretBackendConnection("oracle",
+            backend=db.path,
+            name="oracle",
+            allowed_roles=["my-role"],
+            oracle={
+                "connection_url": "{{username}}/{{password}}@//host:port/service",
+                "self_managed": True,
+                "plugin_name": "vault-plugin-database-oracle",
+            })
+        oracle_role = vault.database.SecretBackendStaticRole("oracle_role",
+            backend=db.path,
+            name="my-role",
+            db_name=oracle.name,
+            username="vault_user",
+            password_wo="initial-password",
+            password_wo_version=1,
+            rotation_period=3600)
+        ```
+
         ## Ephemeral Attributes Reference
 
         The following write-only attributes are supported for all DBs that support username/password:

{pulumi_vault-7.5.0a1763696324 → pulumi_vault-7.6.0}/pulumi_vault/database/secret_backend_static_role.py

@@ -26,6 +26,8 @@ class SecretBackendStaticRoleArgs:
                  credential_type: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -43,6 +45,13 @@ class SecretBackendStaticRoleArgs:
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -56,6 +65,7 @@ class SecretBackendStaticRoleArgs:
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         """
@@ -70,6 +80,10 @@ class SecretBackendStaticRoleArgs:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if password_wo is not None:
+            pulumi.set(__self__, "password_wo", password_wo)
+        if password_wo_version is not None:
+            pulumi.set(__self__, "password_wo_version", password_wo_version)
         if rotation_period is not None:
             pulumi.set(__self__, "rotation_period", rotation_period)
         if rotation_schedule is not None:
@@ -167,6 +181,35 @@ class SecretBackendStaticRoleArgs:
     def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "namespace", value)
 
+    @_builtins.property
+    @pulumi.getter(name="passwordWo")
+    def password_wo(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+        The password corresponding to the username in the database.
+        This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+        Cannot be used with `self_managed_password`.
+        """
+        return pulumi.get(self, "password_wo")
+
+    @password_wo.setter
+    def password_wo(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "password_wo", value)
+
+    @_builtins.property
+    @pulumi.getter(name="passwordWoVersion")
+    def password_wo_version(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The version of the `password_wo` field. 
+        Used for tracking changes to the write-only password field. For more info see
+        updating write-only attributes.
+        """
+        return pulumi.get(self, "password_wo_version")
+
+    @password_wo_version.setter
+    def password_wo_version(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "password_wo_version", value)
+
     @_builtins.property
     @pulumi.getter(name="rotationPeriod")
     def rotation_period(self) -> Optional[pulumi.Input[_builtins.int]]:
@@ -228,6 +271,7 @@ class SecretBackendStaticRoleArgs:
         The password corresponding to the username in the database.
         Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
         select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         """
         return pulumi.get(self, "self_managed_password")
 
@@ -258,6 +302,8 @@ class _SecretBackendStaticRoleState:
                  db_name: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -275,6 +321,13 @@ class _SecretBackendStaticRoleState:
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -288,6 +341,7 @@ class _SecretBackendStaticRoleState:
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[_builtins.str] username: The database username that this static role corresponds to.
@@ -304,6 +358,10 @@ class _SecretBackendStaticRoleState:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if password_wo is not None:
+            pulumi.set(__self__, "password_wo", password_wo)
+        if password_wo_version is not None:
+            pulumi.set(__self__, "password_wo_version", password_wo_version)
         if rotation_period is not None:
             pulumi.set(__self__, "rotation_period", rotation_period)
         if rotation_schedule is not None:
@@ -391,6 +449,35 @@ class _SecretBackendStaticRoleState:
     def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "namespace", value)
 
+    @_builtins.property
+    @pulumi.getter(name="passwordWo")
+    def password_wo(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+        The password corresponding to the username in the database.
+        This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+        Cannot be used with `self_managed_password`.
+        """
+        return pulumi.get(self, "password_wo")
+
+    @password_wo.setter
+    def password_wo(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "password_wo", value)
+
+    @_builtins.property
+    @pulumi.getter(name="passwordWoVersion")
+    def password_wo_version(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The version of the `password_wo` field. 
+        Used for tracking changes to the write-only password field. For more info see
+        updating write-only attributes.
+        """
+        return pulumi.get(self, "password_wo_version")
+
+    @password_wo_version.setter
+    def password_wo_version(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "password_wo_version", value)
+
     @_builtins.property
     @pulumi.getter(name="rotationPeriod")
     def rotation_period(self) -> Optional[pulumi.Input[_builtins.int]]:
@@ -452,6 +539,7 @@ class _SecretBackendStaticRoleState:
         The password corresponding to the username in the database.
         Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
         select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         """
         return pulumi.get(self, "self_managed_password")
 
@@ -497,6 +585,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  db_name: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -543,6 +633,16 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             rotation_schedule="0 0 * * SAT",
             rotation_window=172800,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
+        # configure a static role with a password (Vault 1.19+)
+        password_role = vault.database.SecretBackendStaticRole("password_role",
+            backend=db.path,
+            name="my-password-role",
+            db_name=postgres.name,
+            username="example",
+            password_wo="my-password",
+            password_wo_version=1,
+            rotation_period=3600,
+            rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         ```
 
         ## Import
@@ -563,6 +663,13 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -576,6 +683,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[_builtins.str] username: The database username that this static role corresponds to.
@@ -624,6 +732,16 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             rotation_schedule="0 0 * * SAT",
             rotation_window=172800,
             rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
+        # configure a static role with a password (Vault 1.19+)
+        password_role = vault.database.SecretBackendStaticRole("password_role",
+            backend=db.path,
+            name="my-password-role",
+            db_name=postgres.name,
+            username="example",
+            password_wo="my-password",
+            password_wo_version=1,
+            rotation_period=3600,
+            rotation_statements=["ALTER USER \\"{{name}}\\" WITH PASSWORD '{{password}}';"])
         ```
 
         ## Import
@@ -655,6 +773,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  db_name: Optional[pulumi.Input[_builtins.str]] = None,
                  name: Optional[pulumi.Input[_builtins.str]] = None,
                  namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+                 password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
                  rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -681,6 +801,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             __props__.__dict__["db_name"] = db_name
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
+            __props__.__dict__["password_wo"] = None if password_wo is None else pulumi.Output.secret(password_wo)
+            __props__.__dict__["password_wo_version"] = password_wo_version
             __props__.__dict__["rotation_period"] = rotation_period
             __props__.__dict__["rotation_schedule"] = rotation_schedule
             __props__.__dict__["rotation_statements"] = rotation_statements
@@ -690,7 +812,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             if username is None and not opts.urn:
                 raise TypeError("Missing required property 'username'")
             __props__.__dict__["username"] = username
-        secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["selfManagedPassword"])
+        secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["passwordWo", "selfManagedPassword"])
         opts = pulumi.ResourceOptions.merge(opts, secret_opts)
         super(SecretBackendStaticRole, __self__).__init__(
             'vault:database/secretBackendStaticRole:SecretBackendStaticRole',
@@ -708,6 +830,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             db_name: Optional[pulumi.Input[_builtins.str]] = None,
             name: Optional[pulumi.Input[_builtins.str]] = None,
             namespace: Optional[pulumi.Input[_builtins.str]] = None,
+            password_wo: Optional[pulumi.Input[_builtins.str]] = None,
+            password_wo_version: Optional[pulumi.Input[_builtins.int]] = None,
             rotation_period: Optional[pulumi.Input[_builtins.int]] = None,
             rotation_schedule: Optional[pulumi.Input[_builtins.str]] = None,
             rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
@@ -730,6 +854,13 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured namespace.
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.str] password_wo: **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+               The password corresponding to the username in the database.
+               This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+               Cannot be used with `self_managed_password`.
+        :param pulumi.Input[_builtins.int] password_wo_version: The version of the `password_wo` field. 
+               Used for tracking changes to the write-only password field. For more info see
+               updating write-only attributes.
         :param pulumi.Input[_builtins.int] rotation_period: The amount of time Vault should wait before rotating the password, in seconds.
                Mutually exclusive with `rotation_schedule`.
         :param pulumi.Input[_builtins.str] rotation_schedule: A cron-style string that will define the schedule on which rotations should occur.
@@ -743,6 +874,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[_builtins.str] self_managed_password: The password corresponding to the username in the database.
                Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
                select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+               **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         :param pulumi.Input[_builtins.bool] skip_import_rotation: If set to true, Vault will skip the
                initial secret rotation on import. Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[_builtins.str] username: The database username that this static role corresponds to.
@@ -757,6 +889,8 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         __props__.__dict__["db_name"] = db_name
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
+        __props__.__dict__["password_wo"] = password_wo
+        __props__.__dict__["password_wo_version"] = password_wo_version
         __props__.__dict__["rotation_period"] = rotation_period
         __props__.__dict__["rotation_schedule"] = rotation_schedule
         __props__.__dict__["rotation_statements"] = rotation_statements
@@ -814,6 +948,27 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "namespace")
 
+    @_builtins.property
+    @pulumi.getter(name="passwordWo")
+    def password_wo(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+        The password corresponding to the username in the database.
+        This is a write-only field. Requires Vault 1.19+. Deprecates `self_managed_password` which was introduced in Vault 1.18.
+        Cannot be used with `self_managed_password`.
+        """
+        return pulumi.get(self, "password_wo")
+
+    @_builtins.property
+    @pulumi.getter(name="passwordWoVersion")
+    def password_wo_version(self) -> pulumi.Output[Optional[_builtins.int]]:
+        """
+        The version of the `password_wo` field. 
+        Used for tracking changes to the write-only password field. For more info see
+        updating write-only attributes.
+        """
+        return pulumi.get(self, "password_wo_version")
+
     @_builtins.property
     @pulumi.getter(name="rotationPeriod")
     def rotation_period(self) -> pulumi.Output[Optional[_builtins.int]]:
@@ -859,6 +1014,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         The password corresponding to the username in the database.
         Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
         select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        **Deprecated**: Use `password_wo` instead. This field will be removed in a future version.
         """
         return pulumi.get(self, "self_managed_password")