PyPI - pulumi-vault - Versions diffs - 7.6.0a1764657486__py3-none-any.whl - Mend

pulumi-vault 7.6.0a1764657486__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (274) hide show

pulumi_vault/__init__.py +1399 -0
pulumi_vault/_inputs.py +2701 -0
pulumi_vault/_utilities.py +331 -0
pulumi_vault/ad/__init__.py +12 -0
pulumi_vault/ad/get_access_credentials.py +177 -0
pulumi_vault/ad/secret_backend.py +1916 -0
pulumi_vault/ad/secret_library.py +546 -0
pulumi_vault/ad/secret_role.py +499 -0
pulumi_vault/alicloud/__init__.py +9 -0
pulumi_vault/alicloud/auth_backend_role.py +866 -0
pulumi_vault/approle/__init__.py +12 -0
pulumi_vault/approle/auth_backend_login.py +571 -0
pulumi_vault/approle/auth_backend_role.py +1082 -0
pulumi_vault/approle/auth_backend_role_secret_id.py +796 -0
pulumi_vault/approle/get_auth_backend_role_id.py +169 -0
pulumi_vault/audit.py +499 -0
pulumi_vault/audit_request_header.py +277 -0
pulumi_vault/auth_backend.py +565 -0
pulumi_vault/aws/__init__.py +22 -0
pulumi_vault/aws/auth_backend_cert.py +420 -0
pulumi_vault/aws/auth_backend_client.py +1259 -0
pulumi_vault/aws/auth_backend_config_identity.py +494 -0
pulumi_vault/aws/auth_backend_identity_whitelist.py +380 -0
pulumi_vault/aws/auth_backend_login.py +1046 -0
pulumi_vault/aws/auth_backend_role.py +1961 -0
pulumi_vault/aws/auth_backend_role_tag.py +638 -0
pulumi_vault/aws/auth_backend_roletag_blacklist.py +366 -0
pulumi_vault/aws/auth_backend_sts_role.py +414 -0
pulumi_vault/aws/get_access_credentials.py +369 -0
pulumi_vault/aws/get_static_access_credentials.py +137 -0
pulumi_vault/aws/secret_backend.py +2018 -0
pulumi_vault/aws/secret_backend_role.py +1188 -0
pulumi_vault/aws/secret_backend_static_role.py +639 -0
pulumi_vault/azure/__init__.py +15 -0
pulumi_vault/azure/_inputs.py +108 -0
pulumi_vault/azure/auth_backend_config.py +1096 -0
pulumi_vault/azure/auth_backend_role.py +1176 -0
pulumi_vault/azure/backend.py +1793 -0
pulumi_vault/azure/backend_role.py +883 -0
pulumi_vault/azure/get_access_credentials.py +400 -0
pulumi_vault/azure/outputs.py +107 -0
pulumi_vault/cert_auth_backend_role.py +1539 -0
pulumi_vault/config/__init__.py +9 -0
pulumi_vault/config/__init__.pyi +164 -0
pulumi_vault/config/_inputs.py +73 -0
pulumi_vault/config/outputs.py +1225 -0
pulumi_vault/config/ui_custom_message.py +530 -0
pulumi_vault/config/vars.py +230 -0
pulumi_vault/consul/__init__.py +10 -0
pulumi_vault/consul/secret_backend.py +1517 -0
pulumi_vault/consul/secret_backend_role.py +847 -0
pulumi_vault/database/__init__.py +14 -0
pulumi_vault/database/_inputs.py +11907 -0
pulumi_vault/database/outputs.py +8496 -0
pulumi_vault/database/secret_backend_connection.py +1676 -0
pulumi_vault/database/secret_backend_role.py +840 -0
pulumi_vault/database/secret_backend_static_role.py +881 -0
pulumi_vault/database/secrets_mount.py +2160 -0
pulumi_vault/egp_policy.py +399 -0
pulumi_vault/gcp/__init__.py +17 -0
pulumi_vault/gcp/_inputs.py +441 -0
pulumi_vault/gcp/auth_backend.py +1486 -0
pulumi_vault/gcp/auth_backend_role.py +1235 -0
pulumi_vault/gcp/get_auth_backend_role.py +514 -0
pulumi_vault/gcp/outputs.py +302 -0
pulumi_vault/gcp/secret_backend.py +1807 -0
pulumi_vault/gcp/secret_impersonated_account.py +484 -0
pulumi_vault/gcp/secret_roleset.py +554 -0
pulumi_vault/gcp/secret_static_account.py +557 -0
pulumi_vault/generic/__init__.py +11 -0
pulumi_vault/generic/endpoint.py +786 -0
pulumi_vault/generic/get_secret.py +306 -0
pulumi_vault/generic/secret.py +486 -0
pulumi_vault/get_auth_backend.py +226 -0
pulumi_vault/get_auth_backends.py +170 -0
pulumi_vault/get_namespace.py +226 -0
pulumi_vault/get_namespaces.py +202 -0
pulumi_vault/get_nomad_access_token.py +210 -0
pulumi_vault/get_policy_document.py +160 -0
pulumi_vault/get_raft_autopilot_state.py +267 -0
pulumi_vault/github/__init__.py +13 -0
pulumi_vault/github/_inputs.py +225 -0
pulumi_vault/github/auth_backend.py +1194 -0
pulumi_vault/github/outputs.py +174 -0
pulumi_vault/github/team.py +380 -0
pulumi_vault/github/user.py +380 -0
pulumi_vault/identity/__init__.py +35 -0
pulumi_vault/identity/entity.py +447 -0
pulumi_vault/identity/entity_alias.py +398 -0
pulumi_vault/identity/entity_policies.py +455 -0
pulumi_vault/identity/get_entity.py +384 -0
pulumi_vault/identity/get_group.py +467 -0
pulumi_vault/identity/get_oidc_client_creds.py +175 -0
pulumi_vault/identity/get_oidc_openid_config.py +334 -0
pulumi_vault/identity/get_oidc_public_keys.py +179 -0
pulumi_vault/identity/group.py +805 -0
pulumi_vault/identity/group_alias.py +386 -0
pulumi_vault/identity/group_member_entity_ids.py +444 -0
pulumi_vault/identity/group_member_group_ids.py +467 -0
pulumi_vault/identity/group_policies.py +471 -0
pulumi_vault/identity/mfa_duo.py +674 -0
pulumi_vault/identity/mfa_login_enforcement.py +566 -0
pulumi_vault/identity/mfa_okta.py +626 -0
pulumi_vault/identity/mfa_pingid.py +616 -0
pulumi_vault/identity/mfa_totp.py +758 -0
pulumi_vault/identity/oidc.py +268 -0
pulumi_vault/identity/oidc_assignment.py +375 -0
pulumi_vault/identity/oidc_client.py +667 -0
pulumi_vault/identity/oidc_key.py +474 -0
pulumi_vault/identity/oidc_key_allowed_client_id.py +298 -0
pulumi_vault/identity/oidc_provider.py +550 -0
pulumi_vault/identity/oidc_role.py +543 -0
pulumi_vault/identity/oidc_scope.py +355 -0
pulumi_vault/identity/outputs.py +137 -0
pulumi_vault/jwt/__init__.py +12 -0
pulumi_vault/jwt/_inputs.py +225 -0
pulumi_vault/jwt/auth_backend.py +1347 -0
pulumi_vault/jwt/auth_backend_role.py +1847 -0
pulumi_vault/jwt/outputs.py +174 -0
pulumi_vault/kmip/__init__.py +11 -0
pulumi_vault/kmip/secret_backend.py +1591 -0
pulumi_vault/kmip/secret_role.py +1194 -0
pulumi_vault/kmip/secret_scope.py +372 -0
pulumi_vault/kubernetes/__init__.py +15 -0
pulumi_vault/kubernetes/auth_backend_config.py +654 -0
pulumi_vault/kubernetes/auth_backend_role.py +1031 -0
pulumi_vault/kubernetes/get_auth_backend_config.py +280 -0
pulumi_vault/kubernetes/get_auth_backend_role.py +470 -0
pulumi_vault/kubernetes/get_service_account_token.py +344 -0
pulumi_vault/kubernetes/secret_backend.py +1341 -0
pulumi_vault/kubernetes/secret_backend_role.py +1140 -0
pulumi_vault/kv/__init__.py +18 -0
pulumi_vault/kv/_inputs.py +124 -0
pulumi_vault/kv/get_secret.py +240 -0
pulumi_vault/kv/get_secret_subkeys_v2.py +275 -0
pulumi_vault/kv/get_secret_v2.py +315 -0
pulumi_vault/kv/get_secrets_list.py +186 -0
pulumi_vault/kv/get_secrets_list_v2.py +243 -0
pulumi_vault/kv/outputs.py +102 -0
pulumi_vault/kv/secret.py +397 -0
pulumi_vault/kv/secret_backend_v2.py +455 -0
pulumi_vault/kv/secret_v2.py +970 -0
pulumi_vault/ldap/__init__.py +19 -0
pulumi_vault/ldap/_inputs.py +225 -0
pulumi_vault/ldap/auth_backend.py +2520 -0
pulumi_vault/ldap/auth_backend_group.py +386 -0
pulumi_vault/ldap/auth_backend_user.py +439 -0
pulumi_vault/ldap/get_dynamic_credentials.py +181 -0
pulumi_vault/ldap/get_static_credentials.py +192 -0
pulumi_vault/ldap/outputs.py +174 -0
pulumi_vault/ldap/secret_backend.py +2207 -0
pulumi_vault/ldap/secret_backend_dynamic_role.py +767 -0
pulumi_vault/ldap/secret_backend_library_set.py +552 -0
pulumi_vault/ldap/secret_backend_static_role.py +541 -0
pulumi_vault/managed/__init__.py +11 -0
pulumi_vault/managed/_inputs.py +944 -0
pulumi_vault/managed/keys.py +398 -0
pulumi_vault/managed/outputs.py +667 -0
pulumi_vault/mfa_duo.py +589 -0
pulumi_vault/mfa_okta.py +623 -0
pulumi_vault/mfa_pingid.py +670 -0
pulumi_vault/mfa_totp.py +620 -0
pulumi_vault/mongodbatlas/__init__.py +10 -0
pulumi_vault/mongodbatlas/secret_backend.py +388 -0
pulumi_vault/mongodbatlas/secret_role.py +726 -0
pulumi_vault/mount.py +1262 -0
pulumi_vault/namespace.py +452 -0
pulumi_vault/nomad_secret_backend.py +1559 -0
pulumi_vault/nomad_secret_role.py +489 -0
pulumi_vault/oci_auth_backend.py +676 -0
pulumi_vault/oci_auth_backend_role.py +852 -0
pulumi_vault/okta/__init__.py +13 -0
pulumi_vault/okta/_inputs.py +320 -0
pulumi_vault/okta/auth_backend.py +1231 -0
pulumi_vault/okta/auth_backend_group.py +369 -0
pulumi_vault/okta/auth_backend_user.py +416 -0
pulumi_vault/okta/outputs.py +244 -0
pulumi_vault/outputs.py +502 -0
pulumi_vault/pkisecret/__init__.py +38 -0
pulumi_vault/pkisecret/_inputs.py +270 -0
pulumi_vault/pkisecret/backend_acme_eab.py +550 -0
pulumi_vault/pkisecret/backend_config_acme.py +690 -0
pulumi_vault/pkisecret/backend_config_auto_tidy.py +1370 -0
pulumi_vault/pkisecret/backend_config_cluster.py +370 -0
pulumi_vault/pkisecret/backend_config_cmpv2.py +693 -0
pulumi_vault/pkisecret/backend_config_est.py +756 -0
pulumi_vault/pkisecret/backend_config_scep.py +738 -0
pulumi_vault/pkisecret/get_backend_cert_metadata.py +277 -0
pulumi_vault/pkisecret/get_backend_config_cmpv2.py +226 -0
pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
pulumi_vault/pkisecret/get_backend_config_scep.py +271 -0
pulumi_vault/pkisecret/get_backend_issuer.py +395 -0
pulumi_vault/pkisecret/get_backend_issuers.py +192 -0
pulumi_vault/pkisecret/get_backend_key.py +211 -0
pulumi_vault/pkisecret/get_backend_keys.py +192 -0
pulumi_vault/pkisecret/outputs.py +270 -0
pulumi_vault/pkisecret/secret_backend_cert.py +1315 -0
pulumi_vault/pkisecret/secret_backend_config_ca.py +386 -0
pulumi_vault/pkisecret/secret_backend_config_issuers.py +392 -0
pulumi_vault/pkisecret/secret_backend_config_urls.py +462 -0
pulumi_vault/pkisecret/secret_backend_crl_config.py +846 -0
pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +1629 -0
pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +444 -0
pulumi_vault/pkisecret/secret_backend_issuer.py +1089 -0
pulumi_vault/pkisecret/secret_backend_key.py +613 -0
pulumi_vault/pkisecret/secret_backend_role.py +2694 -0
pulumi_vault/pkisecret/secret_backend_root_cert.py +2134 -0
pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +2031 -0
pulumi_vault/pkisecret/secret_backend_sign.py +1194 -0
pulumi_vault/plugin.py +596 -0
pulumi_vault/plugin_pinned_version.py +299 -0
pulumi_vault/policy.py +279 -0
pulumi_vault/provider.py +781 -0
pulumi_vault/pulumi-plugin.json +5 -0
pulumi_vault/py.typed +0 -0
pulumi_vault/quota_lease_count.py +504 -0
pulumi_vault/quota_rate_limit.py +751 -0
pulumi_vault/rabbitmq/__init__.py +12 -0
pulumi_vault/rabbitmq/_inputs.py +235 -0
pulumi_vault/rabbitmq/outputs.py +144 -0
pulumi_vault/rabbitmq/secret_backend.py +1437 -0
pulumi_vault/rabbitmq/secret_backend_role.py +496 -0
pulumi_vault/raft_autopilot.py +609 -0
pulumi_vault/raft_snapshot_agent_config.py +1591 -0
pulumi_vault/rgp_policy.py +349 -0
pulumi_vault/saml/__init__.py +12 -0
pulumi_vault/saml/_inputs.py +225 -0
pulumi_vault/saml/auth_backend.py +811 -0
pulumi_vault/saml/auth_backend_role.py +1068 -0
pulumi_vault/saml/outputs.py +174 -0
pulumi_vault/scep_auth_backend_role.py +908 -0
pulumi_vault/secrets/__init__.py +18 -0
pulumi_vault/secrets/_inputs.py +110 -0
pulumi_vault/secrets/outputs.py +94 -0
pulumi_vault/secrets/sync_association.py +450 -0
pulumi_vault/secrets/sync_aws_destination.py +780 -0
pulumi_vault/secrets/sync_azure_destination.py +736 -0
pulumi_vault/secrets/sync_config.py +303 -0
pulumi_vault/secrets/sync_gcp_destination.py +572 -0
pulumi_vault/secrets/sync_gh_destination.py +688 -0
pulumi_vault/secrets/sync_github_apps.py +376 -0
pulumi_vault/secrets/sync_vercel_destination.py +603 -0
pulumi_vault/ssh/__init__.py +13 -0
pulumi_vault/ssh/_inputs.py +76 -0
pulumi_vault/ssh/get_secret_backend_sign.py +294 -0
pulumi_vault/ssh/outputs.py +51 -0
pulumi_vault/ssh/secret_backend_ca.py +588 -0
pulumi_vault/ssh/secret_backend_role.py +1493 -0
pulumi_vault/terraformcloud/__init__.py +11 -0
pulumi_vault/terraformcloud/secret_backend.py +1321 -0
pulumi_vault/terraformcloud/secret_creds.py +445 -0
pulumi_vault/terraformcloud/secret_role.py +563 -0
pulumi_vault/token.py +1026 -0
pulumi_vault/tokenauth/__init__.py +9 -0
pulumi_vault/tokenauth/auth_backend_role.py +1135 -0
pulumi_vault/transform/__init__.py +14 -0
pulumi_vault/transform/alphabet.py +348 -0
pulumi_vault/transform/get_decode.py +287 -0
pulumi_vault/transform/get_encode.py +291 -0
pulumi_vault/transform/role.py +350 -0
pulumi_vault/transform/template.py +592 -0
pulumi_vault/transform/transformation.py +608 -0
pulumi_vault/transit/__init__.py +15 -0
pulumi_vault/transit/get_cmac.py +256 -0
pulumi_vault/transit/get_decrypt.py +181 -0
pulumi_vault/transit/get_encrypt.py +174 -0
pulumi_vault/transit/get_sign.py +328 -0
pulumi_vault/transit/get_verify.py +373 -0
pulumi_vault/transit/secret_backend_key.py +1202 -0
pulumi_vault/transit/secret_cache_config.py +302 -0
pulumi_vault-7.6.0a1764657486.dist-info/METADATA +92 -0
pulumi_vault-7.6.0a1764657486.dist-info/RECORD +274 -0
pulumi_vault-7.6.0a1764657486.dist-info/WHEEL +5 -0
pulumi_vault-7.6.0a1764657486.dist-info/top_level.txt +1 -0

pulumi_vault/secrets/sync_aws_destination.py ADDED Viewed

@@ -0,0 +1,780 @@
+# coding=utf-8
+# *** WARNING: this file was generated by pulumi-language-python. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+import builtins as _builtins
+import warnings
+import sys
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
+from .. import _utilities
+__all__ = ['SyncAwsDestinationArgs', 'SyncAwsDestination']
+@pulumi.input_type
+class SyncAwsDestinationArgs:
+    def __init__(__self__, *,
+                 access_key_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 external_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 granularity: Optional[pulumi.Input[_builtins.str]] = None,
+                 name: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 region: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_arn: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_access_key: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_name_template: Optional[pulumi.Input[_builtins.str]] = None):
+        """
+        The set of arguments for constructing a SyncAwsDestination resource.
+        :param pulumi.Input[_builtins.str] access_key_id: Access key id to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
+               variable.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[_builtins.str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[_builtins.str] granularity: Determines what level of information is synced as a distinct resource
+               at the destination. Supports `secret-path` and `secret-key`.
+        :param pulumi.Input[_builtins.str] name: Unique name of the AWS destination.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        :param pulumi.Input[_builtins.str] region: Region where to manage the secrets manager entries.
+               Can be omitted and directly provided to Vault using the `AWS_REGION` environment
+               variable.
+        :param pulumi.Input[_builtins.str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
+        :param pulumi.Input[_builtins.str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
+               variable.
+        :param pulumi.Input[_builtins.str] secret_name_template: Template describing how to generate external secret names.
+               Supports a subset of the Go Template syntax.
+        """
+        if access_key_id is not None:
+            pulumi.set(__self__, "access_key_id", access_key_id)
+        if custom_tags is not None:
+            pulumi.set(__self__, "custom_tags", custom_tags)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
+        if granularity is not None:
+            pulumi.set(__self__, "granularity", granularity)
+        if name is not None:
+            pulumi.set(__self__, "name", name)
+        if namespace is not None:
+            pulumi.set(__self__, "namespace", namespace)
+        if region is not None:
+            pulumi.set(__self__, "region", region)
+        if role_arn is not None:
+            pulumi.set(__self__, "role_arn", role_arn)
+        if secret_access_key is not None:
+            pulumi.set(__self__, "secret_access_key", secret_access_key)
+        if secret_name_template is not None:
+            pulumi.set(__self__, "secret_name_template", secret_name_template)
+    @_builtins.property
+    @pulumi.getter(name="accessKeyId")
+    def access_key_id(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Access key id to authenticate against the AWS secrets manager.
+        Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
+        variable.
+        """
+        return pulumi.get(self, "access_key_id")
+    @access_key_id.setter
+    def access_key_id(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "access_key_id", value)
+    @_builtins.property
+    @pulumi.getter(name="customTags")
+    def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
+        """
+        Custom tags to set on the secret managed at the destination.
+        """
+        return pulumi.get(self, "custom_tags")
+    @custom_tags.setter
+    def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "custom_tags", value)
+    @_builtins.property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "external_id", value)
+    @_builtins.property
+    @pulumi.getter
+    def granularity(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Determines what level of information is synced as a distinct resource
+        at the destination. Supports `secret-path` and `secret-key`.
+        """
+        return pulumi.get(self, "granularity")
+    @granularity.setter
+    def granularity(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "granularity", value)
+    @_builtins.property
+    @pulumi.getter
+    def name(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Unique name of the AWS destination.
+        """
+        return pulumi.get(self, "name")
+    @name.setter
+    def name(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "name", value)
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        """
+        return pulumi.get(self, "namespace")
+    @namespace.setter
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "namespace", value)
+    @_builtins.property
+    @pulumi.getter
+    def region(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Region where to manage the secrets manager entries.
+        Can be omitted and directly provided to Vault using the `AWS_REGION` environment
+        variable.
+        """
+        return pulumi.get(self, "region")
+    @region.setter
+    def region(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "region", value)
+    @_builtins.property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role,
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+    @role_arn.setter
+    def role_arn(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "role_arn", value)
+    @_builtins.property
+    @pulumi.getter(name="secretAccessKey")
+    def secret_access_key(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Secret access key to authenticate against the AWS secrets manager.
+        Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
+        variable.
+        """
+        return pulumi.get(self, "secret_access_key")
+    @secret_access_key.setter
+    def secret_access_key(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "secret_access_key", value)
+    @_builtins.property
+    @pulumi.getter(name="secretNameTemplate")
+    def secret_name_template(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Template describing how to generate external secret names.
+        Supports a subset of the Go Template syntax.
+        """
+        return pulumi.get(self, "secret_name_template")
+    @secret_name_template.setter
+    def secret_name_template(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "secret_name_template", value)
+@pulumi.input_type
+class _SyncAwsDestinationState:
+    def __init__(__self__, *,
+                 access_key_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 external_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 granularity: Optional[pulumi.Input[_builtins.str]] = None,
+                 name: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 region: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_arn: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_access_key: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_name_template: Optional[pulumi.Input[_builtins.str]] = None,
+                 type: Optional[pulumi.Input[_builtins.str]] = None):
+        """
+        Input properties used for looking up and filtering SyncAwsDestination resources.
+        :param pulumi.Input[_builtins.str] access_key_id: Access key id to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
+               variable.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[_builtins.str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[_builtins.str] granularity: Determines what level of information is synced as a distinct resource
+               at the destination. Supports `secret-path` and `secret-key`.
+        :param pulumi.Input[_builtins.str] name: Unique name of the AWS destination.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        :param pulumi.Input[_builtins.str] region: Region where to manage the secrets manager entries.
+               Can be omitted and directly provided to Vault using the `AWS_REGION` environment
+               variable.
+        :param pulumi.Input[_builtins.str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
+        :param pulumi.Input[_builtins.str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
+               variable.
+        :param pulumi.Input[_builtins.str] secret_name_template: Template describing how to generate external secret names.
+               Supports a subset of the Go Template syntax.
+        :param pulumi.Input[_builtins.str] type: The type of the secrets destination (`aws-sm`).
+        """
+        if access_key_id is not None:
+            pulumi.set(__self__, "access_key_id", access_key_id)
+        if custom_tags is not None:
+            pulumi.set(__self__, "custom_tags", custom_tags)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
+        if granularity is not None:
+            pulumi.set(__self__, "granularity", granularity)
+        if name is not None:
+            pulumi.set(__self__, "name", name)
+        if namespace is not None:
+            pulumi.set(__self__, "namespace", namespace)
+        if region is not None:
+            pulumi.set(__self__, "region", region)
+        if role_arn is not None:
+            pulumi.set(__self__, "role_arn", role_arn)
+        if secret_access_key is not None:
+            pulumi.set(__self__, "secret_access_key", secret_access_key)
+        if secret_name_template is not None:
+            pulumi.set(__self__, "secret_name_template", secret_name_template)
+        if type is not None:
+            pulumi.set(__self__, "type", type)
+    @_builtins.property
+    @pulumi.getter(name="accessKeyId")
+    def access_key_id(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Access key id to authenticate against the AWS secrets manager.
+        Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
+        variable.
+        """
+        return pulumi.get(self, "access_key_id")
+    @access_key_id.setter
+    def access_key_id(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "access_key_id", value)
+    @_builtins.property
+    @pulumi.getter(name="customTags")
+    def custom_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
+        """
+        Custom tags to set on the secret managed at the destination.
+        """
+        return pulumi.get(self, "custom_tags")
+    @custom_tags.setter
+    def custom_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "custom_tags", value)
+    @_builtins.property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "external_id", value)
+    @_builtins.property
+    @pulumi.getter
+    def granularity(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Determines what level of information is synced as a distinct resource
+        at the destination. Supports `secret-path` and `secret-key`.
+        """
+        return pulumi.get(self, "granularity")
+    @granularity.setter
+    def granularity(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "granularity", value)
+    @_builtins.property
+    @pulumi.getter
+    def name(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Unique name of the AWS destination.
+        """
+        return pulumi.get(self, "name")
+    @name.setter
+    def name(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "name", value)
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        """
+        return pulumi.get(self, "namespace")
+    @namespace.setter
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "namespace", value)
+    @_builtins.property
+    @pulumi.getter
+    def region(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Region where to manage the secrets manager entries.
+        Can be omitted and directly provided to Vault using the `AWS_REGION` environment
+        variable.
+        """
+        return pulumi.get(self, "region")
+    @region.setter
+    def region(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "region", value)
+    @_builtins.property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role,
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+    @role_arn.setter
+    def role_arn(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "role_arn", value)
+    @_builtins.property
+    @pulumi.getter(name="secretAccessKey")
+    def secret_access_key(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Secret access key to authenticate against the AWS secrets manager.
+        Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
+        variable.
+        """
+        return pulumi.get(self, "secret_access_key")
+    @secret_access_key.setter
+    def secret_access_key(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "secret_access_key", value)
+    @_builtins.property
+    @pulumi.getter(name="secretNameTemplate")
+    def secret_name_template(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Template describing how to generate external secret names.
+        Supports a subset of the Go Template syntax.
+        """
+        return pulumi.get(self, "secret_name_template")
+    @secret_name_template.setter
+    def secret_name_template(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "secret_name_template", value)
+    @_builtins.property
+    @pulumi.getter
+    def type(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The type of the secrets destination (`aws-sm`).
+        """
+        return pulumi.get(self, "type")
+    @type.setter
+    def type(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "type", value)
+@pulumi.type_token("vault:secrets/syncAwsDestination:SyncAwsDestination")
+class SyncAwsDestination(pulumi.CustomResource):
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 access_key_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 external_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 granularity: Optional[pulumi.Input[_builtins.str]] = None,
+                 name: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 region: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_arn: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_access_key: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_name_template: Optional[pulumi.Input[_builtins.str]] = None,
+                 __props__=None):
+        """
+        ## Example Usage
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        aws = vault.secrets.SyncAwsDestination("aws",
+            name="aws-dest",
+            access_key_id=access_key_id,
+            secret_access_key=secret_access_key,
+            region="us-east-1",
+            role_arn="role-arn",
+            external_id="external-id",
+            secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
+            custom_tags={
+                "foo": "bar",
+            })
+        ```
+        ## Import
+        AWS Secrets sync destinations can be imported using the `name`, e.g.
+        ```sh
+        $ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
+        ```
+        :param str resource_name: The name of the resource.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[_builtins.str] access_key_id: Access key id to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
+               variable.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[_builtins.str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[_builtins.str] granularity: Determines what level of information is synced as a distinct resource
+               at the destination. Supports `secret-path` and `secret-key`.
+        :param pulumi.Input[_builtins.str] name: Unique name of the AWS destination.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        :param pulumi.Input[_builtins.str] region: Region where to manage the secrets manager entries.
+               Can be omitted and directly provided to Vault using the `AWS_REGION` environment
+               variable.
+        :param pulumi.Input[_builtins.str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
+        :param pulumi.Input[_builtins.str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
+               variable.
+        :param pulumi.Input[_builtins.str] secret_name_template: Template describing how to generate external secret names.
+               Supports a subset of the Go Template syntax.
+        """
+        ...
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 args: Optional[SyncAwsDestinationArgs] = None,
+                 opts: Optional[pulumi.ResourceOptions] = None):
+        """
+        ## Example Usage
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        aws = vault.secrets.SyncAwsDestination("aws",
+            name="aws-dest",
+            access_key_id=access_key_id,
+            secret_access_key=secret_access_key,
+            region="us-east-1",
+            role_arn="role-arn",
+            external_id="external-id",
+            secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
+            custom_tags={
+                "foo": "bar",
+            })
+        ```
+        ## Import
+        AWS Secrets sync destinations can be imported using the `name`, e.g.
+        ```sh
+        $ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
+        ```
+        :param str resource_name: The name of the resource.
+        :param SyncAwsDestinationArgs args: The arguments to use to populate this resource's properties.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        """
+        ...
+    def __init__(__self__, resource_name: str, *args, **kwargs):
+        resource_args, opts = _utilities.get_resource_args_opts(SyncAwsDestinationArgs, pulumi.ResourceOptions, *args, **kwargs)
+        if resource_args is not None:
+            __self__._internal_init(resource_name, opts, **resource_args.__dict__)
+        else:
+            __self__._internal_init(resource_name, *args, **kwargs)
+    def _internal_init(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 access_key_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 external_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 granularity: Optional[pulumi.Input[_builtins.str]] = None,
+                 name: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 region: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_arn: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_access_key: Optional[pulumi.Input[_builtins.str]] = None,
+                 secret_name_template: Optional[pulumi.Input[_builtins.str]] = None,
+                 __props__=None):
+        opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
+        if not isinstance(opts, pulumi.ResourceOptions):
+            raise TypeError('Expected resource options to be a ResourceOptions instance')
+        if opts.id is None:
+            if __props__ is not None:
+                raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
+            __props__ = SyncAwsDestinationArgs.__new__(SyncAwsDestinationArgs)
+            __props__.__dict__["access_key_id"] = access_key_id
+            __props__.__dict__["custom_tags"] = custom_tags
+            __props__.__dict__["external_id"] = external_id
+            __props__.__dict__["granularity"] = granularity
+            __props__.__dict__["name"] = name
+            __props__.__dict__["namespace"] = namespace
+            __props__.__dict__["region"] = region
+            __props__.__dict__["role_arn"] = role_arn
+            __props__.__dict__["secret_access_key"] = None if secret_access_key is None else pulumi.Output.secret(secret_access_key)
+            __props__.__dict__["secret_name_template"] = secret_name_template
+            __props__.__dict__["type"] = None
+        secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["secretAccessKey"])
+        opts = pulumi.ResourceOptions.merge(opts, secret_opts)
+        super(SyncAwsDestination, __self__).__init__(
+            'vault:secrets/syncAwsDestination:SyncAwsDestination',
+            resource_name,
+            __props__,
+            opts)
+    @staticmethod
+    def get(resource_name: str,
+            id: pulumi.Input[str],
+            opts: Optional[pulumi.ResourceOptions] = None,
+            access_key_id: Optional[pulumi.Input[_builtins.str]] = None,
+            custom_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+            external_id: Optional[pulumi.Input[_builtins.str]] = None,
+            granularity: Optional[pulumi.Input[_builtins.str]] = None,
+            name: Optional[pulumi.Input[_builtins.str]] = None,
+            namespace: Optional[pulumi.Input[_builtins.str]] = None,
+            region: Optional[pulumi.Input[_builtins.str]] = None,
+            role_arn: Optional[pulumi.Input[_builtins.str]] = None,
+            secret_access_key: Optional[pulumi.Input[_builtins.str]] = None,
+            secret_name_template: Optional[pulumi.Input[_builtins.str]] = None,
+            type: Optional[pulumi.Input[_builtins.str]] = None) -> 'SyncAwsDestination':
+        """
+        Get an existing SyncAwsDestination resource's state with the given name, id, and optional extra
+        properties used to qualify the lookup.
+        :param str resource_name: The unique name of the resulting resource.
+        :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[_builtins.str] access_key_id: Access key id to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
+               variable.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] custom_tags: Custom tags to set on the secret managed at the destination.
+        :param pulumi.Input[_builtins.str] external_id: Optional extra protection that must match the trust policy granting access to the
+               AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+               The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+               relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+               denied errors. Ignored if the `role_arn` field is empty.
+        :param pulumi.Input[_builtins.str] granularity: Determines what level of information is synced as a distinct resource
+               at the destination. Supports `secret-path` and `secret-key`.
+        :param pulumi.Input[_builtins.str] name: Unique name of the AWS destination.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        :param pulumi.Input[_builtins.str] region: Region where to manage the secrets manager entries.
+               Can be omitted and directly provided to Vault using the `AWS_REGION` environment
+               variable.
+        :param pulumi.Input[_builtins.str] role_arn: Specifies a role to assume when connecting to AWS. When assuming a role,
+               Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+               exist for Vault to be able to assume this role. The role can be in a different account.
+               The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+               It is possible to provide both an access key pair and a role to assume.
+        :param pulumi.Input[_builtins.str] secret_access_key: Secret access key to authenticate against the AWS secrets manager.
+               Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
+               variable.
+        :param pulumi.Input[_builtins.str] secret_name_template: Template describing how to generate external secret names.
+               Supports a subset of the Go Template syntax.
+        :param pulumi.Input[_builtins.str] type: The type of the secrets destination (`aws-sm`).
+        """
+        opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
+        __props__ = _SyncAwsDestinationState.__new__(_SyncAwsDestinationState)
+        __props__.__dict__["access_key_id"] = access_key_id
+        __props__.__dict__["custom_tags"] = custom_tags
+        __props__.__dict__["external_id"] = external_id
+        __props__.__dict__["granularity"] = granularity
+        __props__.__dict__["name"] = name
+        __props__.__dict__["namespace"] = namespace
+        __props__.__dict__["region"] = region
+        __props__.__dict__["role_arn"] = role_arn
+        __props__.__dict__["secret_access_key"] = secret_access_key
+        __props__.__dict__["secret_name_template"] = secret_name_template
+        __props__.__dict__["type"] = type
+        return SyncAwsDestination(resource_name, opts=opts, __props__=__props__)
+    @_builtins.property
+    @pulumi.getter(name="accessKeyId")
+    def access_key_id(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Access key id to authenticate against the AWS secrets manager.
+        Can be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment
+        variable.
+        """
+        return pulumi.get(self, "access_key_id")
+    @_builtins.property
+    @pulumi.getter(name="customTags")
+    def custom_tags(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
+        """
+        Custom tags to set on the secret managed at the destination.
+        """
+        return pulumi.get(self, "custom_tags")
+    @_builtins.property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Optional extra protection that must match the trust policy granting access to the
+        AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
+        The field is mutable with no special condition, but users must be careful that the new value fits with the trust
+        relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
+        denied errors. Ignored if the `role_arn` field is empty.
+        """
+        return pulumi.get(self, "external_id")
+    @_builtins.property
+    @pulumi.getter
+    def granularity(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Determines what level of information is synced as a distinct resource
+        at the destination. Supports `secret-path` and `secret-key`.
+        """
+        return pulumi.get(self, "granularity")
+    @_builtins.property
+    @pulumi.getter
+    def name(self) -> pulumi.Output[_builtins.str]:
+        """
+        Unique name of the AWS destination.
+        """
+        return pulumi.get(self, "name")
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        """
+        return pulumi.get(self, "namespace")
+    @_builtins.property
+    @pulumi.getter
+    def region(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Region where to manage the secrets manager entries.
+        Can be omitted and directly provided to Vault using the `AWS_REGION` environment
+        variable.
+        """
+        return pulumi.get(self, "region")
+    @_builtins.property
+    @pulumi.getter(name="roleArn")
+    def role_arn(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Specifies a role to assume when connecting to AWS. When assuming a role,
+        Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must
+        exist for Vault to be able to assume this role. The role can be in a different account.
+        The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.
+        It is possible to provide both an access key pair and a role to assume.
+        """
+        return pulumi.get(self, "role_arn")
+    @_builtins.property
+    @pulumi.getter(name="secretAccessKey")
+    def secret_access_key(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Secret access key to authenticate against the AWS secrets manager.
+        Can be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment
+        variable.
+        """
+        return pulumi.get(self, "secret_access_key")
+    @_builtins.property
+    @pulumi.getter(name="secretNameTemplate")
+    def secret_name_template(self) -> pulumi.Output[_builtins.str]:
+        """
+        Template describing how to generate external secret names.
+        Supports a subset of the Go Template syntax.
+        """
+        return pulumi.get(self, "secret_name_template")
+    @_builtins.property
+    @pulumi.getter
+    def type(self) -> pulumi.Output[_builtins.str]:
+        """
+        The type of the secrets destination (`aws-sm`).
+        """
+        return pulumi.get(self, "type")