diff --git a/provider/cmd/pulumi-resource-vault/schema.json b/provider/cmd/pulumi-resource-vault/schema.json index dfba32a94..482306add 100644 --- a/provider/cmd/pulumi-resource-vault/schema.json +++ b/provider/cmd/pulumi-resource-vault/schema.json @@ -882,6 +882,10 @@ "type": "integer", "description": "The CQL protocol version to use.\n" }, + "skipVerification": { + "type": "boolean", + "description": "Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.\n" + }, "tls": { "type": "boolean", "description": "Whether to use TLS when connecting to Cassandra.\n" @@ -1458,11 +1462,28 @@ "description": "The root credential password used in the connection URL\n", "secret": true }, + "privateKey": { + "type": "string", + "description": "The secret key used for the x509 client certificate. Must be PEM encoded.\n", + "secret": true + }, + "selfManaged": { + "type": "boolean", + "description": "If set, allows onboarding static roles with a rootless connection configuration.\n" + }, "serviceAccountJson": { "type": "string", "description": "A JSON encoded credential for use with IAM authorization\n", "secret": true }, + "tlsCa": { + "type": "string", + "description": "The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.\n" + }, + "tlsCertificate": { + "type": "string", + "description": "The x509 client certificate for connecting to the database. Must be PEM encoded.\n" + }, "username": { "type": "string", "description": "The root credential username used in the connection URL\n" 
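Review bot: The `skipVerification` description in the Cassandra hunk explains what the permissions check costs but not what is lost by skipping it: a connection whose credentials cannot create roles is then accepted at configure time and only fails when a role is first created or rotated. I would extend the description with `When true, any permissions problem is deferred to the first role creation or rotation, so verify the connection credentials out of band before enabling it.` The identical string is repeated in the second Cassandra hunk further down and should receive the same wording.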
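Review bot: `selfManaged` lacks the version and edition requirement that the matching `selfManagedPassword` property in this same diff carries (`Only enabled for select DB engines (Postgres). Requires Vault 1.18+ Enterprise.`), so a user can set it against a server that does not honour it; I would append `Only supported by the PostgreSQL plugin and requires Vault 1.18+ Enterprise.` to its description. `tlsCa` and `tlsCertificate` call themselves an `x509 CA file` and `client certificate` while the value is a string that `Must be PEM encoded`, which reads as a file path; `The PEM-encoded contents of the CA certificate (not a path)` removes the ambiguity. `privateKey` is correctly marked `secret`; `tlsCa` and `tlsCertificate` are not, which is fine for public certificates but means they appear in plain text in state and previews, worth a sentence in the description.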
@@ -1680,6 +1701,10 @@ }, "description": "A list of database statements to be executed to rotate the root user's credentials.\n" }, + "skipVerification": { + "type": "boolean", + "description": "Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.\n" + }, "tls": { "type": "boolean", "description": "Whether to use TLS when connecting to Cassandra.\n" @@ -2825,6 +2850,11 @@ "type": "string", "description": "Specifies the name of the plugin to use.\n" }, + "privateKey": { + "type": "string", + "description": "The secret key used for the x509 client certificate. Must be PEM encoded.\n", + "secret": true + }, "rootRotationStatements": { "type": "array", "items": { @@ -2832,11 +2862,23 @@ }, "description": "A list of database statements to be executed to rotate the root user's credentials.\n" }, + "selfManaged": { + "type": "boolean", + "description": "If set, allows onboarding static roles with a rootless connection configuration.\n" + }, "serviceAccountJson": { "type": "string", "description": "A JSON encoded credential for use with IAM authorization\n", "secret": true }, + "tlsCa": { + "type": "string", + "description": "The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.\n" + }, + "tlsCertificate": { + "type": "string", + "description": "The x509 client certificate for connecting to the database. Must be PEM encoded.\n" + }, "username": { "type": "string", "description": "The root credential username used in the connection URL\n" 
@@ -6261,6 +6303,10 @@ "type": "string", "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n" }, + "numUses": { + "type": "integer", + "description": "The number of uses for the secret-id.\n" + }, "roleName": { "type": "string", "description": "The name of the role to create the SecretID for.\n" @@ -6270,6 +6316,10 @@ "description": "The SecretID to be created. If set, uses \"Push\"\nmode. Defaults to Vault auto-generating SecretIDs.\n", "secret": true }, + "ttl": { + "type": "integer", + "description": "The TTL duration of the SecretID.\n" + }, "withWrappedAccessor": { "type": "boolean", "description": "Set to `true` to use the wrapped secret-id accessor as the resource ID.\nIf `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or\ninvalidated through unwrapping.\n" @@ -6319,6 +6369,11 @@ "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", "willReplaceOnChanges": true }, + "numUses": { + "type": "integer", + "description": "The number of uses for the secret-id.\n", + "willReplaceOnChanges": true + }, "roleName": { "type": "string", "description": "The name of the role to create the SecretID for.\n", 
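Review bot: `ttl` is typed `integer` but its description gives no unit, and `numUses` does not say what `0` means; both matter because they are per-SecretID overrides of the role-level limits. I would write `TTL of the SecretID in seconds; overrides the role's secret_id_ttl and may not exceed it.` and `Number of logins this SecretID permits; overrides the role's secret_id_num_uses and may not exceed it.` — the exact override and zero semantics should be confirmed against the Vault AppRole API before committing to the wording. The `willReplaceOnChanges` on the state-side copies later in this diff is consistent with these being fixed at issuance, which appears to be the intent.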
@@ -6330,6 +6385,11 @@ "secret": true, "willReplaceOnChanges": true }, + "ttl": { + "type": "integer", + "description": "The TTL duration of the SecretID.\n", + "willReplaceOnChanges": true + }, "withWrappedAccessor": { "type": "boolean", "description": "Set to `true` to use the wrapped secret-id accessor as the resource ID.\nIf `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or\ninvalidated through unwrapping.\n", @@ -6374,6 +6434,11 @@ "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", "willReplaceOnChanges": true }, + "numUses": { + "type": "integer", + "description": "The number of uses for the secret-id.\n", + "willReplaceOnChanges": true + }, "roleName": { "type": "string", "description": "The name of the role to create the SecretID for.\n", @@ -6385,6 +6450,11 @@ "secret": true, "willReplaceOnChanges": true }, + "ttl": { + "type": "integer", + "description": "The TTL duration of the SecretID.\n", + "willReplaceOnChanges": true + }, "withWrappedAccessor": { "type": "boolean", "description": "Set to `true` to use the wrapped secret-id accessor as the resource ID.\nIf `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or\ninvalidated through unwrapping.\n", 
@@ -10519,6 +10589,11 @@ "type": "integer", "description": "The amount of time, in seconds, in which rotations are allowed to occur starting\nfrom a given `rotation_schedule`.\n" }, + "selfManagedPassword": { + "type": "string", + "description": "The password corresponding to the username in the database.\nRequired when using the Rootless Password Rotation workflow for static roles. Only enabled for\nselect DB engines (Postgres). Requires Vault 1.18+ Enterprise.\n", + "secret": true + }, "username": { "type": "string", "description": "The database username that this static role corresponds to.\n" @@ -10570,6 +10645,11 @@ "type": "integer", "description": "The amount of time, in seconds, in which rotations are allowed to occur starting\nfrom a given `rotation_schedule`.\n" }, + "selfManagedPassword": { + "type": "string", + "description": "The password corresponding to the username in the database.\nRequired when using the Rootless Password Rotation workflow for static roles. Only enabled for\nselect DB engines (Postgres). Requires Vault 1.18+ Enterprise.\n", + "secret": true + }, "username": { "type": "string", "description": "The database username that this static role corresponds to.\n", @@ -10623,6 +10703,11 @@ "type": "integer", "description": "The amount of time, in seconds, in which rotations are allowed to occur starting\nfrom a given `rotation_schedule`.\n" }, + "selfManagedPassword": { + "type": "string", + "description": "The password corresponding to the username in the database.\nRequired when using the Rootless Password Rotation workflow for static roles. Only enabled for\nselect DB engines (Postgres). Requires Vault 1.18+ Enterprise.\n", + "secret": true + }, "username": { "type": "string", "description": "The database username that this static role corresponds to.\n", 
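Review bot: `selfManagedPassword` is the bootstrap credential for a rootless static role, and once Vault begins rotating on the `rotation_schedule` shown in the surrounding context the value in the Pulumi program and state is no longer the live password; the description should say so, otherwise users may reuse it as the working credential or expect Pulumi to reflect the rotated value. Suggested addition: `This is only the initial password used to onboard the role; Vault rotates it afterwards, so the configured value becomes stale and must not be reused elsewhere.` Whether the provider reports drift on this field after rotation cannot be told from the schema and should be checked in the resource's Read path.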
@@ -12125,13 +12210,18 @@ "type": "string" }, "description": "List of OAuth scopes to assign to access tokens generated under this impersonated account.\n" + }, + "ttl": { + "type": "string", + "description": "Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n" } }, "required": [ "backend", "impersonatedAccount", "serviceAccountEmail", - "serviceAccountProject" + "serviceAccountProject", + "ttl" ], "inputProperties": { "backend": { @@ -12160,6 +12250,10 @@ "type": "string" }, "description": "List of OAuth scopes to assign to access tokens generated under this impersonated account.\n" + }, + "ttl": { + "type": "string", + "description": "Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n" } }, "requiredInputs": [ @@ -12200,6 +12294,10 @@ "type": "string" }, "description": "List of OAuth scopes to assign to access tokens generated under this impersonated account.\n" + }, + "ttl": { + "type": "string", + "description": "Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n" } }, "type": "object" 
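Review bot: The `ttl` description in the impersonated-account hunk speaks of `service principals generated using this role`, but this resource issues OAuth access tokens for an impersonated service account (the neighbouring `tokenScopes` description says exactly that), so the text looks copied from a different engine. I would use `Specifies the default TTL for access tokens generated for this impersonated account. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL.` The same string is added three times in this hunk (state, inputs and function output) and should be corrected in all of them.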
@@ -20580,13 +20678,18 @@ "type": "string", "description": "A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.\n", "secret": true + }, + "useAnnotationsAsAliasMetadata": { + "type": "boolean", + "description": "Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n" } }, "required": [ "disableIssValidation", "disableLocalCaJwt", "kubernetesCaCert", - "kubernetesHost" + "kubernetesHost", + "useAnnotationsAsAliasMetadata" ], "inputProperties": { "backend": { @@ -20630,6 +20733,10 @@ "type": "string", "description": "A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.\n", "secret": true + }, + "useAnnotationsAsAliasMetadata": { + "type": "boolean", + "description": "Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n" } }, "requiredInputs": [ @@ -20679,6 +20786,10 @@ "type": "string", "description": "A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.\n", "secret": true + }, + "useAnnotationsAsAliasMetadata": { + "type": "boolean", + "description": "Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n" } }, "type": "object" 
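Review bot: `useAnnotationsAsAliasMetadata` turns Kubernetes service-account annotations into Vault entity-alias metadata, and nothing in its description warns that anyone who can edit service accounts in the cluster can then shape that metadata; if templated policies or group membership key on alias metadata, that is a privilege boundary. I would add `Annotations are controlled by whoever can edit the service account in Kubernetes, so only enable this if policies reading alias metadata treat it as untrusted or service accounts are tightly controlled.` Whether any policy in a given deployment consumes this metadata is outside what the schema shows.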
@@ -21921,6 +22032,10 @@ "type": "string", "secret": true }, + "connectionTimeout": { + "type": "integer", + "description": "Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30)\n" + }, "denyNullBind": { "type": "boolean", "description": "Prevents users from bypassing authentication when providing an empty password.\n" @@ -22060,6 +22175,7 @@ "certificate", "clientTlsCert", "clientTlsKey", + "connectionTimeout", "denyNullBind", "description", "discoverdn", @@ -22103,6 +22219,10 @@ "type": "string", "secret": true }, + "connectionTimeout": { + "type": "integer", + "description": "Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30)\n" + }, "denyNullBind": { "type": "boolean", "description": "Prevents users from bypassing authentication when providing an empty password.\n" @@ -22270,6 +22390,10 @@ "type": "string", "secret": true }, + "connectionTimeout": { + "type": "integer", + "description": "Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30)\n" + }, "denyNullBind": { "type": "boolean", "description": "Prevents users from bypassing authentication when providing an empty password.\n" @@ -30194,6 +30318,9 @@ "type": "boolean", "description": "Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.\n" }, + "allowEmptyPrincipals": { + "type": "boolean" + }, "allowHostCertificates": { "type": "boolean", "description": "Specifies if certificates are allowed to be signed for use as a 'host'.\n" 
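Review bot: `allowEmptyPrincipals` is added to the SSH secret backend role with no description at all, yet it is the most security-sensitive field in the hunk: OpenSSH accepts a certificate with an empty principal list for any user, so a role that allows it can mint certificates usable for every account on every host that trusts the CA. I would add `Whether certificates may be issued with no valid principals. OpenSSH accepts a certificate with an empty principal list for any user, so leave this false unless that is the intent.` The provider-side default is not visible here and should be confirmed to be false; the same undocumented property is repeated twice more for the state and input variants.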
@@ -30319,6 +30446,9 @@ "type": "boolean", "description": "Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.\n" }, + "allowEmptyPrincipals": { + "type": "boolean" + }, "allowHostCertificates": { "type": "boolean", "description": "Specifies if certificates are allowed to be signed for use as a 'host'.\n" @@ -30443,6 +30573,9 @@ "type": "boolean", "description": "Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.\n" }, + "allowEmptyPrincipals": { + "type": "boolean" + }, "allowHostCertificates": { "type": "boolean", "description": "Specifies if certificates are allowed to be signed for use as a 'host'.\n" @@ -33684,10 +33817,12 @@ "willReplaceOnChanges": true }, "disableIssValidation": { - "type": "boolean" + "type": "boolean", + "description": "(Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n" }, "disableLocalCaJwt": { - "type": "boolean" + "type": "boolean", + "description": "(Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n" }, "issuer": { "type": "string", @@ -33712,6 +33847,10 @@ "type": "string" }, "description": "Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.\n" + }, + "useAnnotationsAsAliasMetadata": { + "type": "boolean", + "description": "(Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n" } }, "type": "object" 
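Review bot: The new `disableIssValidation` text, `Allows to skip ISS validation`, is ungrammatical and does not say what is actually skipped: the `iss` claim is no longer compared against the configured `issuer`, leaving the signature check and TokenReview as the only remaining validations. I would write `Disable validation of the JWT issuer (iss) claim against the configured issuer. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+.` and drop the `(Optional)` prefix, which the other descriptions in this schema do not use since optionality is expressed by `requiredInputs`. The same strings reappear in the following hunk for the function output variant.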
@@ -33723,9 +33862,11 @@ "type": "string" }, "disableIssValidation": { + "description": "(Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n", "type": "boolean" }, "disableLocalCaJwt": { + "description": "(Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n", "type": "boolean" }, "id": { @@ -33753,6 +33894,10 @@ "type": "string" }, "type": "array" + }, + "useAnnotationsAsAliasMetadata": { + "description": "(Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n", + "type": "boolean" } }, "required": [ @@ -33762,6 +33907,7 @@ "kubernetesCaCert", "kubernetesHost", "pemKeys", + "useAnnotationsAsAliasMetadata", "id" ], "type": "object" 
@@ -34190,7 +34336,7 @@ } }, "vault:kv/getSecretV2:getSecretV2": { - "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n path: \"kvv2\",\n type: \"kv\",\n options: {\n version: \"2\",\n },\n description: \"KV Version 2 secret engine mount\",\n});\nconst exampleSecretV2 = new vault.kv.SecretV2(\"example\", {\n mount: kvv2.path,\n name: \"secret\",\n cas: 1,\n deleteAllVersions: true,\n dataJson: JSON.stringify({\n zip: \"zap\",\n foo: \"bar\",\n }),\n});\nconst example = vault.kv.getSecretV2Output({\n mount: kvv2.path,\n name: exampleSecretV2.name,\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n path=\"kvv2\",\n type=\"kv\",\n options={\n \"version\": \"2\",\n },\n description=\"KV Version 2 secret engine mount\")\nexample_secret_v2 = vault.kv.SecretV2(\"example\",\n mount=kvv2.path,\n name=\"secret\",\n cas=1,\n delete_all_versions=True,\n data_json=json.dumps({\n \"zip\": \"zap\",\n \"foo\": \"bar\",\n }))\nexample = vault.kv.get_secret_v2_output(mount=kvv2.path,\n name=example_secret_v2.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var kvv2 = new Vault.Mount(\"kvv2\", new()\n {\n Path = \"kvv2\",\n Type = \"kv\",\n Options = \n {\n { \"version\", \"2\" },\n },\n Description = \"KV Version 2 secret engine mount\",\n });\n\n var exampleSecretV2 = new Vault.Kv.SecretV2(\"example\", new()\n {\n Mount = kvv2.Path,\n Name = \"secret\",\n Cas = 1,\n DeleteAllVersions = true,\n DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n [\"zip\"] = \"zap\",\n [\"foo\"] = \"bar\",\n }),\n });\n\n var example = Vault.kv.GetSecretV2.Invoke(new()\n {\n Mount = 
kvv2.Path,\n Name = exampleSecretV2.Name,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\texampleSecretV2, err := kv.NewSecretV2(ctx, \"example\", \u0026kv.SecretV2Args{\n\t\t\tMount: kvv2.Path,\n\t\t\tName: pulumi.String(\"secret\"),\n\t\t\tCas: pulumi.Int(1),\n\t\t\tDeleteAllVersions: pulumi.Bool(true),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kv.LookupSecretV2Output(ctx, kv.GetSecretV2OutputArgs{\n\t\t\tMount: kvv2.Path,\n\t\t\tName: exampleSecretV2.Name,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretV2;\nimport com.pulumi.vault.kv.SecretV2Args;\nimport com.pulumi.vault.kv.KvFunctions;\nimport com.pulumi.vault.kv.inputs.GetSecretV2Args;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public 
static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n .path(\"kvv2\")\n .type(\"kv\")\n .options(Map.of(\"version\", \"2\"))\n .description(\"KV Version 2 secret engine mount\")\n .build());\n\n var exampleSecretV2 = new SecretV2(\"exampleSecretV2\", SecretV2Args.builder()\n .mount(kvv2.path())\n .name(\"secret\")\n .cas(1)\n .deleteAllVersions(true)\n .dataJson(serializeJson(\n jsonObject(\n jsonProperty(\"zip\", \"zap\"),\n jsonProperty(\"foo\", \"bar\")\n )))\n .build());\n\n final var example = KvFunctions.getSecretV2(GetSecretV2Args.builder()\n .mount(kvv2.path())\n .name(exampleSecretV2.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n kvv2:\n type: vault:Mount\n properties:\n path: kvv2\n type: kv\n options:\n version: '2'\n description: KV Version 2 secret engine mount\n exampleSecretV2:\n type: vault:kv:SecretV2\n name: example\n properties:\n mount: ${kvv2.path}\n name: secret\n cas: 1\n deleteAllVersions: true\n dataJson:\n fn::toJSON:\n zip: zap\n foo: bar\nvariables:\n example:\n fn::invoke:\n Function: vault:kv:getSecretV2\n Arguments:\n mount: ${kvv2.path}\n name: ${exampleSecretV2.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the `read` capability on the given path.\n", + "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n path: \"kvv2\",\n type: \"kv\",\n options: {\n version: \"2\",\n },\n description: \"KV Version 2 secret engine mount\",\n});\nconst exampleSecretV2 = new vault.kv.SecretV2(\"example\", {\n mount: kvv2.path,\n name: \"secret\",\n deleteAllVersions: true,\n dataJson: JSON.stringify({\n zip: \"zap\",\n foo: \"bar\",\n }),\n});\nconst example = vault.kv.getSecretV2Output({\n 
mount: kvv2.path,\n name: exampleSecretV2.name,\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n path=\"kvv2\",\n type=\"kv\",\n options={\n \"version\": \"2\",\n },\n description=\"KV Version 2 secret engine mount\")\nexample_secret_v2 = vault.kv.SecretV2(\"example\",\n mount=kvv2.path,\n name=\"secret\",\n delete_all_versions=True,\n data_json=json.dumps({\n \"zip\": \"zap\",\n \"foo\": \"bar\",\n }))\nexample = vault.kv.get_secret_v2_output(mount=kvv2.path,\n name=example_secret_v2.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var kvv2 = new Vault.Mount(\"kvv2\", new()\n {\n Path = \"kvv2\",\n Type = \"kv\",\n Options = \n {\n { \"version\", \"2\" },\n },\n Description = \"KV Version 2 secret engine mount\",\n });\n\n var exampleSecretV2 = new Vault.Kv.SecretV2(\"example\", new()\n {\n Mount = kvv2.Path,\n Name = \"secret\",\n DeleteAllVersions = true,\n DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n [\"zip\"] = \"zap\",\n [\"foo\"] = \"bar\",\n }),\n });\n\n var example = Vault.kv.GetSecretV2.Invoke(new()\n {\n Mount = kvv2.Path,\n Name = exampleSecretV2.Name,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn 
err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\texampleSecretV2, err := kv.NewSecretV2(ctx, \"example\", \u0026kv.SecretV2Args{\n\t\t\tMount: kvv2.Path,\n\t\t\tName: pulumi.String(\"secret\"),\n\t\t\tDeleteAllVersions: pulumi.Bool(true),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kv.LookupSecretV2Output(ctx, kv.GetSecretV2OutputArgs{\n\t\t\tMount: kvv2.Path,\n\t\t\tName: exampleSecretV2.Name,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretV2;\nimport com.pulumi.vault.kv.SecretV2Args;\nimport com.pulumi.vault.kv.KvFunctions;\nimport com.pulumi.vault.kv.inputs.GetSecretV2Args;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n .path(\"kvv2\")\n .type(\"kv\")\n .options(Map.of(\"version\", \"2\"))\n .description(\"KV Version 2 secret engine mount\")\n .build());\n\n var exampleSecretV2 = new SecretV2(\"exampleSecretV2\", SecretV2Args.builder()\n .mount(kvv2.path())\n .name(\"secret\")\n .deleteAllVersions(true)\n .dataJson(serializeJson(\n jsonObject(\n jsonProperty(\"zip\", \"zap\"),\n jsonProperty(\"foo\", \"bar\")\n )))\n .build());\n\n final var example = KvFunctions.getSecretV2(GetSecretV2Args.builder()\n .mount(kvv2.path())\n .name(exampleSecretV2.name())\n .build());\n\n 
}\n}\n```\n```yaml\nresources:\n kvv2:\n type: vault:Mount\n properties:\n path: kvv2\n type: kv\n options:\n version: '2'\n description: KV Version 2 secret engine mount\n exampleSecretV2:\n type: vault:kv:SecretV2\n name: example\n properties:\n mount: ${kvv2.path}\n name: secret\n deleteAllVersions: true\n dataJson:\n fn::toJSON:\n zip: zap\n foo: bar\nvariables:\n example:\n fn::invoke:\n Function: vault:kv:getSecretV2\n Arguments:\n mount: ${kvv2.path}\n name: ${exampleSecretV2.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the `read` capability on the given path.\n", "inputs": { "description": "A collection of arguments for invoking getSecretV2.\n", "properties": { diff --git a/provider/go.mod b/provider/go.mod index 2c7896776..f94fe9c63 100644 --- a/provider/go.mod +++ b/provider/go.mod @@ -266,15 +266,15 @@ require ( go.uber.org/atomic v1.11.0 // indirect gocloud.dev v0.37.0 // indirect gocloud.dev/secrets/hashivault v0.37.0 // indirect - golang.org/x/crypto v0.26.0 // indirect + golang.org/x/crypto v0.27.0 // indirect golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect golang.org/x/mod v0.18.0 // indirect golang.org/x/net v0.28.0 // indirect golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.24.0 // indirect - golang.org/x/term v0.23.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/text v0.18.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.22.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect diff --git a/provider/go.sum b/provider/go.sum index ded9f2b85..b1baaea74 100644 --- a/provider/go.sum +++ b/provider/go.sum 
@@ -2325,8 +2325,10 @@ github.com/intel/goresctrl v0.2.0/go.mod h1:+CZdzouYFn5EsxgqAQTEzMfwKwuc0fVdMrT9 github.com/intel/goresctrl v0.3.0/go.mod h1:fdz3mD85cmP9sHD8JUlrNWAxvwM86CrbmVXltEKd7zk= github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= github.com/j-keck/arping v1.0.2/go.mod h1:aJbELhR92bSk7tp79AWM/ftfc90EfEi2bQJrbBFOsPw= +github.com/jackc/chunkreader v1.0.0 h1:4s39bBR8ByfqH+DKm8rQA3E1LHZWB9XWcrz8fqaZbe0= github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= +github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8= github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA= github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE= 
@@ -2335,11 +2337,16 @@ github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfG github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY= github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI= github.com/jackc/pgconn v1.14.0/go.mod h1:9mBNlny0UvkgJdCDvdVHYSjI+8tD2rnKK69Wz8ti++E= +github.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w= +github.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM= +github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE= github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8= github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE= github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c= github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak= +github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= +github.com/jackc/pgproto3 v1.1.0 h1:FYYE4yRw+AgI8wXIinMlNjBbp/UitDJwfj5LqqewP1A= github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78= github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA= github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg= 
@@ -2348,18 +2355,25 @@ github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1: github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= github.com/jackc/pgproto3/v2 v2.3.2/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= +github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag= +github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E= github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg= github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc= github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw= github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM= +github.com/jackc/pgtype v1.14.0 h1:y+xUdabmyMkJLyApYuPj38mW+aAIqCe5uuBB51rH3Vw= github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4= github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y= github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM= github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod 
h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc= github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs= github.com/jackc/pgx/v4 v4.18.1/go.mod h1:FydWkUyadDmdNH/mHnGob881GawxeEm7TcMCzkb+qQE= +github.com/jackc/pgx/v4 v4.18.3 h1:dE2/TrEsGX3RBprb3qryqSV9Y60iZN1C6i8IrmW9/BA= +github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw= github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= @@ -3317,8 +3331,8 @@ golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -3710,8 +3724,8 @@ golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -3735,8 +3749,8 @@ golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= -golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -3758,8 +3772,8 @@ golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/sdk/dotnet/AppRole/AuthBackendRoleSecretId.cs b/sdk/dotnet/AppRole/AuthBackendRoleSecretId.cs index 6d513e034..79948ff21 100644 --- a/sdk/dotnet/AppRole/AuthBackendRoleSecretId.cs +++ b/sdk/dotnet/AppRole/AuthBackendRoleSecretId.cs @@ -93,6 +93,12 @@ public partial class AuthBackendRoleSecretId : global::Pulumi.CustomResource [Output("namespace")] public Output Namespace { get; private set; } = null!; + /// + /// The number of uses for the secret-id. + /// + [Output("numUses")] + public Output NumUses { get; private set; } = null!; + /// /// The name of the role to create the SecretID for. /// 
@@ -106,6 +112,12 @@ public partial class AuthBackendRoleSecretId : global::Pulumi.CustomResource [Output("secretId")] public Output SecretId { get; private set; } = null!; + /// + /// The TTL duration of the SecretID. + /// + [Output("ttl")] + public Output Ttl { get; private set; } = null!; + /// /// Set to `true` to use the wrapped secret-id accessor as the resource ID. /// If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or @@ -226,6 +238,12 @@ public InputList CidrLists [Input("namespace")] public Input? Namespace { get; set; } + /// + /// The number of uses for the secret-id. + /// + [Input("numUses")] + public Input? NumUses { get; set; } + /// /// The name of the role to create the SecretID for. /// @@ -249,6 +267,12 @@ public Input? SecretId } } + /// + /// The TTL duration of the SecretID. + /// + [Input("ttl")] + public Input? Ttl { get; set; } + /// /// Set to `true` to use the wrapped secret-id accessor as the resource ID. /// If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or @@ -315,6 +339,12 @@ public InputList CidrLists [Input("namespace")] public Input? Namespace { get; set; } + /// + /// The number of uses for the secret-id. + /// + [Input("numUses")] + public Input? NumUses { get; set; } + /// /// The name of the role to create the SecretID for. /// @@ -338,6 +368,12 @@ public Input? SecretId } } + /// + /// The TTL duration of the SecretID. + /// + [Input("ttl")] + public Input? Ttl { get; set; } + /// /// Set to `true` to use the wrapped secret-id accessor as the resource ID. /// If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or diff --git a/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraArgs.cs b/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraArgs.cs index e788b7e0e..94daad16d 100644 
--- a/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraArgs.cs @@ -96,6 +96,12 @@ public Input? PemJson [Input("protocolVersion")] public Input? ProtocolVersion { get; set; } + /// + /// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + /// + [Input("skipVerification")] + public Input? SkipVerification { get; set; } + /// /// Whether to use TLS when connecting to Cassandra. /// diff --git a/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraGetArgs.cs b/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraGetArgs.cs index 9b5276bf4..f9e0dd049 100644 --- a/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraGetArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretBackendConnectionCassandraGetArgs.cs @@ -96,6 +96,12 @@ public Input? PemJson [Input("protocolVersion")] public Input? ProtocolVersion { get; set; } + /// + /// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + /// + [Input("skipVerification")] + public Input? SkipVerification { get; set; } + /// /// Whether to use TLS when connecting to Cassandra. /// diff --git a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs index f7ffc1e71..8d41f5723 100644 --- a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs 
@@ -64,6 +64,28 @@ public Input? Password } } + [Input("privateKey")] + private Input? _privateKey; + + /// + /// The secret key used for the x509 client certificate. Must be PEM encoded. + /// + public Input? PrivateKey + { + get => _privateKey; + set + { + var emptySecret = Output.CreateSecret(0); + _privateKey = Output.Tuple?, int>(value, emptySecret).Apply(t => t.Item1); + } + } + + /// + /// If set, allows onboarding static roles with a rootless connection configuration. + /// + [Input("selfManaged")] + public Input? SelfManaged { get; set; } + [Input("serviceAccountJson")] private Input? _serviceAccountJson; @@ -80,6 +102,18 @@ public Input? ServiceAccountJson } } + /// + /// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + /// + [Input("tlsCa")] + public Input? TlsCa { get; set; } + + /// + /// The x509 client certificate for connecting to the database. Must be PEM encoded. + /// + [Input("tlsCertificate")] + public Input? TlsCertificate { get; set; } + /// /// The root credential username used in the connection URL /// diff --git a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs index e68e57069..7287b3c7b 100644 --- a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs 
@@ -64,6 +64,28 @@ public Input? Password } } + [Input("privateKey")] + private Input? _privateKey; + + /// + /// The secret key used for the x509 client certificate. Must be PEM encoded. + /// + public Input? PrivateKey + { + get => _privateKey; + set + { + var emptySecret = Output.CreateSecret(0); + _privateKey = Output.Tuple?, int>(value, emptySecret).Apply(t => t.Item1); + } + } + + /// + /// If set, allows onboarding static roles with a rootless connection configuration. + /// + [Input("selfManaged")] + public Input? SelfManaged { get; set; } + [Input("serviceAccountJson")] private Input? _serviceAccountJson; @@ -80,6 +102,18 @@ public Input? ServiceAccountJson } } + /// + /// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + /// + [Input("tlsCa")] + public Input? TlsCa { get; set; } + + /// + /// The x509 client certificate for connecting to the database. Must be PEM encoded. + /// + [Input("tlsCertificate")] + public Input? TlsCertificate { get; set; } + /// /// The root credential username used in the connection URL /// diff --git a/sdk/dotnet/Database/Inputs/SecretsMountCassandraArgs.cs b/sdk/dotnet/Database/Inputs/SecretsMountCassandraArgs.cs index 54da3d47a..debd16e76 100644 --- a/sdk/dotnet/Database/Inputs/SecretsMountCassandraArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretsMountCassandraArgs.cs @@ -147,6 +147,12 @@ public InputList RootRotationStatements set => _rootRotationStatements = value; } + /// + /// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + /// + [Input("skipVerification")] + public Input? SkipVerification { get; set; } + /// /// Whether to use TLS when connecting to Cassandra. /// 
diff --git a/sdk/dotnet/Database/Inputs/SecretsMountCassandraGetArgs.cs b/sdk/dotnet/Database/Inputs/SecretsMountCassandraGetArgs.cs index d678804d1..38e4d5e70 100644 --- a/sdk/dotnet/Database/Inputs/SecretsMountCassandraGetArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretsMountCassandraGetArgs.cs @@ -147,6 +147,12 @@ public InputList RootRotationStatements set => _rootRotationStatements = value; } + /// + /// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + /// + [Input("skipVerification")] + public Input? SkipVerification { get; set; } + /// /// Whether to use TLS when connecting to Cassandra. /// diff --git a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs index fd2ac32e4..061463c4b 100644 --- a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs @@ -103,6 +103,22 @@ public Input? Password [Input("pluginName")] public Input? PluginName { get; set; } + [Input("privateKey")] + private Input? _privateKey; + + /// + /// The secret key used for the x509 client certificate. Must be PEM encoded. + /// + public Input? PrivateKey + { + get => _privateKey; + set + { + var emptySecret = Output.CreateSecret(0); + _privateKey = Output.Tuple?, int>(value, emptySecret).Apply(t => t.Item1); + } + } + [Input("rootRotationStatements")] private InputList? _rootRotationStatements; @@ -115,6 +131,12 @@ public InputList RootRotationStatements set => _rootRotationStatements = value; } + /// + /// If set, allows onboarding static roles with a rootless connection configuration. + /// + [Input("selfManaged")] + public Input? SelfManaged { get; set; } + [Input("serviceAccountJson")] private Input? _serviceAccountJson; 
@@ -131,6 +153,18 @@ public Input? ServiceAccountJson } } + /// + /// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + /// + [Input("tlsCa")] + public Input? TlsCa { get; set; } + + /// + /// The x509 client certificate for connecting to the database. Must be PEM encoded. + /// + [Input("tlsCertificate")] + public Input? TlsCertificate { get; set; } + /// /// The root credential username used in the connection URL /// diff --git a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs index 22661a946..e94e494c3 100644 --- a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs @@ -103,6 +103,22 @@ public Input? Password [Input("pluginName")] public Input? PluginName { get; set; } + [Input("privateKey")] + private Input? _privateKey; + + /// + /// The secret key used for the x509 client certificate. Must be PEM encoded. + /// + public Input? PrivateKey + { + get => _privateKey; + set + { + var emptySecret = Output.CreateSecret(0); + _privateKey = Output.Tuple?, int>(value, emptySecret).Apply(t => t.Item1); + } + } + [Input("rootRotationStatements")] private InputList? _rootRotationStatements; @@ -115,6 +131,12 @@ public InputList RootRotationStatements set => _rootRotationStatements = value; } + /// + /// If set, allows onboarding static roles with a rootless connection configuration. + /// + [Input("selfManaged")] + public Input? SelfManaged { get; set; } + [Input("serviceAccountJson")] private Input? _serviceAccountJson; 
@@ -131,6 +153,18 @@ public Input? ServiceAccountJson } } + /// + /// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + /// + [Input("tlsCa")] + public Input? TlsCa { get; set; } + + /// + /// The x509 client certificate for connecting to the database. Must be PEM encoded. + /// + [Input("tlsCertificate")] + public Input? TlsCertificate { get; set; } + /// /// The root credential username used in the connection URL /// diff --git a/sdk/dotnet/Database/Outputs/SecretBackendConnectionCassandra.cs b/sdk/dotnet/Database/Outputs/SecretBackendConnectionCassandra.cs index 5a4f11fc4..2e756c6a2 100644 --- a/sdk/dotnet/Database/Outputs/SecretBackendConnectionCassandra.cs +++ b/sdk/dotnet/Database/Outputs/SecretBackendConnectionCassandra.cs @@ -46,6 +46,10 @@ public sealed class SecretBackendConnectionCassandra /// public readonly int? ProtocolVersion; /// + /// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + /// + public readonly bool? SkipVerification; + /// /// Whether to use TLS when connecting to Cassandra. /// public readonly bool? Tls; @@ -72,6 +76,8 @@ private SecretBackendConnectionCassandra( int? protocolVersion, + bool? skipVerification, + bool? tls, string? username) @@ -84,6 +90,7 @@ private SecretBackendConnectionCassandra( PemJson = pemJson; Port = port; ProtocolVersion = protocolVersion; + SkipVerification = skipVerification; Tls = tls; Username = username; } diff --git a/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs b/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs index ebef8a7a5..211145d7f 100644 --- a/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs +++ b/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs 
@@ -42,10 +42,26 @@ public sealed class SecretBackendConnectionPostgresql /// public readonly string? Password; /// + /// The secret key used for the x509 client certificate. Must be PEM encoded. + /// + public readonly string? PrivateKey; + /// + /// If set, allows onboarding static roles with a rootless connection configuration. + /// + public readonly bool? SelfManaged; + /// /// A JSON encoded credential for use with IAM authorization /// public readonly string? ServiceAccountJson; /// + /// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + /// + public readonly string? TlsCa; + /// + /// The x509 client certificate for connecting to the database. Must be PEM encoded. + /// + public readonly string? TlsCertificate; + /// /// The root credential username used in the connection URL /// public readonly string? Username; @@ -70,8 +86,16 @@ private SecretBackendConnectionPostgresql( string? password, + string? privateKey, + + bool? selfManaged, + string? serviceAccountJson, + string? tlsCa, + + string? tlsCertificate, + string? username, string? usernameTemplate) @@ -83,7 +107,11 @@ private SecretBackendConnectionPostgresql( MaxIdleConnections = maxIdleConnections; MaxOpenConnections = maxOpenConnections; Password = password; + PrivateKey = privateKey; + SelfManaged = selfManaged; ServiceAccountJson = serviceAccountJson; + TlsCa = tlsCa; + TlsCertificate = tlsCertificate; Username = username; UsernameTemplate = usernameTemplate; } diff --git a/sdk/dotnet/Database/Outputs/SecretsMountCassandra.cs b/sdk/dotnet/Database/Outputs/SecretsMountCassandra.cs index b71161e6a..02458558a 100644 --- a/sdk/dotnet/Database/Outputs/SecretsMountCassandra.cs +++ b/sdk/dotnet/Database/Outputs/SecretsMountCassandra.cs 
@@ -69,6 +69,10 @@ public sealed class SecretsMountCassandra /// public readonly ImmutableArray RootRotationStatements; /// + /// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + /// + public readonly bool? SkipVerification; + /// /// Whether to use TLS when connecting to Cassandra. /// public readonly bool? Tls; @@ -110,6 +114,8 @@ private SecretsMountCassandra( ImmutableArray rootRotationStatements, + bool? skipVerification, + bool? tls, string? username, @@ -129,6 +135,7 @@ private SecretsMountCassandra( Port = port; ProtocolVersion = protocolVersion; RootRotationStatements = rootRotationStatements; + SkipVerification = skipVerification; Tls = tls; Username = username; VerifyConnection = verifyConnection; diff --git a/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs b/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs index f8f848d19..e5a911da1 100644 --- a/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs +++ b/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs 
@@ -61,14 +61,30 @@ public sealed class SecretsMountPostgresql /// public readonly string? PluginName; /// + /// The secret key used for the x509 client certificate. Must be PEM encoded. + /// + public readonly string? PrivateKey; + /// /// A list of database statements to be executed to rotate the root user's credentials. /// public readonly ImmutableArray RootRotationStatements; /// + /// If set, allows onboarding static roles with a rootless connection configuration. + /// + public readonly bool? SelfManaged; + /// /// A JSON encoded credential for use with IAM authorization /// public readonly string? ServiceAccountJson; /// + /// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + /// + public readonly string? TlsCa; + /// + /// The x509 client certificate for connecting to the database. Must be PEM encoded. + /// + public readonly string? TlsCertificate; + /// /// The root credential username used in the connection URL /// public readonly string? Username; @@ -106,10 +122,18 @@ private SecretsMountPostgresql( string? pluginName, + string? privateKey, + ImmutableArray rootRotationStatements, + bool? selfManaged, + string? serviceAccountJson, + string? tlsCa, + + string? tlsCertificate, + string? username, string? usernameTemplate, @@ -127,8 +151,12 @@ private SecretsMountPostgresql( Name = name; Password = password; PluginName = pluginName; + PrivateKey = privateKey; RootRotationStatements = rootRotationStatements; + SelfManaged = selfManaged; ServiceAccountJson = serviceAccountJson; + TlsCa = tlsCa; + TlsCertificate = tlsCertificate; Username = username; UsernameTemplate = usernameTemplate; VerifyConnection = verifyConnection; diff --git a/sdk/dotnet/Database/SecretBackendStaticRole.cs b/sdk/dotnet/Database/SecretBackendStaticRole.cs index fcaf30039..6f0ee0c09 100644 --- a/sdk/dotnet/Database/SecretBackendStaticRole.cs +++ b/sdk/dotnet/Database/SecretBackendStaticRole.cs 
@@ -144,6 +144,14 @@ public partial class SecretBackendStaticRole : global::Pulumi.CustomResource [Output("rotationWindow")] public Output RotationWindow { get; private set; } = null!; + /// + /// The password corresponding to the username in the database. + /// Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + /// select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + /// + [Output("selfManagedPassword")] + public Output SelfManagedPassword { get; private set; } = null!; + /// /// The database username that this static role corresponds to. /// @@ -173,6 +181,10 @@ private static CustomResourceOptions MakeResourceOptions(CustomResourceOptions? var defaultOptions = new CustomResourceOptions { Version = Utilities.Version, + AdditionalSecretOutputs = + { + "selfManagedPassword", + }, }; var merged = CustomResourceOptions.Merge(defaultOptions, options); // Override the ID if one was specified for consistency with other language SDKs. @@ -259,6 +271,24 @@ public InputList RotationStatements [Input("rotationWindow")] public Input? RotationWindow { get; set; } + [Input("selfManagedPassword")] + private Input? _selfManagedPassword; + + /// + /// The password corresponding to the username in the database. + /// Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + /// select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + /// + public Input? SelfManagedPassword + { + get => _selfManagedPassword; + set + { + var emptySecret = Output.CreateSecret(0); + _selfManagedPassword = Output.Tuple?, int>(value, emptySecret).Apply(t => t.Item1); + } + } + /// /// The database username that this static role corresponds to. /// 
@@ -336,6 +366,24 @@ public InputList RotationStatements [Input("rotationWindow")] public Input? RotationWindow { get; set; } + [Input("selfManagedPassword")] + private Input? _selfManagedPassword; + + /// + /// The password corresponding to the username in the database. + /// Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + /// select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + /// + public Input? SelfManagedPassword + { + get => _selfManagedPassword; + set + { + var emptySecret = Output.CreateSecret(0); + _selfManagedPassword = Output.Tuple?, int>(value, emptySecret).Apply(t => t.Item1); + } + } + /// /// The database username that this static role corresponds to. /// diff --git a/sdk/dotnet/Gcp/SecretImpersonatedAccount.cs b/sdk/dotnet/Gcp/SecretImpersonatedAccount.cs index 788933b8b..bec859124 100644 --- a/sdk/dotnet/Gcp/SecretImpersonatedAccount.cs +++ b/sdk/dotnet/Gcp/SecretImpersonatedAccount.cs @@ -102,6 +102,13 @@ public partial class SecretImpersonatedAccount : global::Pulumi.CustomResource [Output("tokenScopes")] public Output> TokenScopes { get; private set; } = null!; + /// + /// Specifies the default TTL for service principals generated using this role. + /// Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + /// + [Output("ttl")] + public Output Ttl { get; private set; } = null!; + /// /// Create a SecretImpersonatedAccount resource with the given unique name, arguments, and options. @@ -184,6 +191,13 @@ public InputList TokenScopes set => _tokenScopes = value; } + /// + /// Specifies the default TTL for service principals generated using this role. + /// Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + /// + [Input("ttl")] + public Input? Ttl { get; set; } + public SecretImpersonatedAccountArgs() { } 
@@ -234,6 +248,13 @@ public InputList TokenScopes set => _tokenScopes = value; } + /// + /// Specifies the default TTL for service principals generated using this role. + /// Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + /// + [Input("ttl")] + public Input? Ttl { get; set; } + public SecretImpersonatedAccountState() { } diff --git a/sdk/dotnet/Kubernetes/AuthBackendConfig.cs b/sdk/dotnet/Kubernetes/AuthBackendConfig.cs index 3cbb42b96..94e2fefb0 100644 --- a/sdk/dotnet/Kubernetes/AuthBackendConfig.cs +++ b/sdk/dotnet/Kubernetes/AuthBackendConfig.cs @@ -112,6 +112,12 @@ public partial class AuthBackendConfig : global::Pulumi.CustomResource [Output("tokenReviewerJwt")] public Output TokenReviewerJwt { get; private set; } = null!; + /// + /// Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + /// + [Output("useAnnotationsAsAliasMetadata")] + public Output UseAnnotationsAsAliasMetadata { get; private set; } = null!; + /// /// Create a AuthBackendConfig resource with the given unique name, arguments, and options. @@ -235,6 +241,12 @@ public Input? TokenReviewerJwt } } + /// + /// Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + /// + [Input("useAnnotationsAsAliasMetadata")] + public Input? UseAnnotationsAsAliasMetadata { get; set; } + public AuthBackendConfigArgs() { } @@ -316,6 +328,12 @@ public Input? TokenReviewerJwt } } + /// + /// Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + /// + [Input("useAnnotationsAsAliasMetadata")] + public Input? UseAnnotationsAsAliasMetadata { get; set; } + public AuthBackendConfigState() { } 
diff --git a/sdk/dotnet/Kubernetes/GetAuthBackendConfig.cs b/sdk/dotnet/Kubernetes/GetAuthBackendConfig.cs index fda210713..c21acce16 100644 --- a/sdk/dotnet/Kubernetes/GetAuthBackendConfig.cs +++ b/sdk/dotnet/Kubernetes/GetAuthBackendConfig.cs @@ -38,9 +38,15 @@ public sealed class GetAuthBackendConfigArgs : global::Pulumi.InvokeArgs [Input("backend")] public string? Backend { get; set; } + /// + /// (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + /// [Input("disableIssValidation")] public bool? DisableIssValidation { get; set; } + /// + /// (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + /// [Input("disableLocalCaJwt")] public bool? DisableLocalCaJwt { get; set; } @@ -83,6 +89,12 @@ public List PemKeys set => _pemKeys = value; } + /// + /// (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + /// + [Input("useAnnotationsAsAliasMetadata")] + public bool? UseAnnotationsAsAliasMetadata { get; set; } + public GetAuthBackendConfigArgs() { } @@ -98,9 +110,15 @@ public sealed class GetAuthBackendConfigInvokeArgs : global::Pulumi.InvokeArgs [Input("backend")] public Input? Backend { get; set; } + /// + /// (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + /// [Input("disableIssValidation")] public Input? DisableIssValidation { get; set; } + /// + /// (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + /// [Input("disableLocalCaJwt")] public Input? DisableLocalCaJwt { get; set; } 
@@ -143,6 +161,12 @@ public InputList PemKeys set => _pemKeys = value; } + /// + /// (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + /// + [Input("useAnnotationsAsAliasMetadata")] + public Input? UseAnnotationsAsAliasMetadata { get; set; } + public GetAuthBackendConfigInvokeArgs() { } @@ -154,7 +178,13 @@ public GetAuthBackendConfigInvokeArgs() public sealed class GetAuthBackendConfigResult { public readonly string? Backend; + /// + /// (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + /// public readonly bool DisableIssValidation; + /// + /// (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + /// public readonly bool DisableLocalCaJwt; /// /// The provider-assigned unique ID for this managed resource. @@ -177,6 +207,10 @@ public sealed class GetAuthBackendConfigResult /// Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. /// public readonly ImmutableArray PemKeys; + /// + /// (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + /// + public readonly bool UseAnnotationsAsAliasMetadata; [OutputConstructor] private GetAuthBackendConfigResult( @@ -196,7 +230,9 @@ private GetAuthBackendConfigResult( string? @namespace, - ImmutableArray pemKeys) + ImmutableArray pemKeys, + + bool useAnnotationsAsAliasMetadata) { Backend = backend; DisableIssValidation = disableIssValidation; 
@@ -207,6 +243,7 @@ private GetAuthBackendConfigResult( KubernetesHost = kubernetesHost; Namespace = @namespace; PemKeys = pemKeys; + UseAnnotationsAsAliasMetadata = useAnnotationsAsAliasMetadata; } } } diff --git a/sdk/dotnet/Ldap/AuthBackend.cs b/sdk/dotnet/Ldap/AuthBackend.cs index 35e12b6c8..a26c9572a 100644 --- a/sdk/dotnet/Ldap/AuthBackend.cs +++ b/sdk/dotnet/Ldap/AuthBackend.cs @@ -84,6 +84,12 @@ public partial class AuthBackend : global::Pulumi.CustomResource [Output("clientTlsKey")] public Output ClientTlsKey { get; private set; } = null!; + /// + /// Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + /// + [Output("connectionTimeout")] + public Output ConnectionTimeout { get; private set; } = null!; + /// /// Prevents users from bypassing authentication when providing an empty password. /// @@ -375,6 +381,12 @@ public Input? ClientTlsKey } } + /// + /// Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + /// + [Input("connectionTimeout")] + public Input? ConnectionTimeout { get; set; } + /// /// Prevents users from bypassing authentication when providing an empty password. /// @@ -641,6 +653,12 @@ public Input? ClientTlsKey } } + /// + /// Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + /// + [Input("connectionTimeout")] + public Input? ConnectionTimeout { get; set; } + /// /// Prevents users from bypassing authentication when providing an empty password. /// diff --git a/sdk/dotnet/Ssh/SecretBackendRole.cs b/sdk/dotnet/Ssh/SecretBackendRole.cs index cf5d006f0..1f25f4af7 100644 --- a/sdk/dotnet/Ssh/SecretBackendRole.cs +++ b/sdk/dotnet/Ssh/SecretBackendRole.cs 
@@ -72,6 +72,9 @@ public partial class SecretBackendRole : global::Pulumi.CustomResource [Output("allowBareDomains")] public Output AllowBareDomains { get; private set; } = null!; + [Output("allowEmptyPrincipals")] + public Output AllowEmptyPrincipals { get; private set; } = null!; + /// /// Specifies if certificates are allowed to be signed for use as a 'host'. /// @@ -280,6 +283,9 @@ public sealed class SecretBackendRoleArgs : global::Pulumi.ResourceArgs [Input("allowBareDomains")] public Input? AllowBareDomains { get; set; } + [Input("allowEmptyPrincipals")] + public Input? AllowEmptyPrincipals { get; set; } + /// /// Specifies if certificates are allowed to be signed for use as a 'host'. /// @@ -468,6 +474,9 @@ public sealed class SecretBackendRoleState : global::Pulumi.ResourceArgs [Input("allowBareDomains")] public Input? AllowBareDomains { get; set; } + [Input("allowEmptyPrincipals")] + public Input? AllowEmptyPrincipals { get; set; } + /// /// Specifies if certificates are allowed to be signed for use as a 'host'. /// diff --git a/sdk/dotnet/kv/GetSecretV2.cs b/sdk/dotnet/kv/GetSecretV2.cs index e75ccf353..5659e6aeb 100644 --- a/sdk/dotnet/kv/GetSecretV2.cs +++ b/sdk/dotnet/kv/GetSecretV2.cs @@ -38,7 +38,6 @@ public static class GetSecretV2 /// { /// Mount = kvv2.Path, /// Name = "secret", - /// Cas = 1, /// DeleteAllVersions = true, /// DataJson = JsonSerializer.Serialize(new Dictionary<string, object?> /// { @@ -90,7 +89,6 @@ public static Task InvokeAsync(GetSecretV2Args args, InvokeOp /// { /// Mount = kvv2.Path, /// Name = "secret", - /// Cas = 1, /// DeleteAllVersions = true, /// DataJson = JsonSerializer.Serialize(new Dictionary<string, object?> /// { diff --git a/sdk/go/vault/approle/authBackendRoleSecretId.go b/sdk/go/vault/approle/authBackendRoleSecretId.go index acf854ada..fa38ae9e6 100644 --- a/sdk/go/vault/approle/authBackendRoleSecretId.go +++ b/sdk/go/vault/approle/authBackendRoleSecretId.go 
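Review bot: `AllowEmptyPrincipals` is the only property in the SecretBackendRole hunks added with no XML doc comment at all (output, args and state alike), and it is precisely the kind of knob that needs one: in the OpenSSH certificate format an empty valid-principals list means the certificate is valid for any principal, so a role that signs such certificates hands out credentials usable for any account on hosts that trust the CA. I would document all three occurrences along the lines of `/// Allow signing certificates that carry no valid principals. Leave this unset unless target hosts enforce principals some other way; an SSH certificate with an empty principal list is accepted for any user.` The default and the Vault/plugin version that introduced the field are not visible here and should be taken from the provider docs rather than guessed.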
@@ -89,11 +89,15 @@ type AuthBackendRoleSecretId struct { // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). // *Available only for Vault Enterprise*. Namespace pulumi.StringPtrOutput `pulumi:"namespace"` + // The number of uses for the secret-id. + NumUses pulumi.IntPtrOutput `pulumi:"numUses"` // The name of the role to create the SecretID for. RoleName pulumi.StringOutput `pulumi:"roleName"` // The SecretID to be created. If set, uses "Push" // mode. Defaults to Vault auto-generating SecretIDs. SecretId pulumi.StringOutput `pulumi:"secretId"` + // The TTL duration of the SecretID. + Ttl pulumi.IntPtrOutput `pulumi:"ttl"` // Set to `true` to use the wrapped secret-id accessor as the resource ID. // If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or // invalidated through unwrapping. @@ -172,11 +176,15 @@ type authBackendRoleSecretIdState struct { // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). // *Available only for Vault Enterprise*. Namespace *string `pulumi:"namespace"` + // The number of uses for the secret-id. + NumUses *int `pulumi:"numUses"` // The name of the role to create the SecretID for. RoleName *string `pulumi:"roleName"` // The SecretID to be created. If set, uses "Push" // mode. Defaults to Vault auto-generating SecretIDs. SecretId *string `pulumi:"secretId"` + // The TTL duration of the SecretID. + Ttl *int `pulumi:"ttl"` // Set to `true` to use the wrapped secret-id accessor as the resource ID. // If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or // invalidated through unwrapping. 
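Review bot: The new `NumUses` and `Ttl` comments in the AuthBackendRoleSecretId struct hunk are too thin for fields that bound a credential's lifetime: a reader cannot tell the unit of `Ttl` or what zero means for either, and zero is the permissive case (unlimited uses, no expiry) that a reviewer most needs spelled out. I would expand them to `// Number of logins this SecretID permits; 0 means unlimited. Must not exceed the role's secret_id_num_uses.` and `// Lifetime of this SecretID in seconds; 0 means no expiry. Must not exceed the role's secret_id_ttl.` The zero semantics and the role-level caps follow the AppRole API as I understand it; confirm the provider's actual default against the schema before wording it as a default. The same wording should be carried to the state and args copies in the following hunks so the four comments do not drift.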
@@ -209,11 +217,15 @@ type AuthBackendRoleSecretIdState struct { // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). // *Available only for Vault Enterprise*. Namespace pulumi.StringPtrInput + // The number of uses for the secret-id. + NumUses pulumi.IntPtrInput // The name of the role to create the SecretID for. RoleName pulumi.StringPtrInput // The SecretID to be created. If set, uses "Push" // mode. Defaults to Vault auto-generating SecretIDs. SecretId pulumi.StringPtrInput + // The TTL duration of the SecretID. + Ttl pulumi.IntPtrInput // Set to `true` to use the wrapped secret-id accessor as the resource ID. // If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or // invalidated through unwrapping. @@ -248,11 +260,15 @@ type authBackendRoleSecretIdArgs struct { // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). // *Available only for Vault Enterprise*. Namespace *string `pulumi:"namespace"` + // The number of uses for the secret-id. + NumUses *int `pulumi:"numUses"` // The name of the role to create the SecretID for. RoleName string `pulumi:"roleName"` // The SecretID to be created. If set, uses "Push" // mode. Defaults to Vault auto-generating SecretIDs. SecretId *string `pulumi:"secretId"` + // The TTL duration of the SecretID. + Ttl *int `pulumi:"ttl"` // Set to `true` to use the wrapped secret-id accessor as the resource ID. // If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or // invalidated through unwrapping. 
@@ -279,11 +295,15 @@ type AuthBackendRoleSecretIdArgs struct { // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). // *Available only for Vault Enterprise*. Namespace pulumi.StringPtrInput + // The number of uses for the secret-id. + NumUses pulumi.IntPtrInput // The name of the role to create the SecretID for. RoleName pulumi.StringInput // The SecretID to be created. If set, uses "Push" // mode. Defaults to Vault auto-generating SecretIDs. SecretId pulumi.StringPtrInput + // The TTL duration of the SecretID. + Ttl pulumi.IntPtrInput // Set to `true` to use the wrapped secret-id accessor as the resource ID. // If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or // invalidated through unwrapping. @@ -412,6 +432,11 @@ func (o AuthBackendRoleSecretIdOutput) Namespace() pulumi.StringPtrOutput { return o.ApplyT(func(v *AuthBackendRoleSecretId) pulumi.StringPtrOutput { return v.Namespace }).(pulumi.StringPtrOutput) } +// The number of uses for the secret-id. +func (o AuthBackendRoleSecretIdOutput) NumUses() pulumi.IntPtrOutput { + return o.ApplyT(func(v *AuthBackendRoleSecretId) pulumi.IntPtrOutput { return v.NumUses }).(pulumi.IntPtrOutput) +} + // The name of the role to create the SecretID for. func (o AuthBackendRoleSecretIdOutput) RoleName() pulumi.StringOutput { return o.ApplyT(func(v *AuthBackendRoleSecretId) pulumi.StringOutput { return v.RoleName }).(pulumi.StringOutput) 
@@ -423,6 +448,11 @@ func (o AuthBackendRoleSecretIdOutput) SecretId() pulumi.StringOutput { return o.ApplyT(func(v *AuthBackendRoleSecretId) pulumi.StringOutput { return v.SecretId }).(pulumi.StringOutput) } +// The TTL duration of the SecretID. +func (o AuthBackendRoleSecretIdOutput) Ttl() pulumi.IntPtrOutput { + return o.ApplyT(func(v *AuthBackendRoleSecretId) pulumi.IntPtrOutput { return v.Ttl }).(pulumi.IntPtrOutput) +} + // Set to `true` to use the wrapped secret-id accessor as the resource ID. // If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or // invalidated through unwrapping. diff --git a/sdk/go/vault/database/pulumiTypes.go b/sdk/go/vault/database/pulumiTypes.go index d2616de5e..d5311aa67 100644 --- a/sdk/go/vault/database/pulumiTypes.go +++ b/sdk/go/vault/database/pulumiTypes.go @@ -30,6 +30,8 @@ type SecretBackendConnectionCassandra struct { Port *int `pulumi:"port"` // The CQL protocol version to use. ProtocolVersion *int `pulumi:"protocolVersion"` + // Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + SkipVerification *bool `pulumi:"skipVerification"` // Whether to use TLS when connecting to Cassandra. Tls *bool `pulumi:"tls"` // The username to use when authenticating with Cassandra. 
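Review bot: The `SkipVerification` comment in the SecretBackendConnectionCassandra struct hunk invites a dangerous misreading: in a connection block that also carries a `Tls` flag, a field named "skip verification" reads as "skip certificate verification", which is not what the description says it does. I would add one clarifying sentence to the comment: `// This only skips Vault's role-creation permission check at connection time; it does not relax TLS certificate verification.` It is also worth stating the cost, presumably that a connection with insufficient privileges is only discovered when the first role is created rather than when the connection is configured; hedge that until confirmed against the plugin behaviour.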
@@ -64,6 +66,8 @@ type SecretBackendConnectionCassandraArgs struct { Port pulumi.IntPtrInput `pulumi:"port"` // The CQL protocol version to use. ProtocolVersion pulumi.IntPtrInput `pulumi:"protocolVersion"` + // Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + SkipVerification pulumi.BoolPtrInput `pulumi:"skipVerification"` // Whether to use TLS when connecting to Cassandra. Tls pulumi.BoolPtrInput `pulumi:"tls"` // The username to use when authenticating with Cassandra. @@ -187,6 +191,11 @@ func (o SecretBackendConnectionCassandraOutput) ProtocolVersion() pulumi.IntPtrO return o.ApplyT(func(v SecretBackendConnectionCassandra) *int { return v.ProtocolVersion }).(pulumi.IntPtrOutput) } +// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. +func (o SecretBackendConnectionCassandraOutput) SkipVerification() pulumi.BoolPtrOutput { + return o.ApplyT(func(v SecretBackendConnectionCassandra) *bool { return v.SkipVerification }).(pulumi.BoolPtrOutput) +} + // Whether to use TLS when connecting to Cassandra. func (o SecretBackendConnectionCassandraOutput) Tls() pulumi.BoolPtrOutput { return o.ApplyT(func(v SecretBackendConnectionCassandra) *bool { return v.Tls }).(pulumi.BoolPtrOutput) 
@@ -301,6 +310,16 @@ func (o SecretBackendConnectionCassandraPtrOutput) ProtocolVersion() pulumi.IntP }).(pulumi.IntPtrOutput) } +// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. +func (o SecretBackendConnectionCassandraPtrOutput) SkipVerification() pulumi.BoolPtrOutput { + return o.ApplyT(func(v *SecretBackendConnectionCassandra) *bool { + if v == nil { + return nil + } + return v.SkipVerification + }).(pulumi.BoolPtrOutput) +} + // Whether to use TLS when connecting to Cassandra. func (o SecretBackendConnectionCassandraPtrOutput) Tls() pulumi.BoolPtrOutput { return o.ApplyT(func(v *SecretBackendConnectionCassandra) *bool { @@ -3785,8 +3804,16 @@ type SecretBackendConnectionPostgresql struct { MaxOpenConnections *int `pulumi:"maxOpenConnections"` // The root credential password used in the connection URL Password *string `pulumi:"password"` + // The secret key used for the x509 client certificate. Must be PEM encoded. + PrivateKey *string `pulumi:"privateKey"` + // If set, allows onboarding static roles with a rootless connection configuration. + SelfManaged *bool `pulumi:"selfManaged"` // A JSON encoded credential for use with IAM authorization ServiceAccountJson *string `pulumi:"serviceAccountJson"` + // The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + TlsCa *string `pulumi:"tlsCa"` + // The x509 client certificate for connecting to the database. Must be PEM encoded. + TlsCertificate *string `pulumi:"tlsCertificate"` // The root credential username used in the connection URL Username *string `pulumi:"username"` // Username generation template. 
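Review bot: The `TlsCa` comment in the SecretBackendConnectionPostgresql struct hunk describes the CA as validating the server certificate, but supplying a CA does not by itself turn validation on: for PostgreSQL the verification level is selected by `sslmode` in the connection URL, and with `sslmode=require` or lower the CA is not consulted, which leaves the connection open to interception with any certificate. I would extend the comment to `// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. Only enforced when the connection URL uses sslmode=verify-ca or verify-full.` The `PrivateKey` comment should also say the value is a secret, since the schema marks it `secret: true` but the Go comment gives no hint, e.g. `// ... Marked secret in the provider schema; keep it out of plain-text config.` Whether the plugin rewrites or validates sslmode itself is not visible here and should be confirmed.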
@@ -3819,8 +3846,16 @@ type SecretBackendConnectionPostgresqlArgs struct { MaxOpenConnections pulumi.IntPtrInput `pulumi:"maxOpenConnections"` // The root credential password used in the connection URL Password pulumi.StringPtrInput `pulumi:"password"` + // The secret key used for the x509 client certificate. Must be PEM encoded. + PrivateKey pulumi.StringPtrInput `pulumi:"privateKey"` + // If set, allows onboarding static roles with a rootless connection configuration. + SelfManaged pulumi.BoolPtrInput `pulumi:"selfManaged"` // A JSON encoded credential for use with IAM authorization ServiceAccountJson pulumi.StringPtrInput `pulumi:"serviceAccountJson"` + // The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + TlsCa pulumi.StringPtrInput `pulumi:"tlsCa"` + // The x509 client certificate for connecting to the database. Must be PEM encoded. + TlsCertificate pulumi.StringPtrInput `pulumi:"tlsCertificate"` // The root credential username used in the connection URL Username pulumi.StringPtrInput `pulumi:"username"` // Username generation template. 
@@ -3939,11 +3974,31 @@ func (o SecretBackendConnectionPostgresqlOutput) Password() pulumi.StringPtrOutp return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.Password }).(pulumi.StringPtrOutput) } +// The secret key used for the x509 client certificate. Must be PEM encoded. +func (o SecretBackendConnectionPostgresqlOutput) PrivateKey() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.PrivateKey }).(pulumi.StringPtrOutput) +} + +// If set, allows onboarding static roles with a rootless connection configuration. +func (o SecretBackendConnectionPostgresqlOutput) SelfManaged() pulumi.BoolPtrOutput { + return o.ApplyT(func(v SecretBackendConnectionPostgresql) *bool { return v.SelfManaged }).(pulumi.BoolPtrOutput) +} + // A JSON encoded credential for use with IAM authorization func (o SecretBackendConnectionPostgresqlOutput) ServiceAccountJson() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.ServiceAccountJson }).(pulumi.StringPtrOutput) } +// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. +func (o SecretBackendConnectionPostgresqlOutput) TlsCa() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.TlsCa }).(pulumi.StringPtrOutput) +} + +// The x509 client certificate for connecting to the database. Must be PEM encoded. +func (o SecretBackendConnectionPostgresqlOutput) TlsCertificate() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.TlsCertificate }).(pulumi.StringPtrOutput) +} + // The root credential username used in the connection URL func (o SecretBackendConnectionPostgresqlOutput) Username() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.Username }).(pulumi.StringPtrOutput) 
@@ -4048,6 +4103,26 @@ func (o SecretBackendConnectionPostgresqlPtrOutput) Password() pulumi.StringPtrO }).(pulumi.StringPtrOutput) } +// The secret key used for the x509 client certificate. Must be PEM encoded. +func (o SecretBackendConnectionPostgresqlPtrOutput) PrivateKey() pulumi.StringPtrOutput { + return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *string { + if v == nil { + return nil + } + return v.PrivateKey + }).(pulumi.StringPtrOutput) +} + +// If set, allows onboarding static roles with a rootless connection configuration. +func (o SecretBackendConnectionPostgresqlPtrOutput) SelfManaged() pulumi.BoolPtrOutput { + return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *bool { + if v == nil { + return nil + } + return v.SelfManaged + }).(pulumi.BoolPtrOutput) +} + // A JSON encoded credential for use with IAM authorization func (o SecretBackendConnectionPostgresqlPtrOutput) ServiceAccountJson() pulumi.StringPtrOutput { return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *string { 
@@ -4058,6 +4133,26 @@ func (o SecretBackendConnectionPostgresqlPtrOutput) ServiceAccountJson() pulumi. }).(pulumi.StringPtrOutput) } +// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. +func (o SecretBackendConnectionPostgresqlPtrOutput) TlsCa() pulumi.StringPtrOutput { + return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *string { + if v == nil { + return nil + } + return v.TlsCa + }).(pulumi.StringPtrOutput) +} + +// The x509 client certificate for connecting to the database. Must be PEM encoded. +func (o SecretBackendConnectionPostgresqlPtrOutput) TlsCertificate() pulumi.StringPtrOutput { + return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *string { + if v == nil { + return nil + } + return v.TlsCertificate + }).(pulumi.StringPtrOutput) +} + // The root credential username used in the connection URL func (o SecretBackendConnectionPostgresqlPtrOutput) Username() pulumi.StringPtrOutput { return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *string { @@ -5074,6 +5169,8 @@ type SecretsMountCassandra struct { ProtocolVersion *int `pulumi:"protocolVersion"` // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []string `pulumi:"rootRotationStatements"` + // Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + SkipVerification *bool `pulumi:"skipVerification"` // Whether to use TLS when connecting to Cassandra. Tls *bool `pulumi:"tls"` // The username to use when authenticating with Cassandra. 
@@ -5124,6 +5221,8 @@ type SecretsMountCassandraArgs struct { ProtocolVersion pulumi.IntPtrInput `pulumi:"protocolVersion"` // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements pulumi.StringArrayInput `pulumi:"rootRotationStatements"` + // Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + SkipVerification pulumi.BoolPtrInput `pulumi:"skipVerification"` // Whether to use TLS when connecting to Cassandra. Tls pulumi.BoolPtrInput `pulumi:"tls"` // The username to use when authenticating with Cassandra. @@ -5252,6 +5351,11 @@ func (o SecretsMountCassandraOutput) RootRotationStatements() pulumi.StringArray return o.ApplyT(func(v SecretsMountCassandra) []string { return v.RootRotationStatements }).(pulumi.StringArrayOutput) } +// Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. +func (o SecretsMountCassandraOutput) SkipVerification() pulumi.BoolPtrOutput { + return o.ApplyT(func(v SecretsMountCassandra) *bool { return v.SkipVerification }).(pulumi.BoolPtrOutput) +} + // Whether to use TLS when connecting to Cassandra. func (o SecretsMountCassandraOutput) Tls() pulumi.BoolPtrOutput { return o.ApplyT(func(v SecretsMountCassandra) *bool { return v.Tls }).(pulumi.BoolPtrOutput) 
@@ -8125,10 +8229,18 @@ type SecretsMountPostgresql struct { Password *string `pulumi:"password"` // Specifies the name of the plugin to use. PluginName *string `pulumi:"pluginName"` + // The secret key used for the x509 client certificate. Must be PEM encoded. + PrivateKey *string `pulumi:"privateKey"` // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []string `pulumi:"rootRotationStatements"` + // If set, allows onboarding static roles with a rootless connection configuration. + SelfManaged *bool `pulumi:"selfManaged"` // A JSON encoded credential for use with IAM authorization ServiceAccountJson *string `pulumi:"serviceAccountJson"` + // The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + TlsCa *string `pulumi:"tlsCa"` + // The x509 client certificate for connecting to the database. Must be PEM encoded. + TlsCertificate *string `pulumi:"tlsCertificate"` // The root credential username used in the connection URL Username *string `pulumi:"username"` // Username generation template. 
@@ -8175,10 +8287,18 @@ type SecretsMountPostgresqlArgs struct { Password pulumi.StringPtrInput `pulumi:"password"` // Specifies the name of the plugin to use. PluginName pulumi.StringPtrInput `pulumi:"pluginName"` + // The secret key used for the x509 client certificate. Must be PEM encoded. + PrivateKey pulumi.StringPtrInput `pulumi:"privateKey"` // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements pulumi.StringArrayInput `pulumi:"rootRotationStatements"` + // If set, allows onboarding static roles with a rootless connection configuration. + SelfManaged pulumi.BoolPtrInput `pulumi:"selfManaged"` // A JSON encoded credential for use with IAM authorization ServiceAccountJson pulumi.StringPtrInput `pulumi:"serviceAccountJson"` + // The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + TlsCa pulumi.StringPtrInput `pulumi:"tlsCa"` + // The x509 client certificate for connecting to the database. Must be PEM encoded. + TlsCertificate pulumi.StringPtrInput `pulumi:"tlsCertificate"` // The root credential username used in the connection URL Username pulumi.StringPtrInput `pulumi:"username"` // Username generation template. 
@@ -8297,16 +8417,36 @@ func (o SecretsMountPostgresqlOutput) PluginName() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.PluginName }).(pulumi.StringPtrOutput) } +// The secret key used for the x509 client certificate. Must be PEM encoded. +func (o SecretsMountPostgresqlOutput) PrivateKey() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.PrivateKey }).(pulumi.StringPtrOutput) +} + // A list of database statements to be executed to rotate the root user's credentials. func (o SecretsMountPostgresqlOutput) RootRotationStatements() pulumi.StringArrayOutput { return o.ApplyT(func(v SecretsMountPostgresql) []string { return v.RootRotationStatements }).(pulumi.StringArrayOutput) } +// If set, allows onboarding static roles with a rootless connection configuration. +func (o SecretsMountPostgresqlOutput) SelfManaged() pulumi.BoolPtrOutput { + return o.ApplyT(func(v SecretsMountPostgresql) *bool { return v.SelfManaged }).(pulumi.BoolPtrOutput) +} + // A JSON encoded credential for use with IAM authorization func (o SecretsMountPostgresqlOutput) ServiceAccountJson() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.ServiceAccountJson }).(pulumi.StringPtrOutput) } +// The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. +func (o SecretsMountPostgresqlOutput) TlsCa() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.TlsCa }).(pulumi.StringPtrOutput) +} + +// The x509 client certificate for connecting to the database. Must be PEM encoded. 
+func (o SecretsMountPostgresqlOutput) TlsCertificate() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.TlsCertificate }).(pulumi.StringPtrOutput) +} + // The root credential username used in the connection URL func (o SecretsMountPostgresqlOutput) Username() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.Username }).(pulumi.StringPtrOutput) diff --git a/sdk/go/vault/database/secretBackendStaticRole.go b/sdk/go/vault/database/secretBackendStaticRole.go index e1bfeb6f0..93dc4ea69 100644 --- a/sdk/go/vault/database/secretBackendStaticRole.go +++ b/sdk/go/vault/database/secretBackendStaticRole.go @@ -121,6 +121,10 @@ type SecretBackendStaticRole struct { // The amount of time, in seconds, in which rotations are allowed to occur starting // from a given `rotationSchedule`. RotationWindow pulumi.IntPtrOutput `pulumi:"rotationWindow"` + // The password corresponding to the username in the database. + // Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + // select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + SelfManagedPassword pulumi.StringPtrOutput `pulumi:"selfManagedPassword"` // The database username that this static role corresponds to. Username pulumi.StringOutput `pulumi:"username"` } @@ -141,6 +145,13 @@ func NewSecretBackendStaticRole(ctx *pulumi.Context, if args.Username == nil { return nil, errors.New("invalid value for required argument 'Username'") } + if args.SelfManagedPassword != nil { + args.SelfManagedPassword = pulumi.ToSecret(args.SelfManagedPassword).(pulumi.StringPtrInput) + } + secrets := pulumi.AdditionalSecretOutputs([]string{ + "selfManagedPassword", + }) + opts = append(opts, secrets) opts = internal.PkgResourceDefaultOpts(opts) var resource SecretBackendStaticRole err := ctx.RegisterResource("vault:database/secretBackendStaticRole:SecretBackendStaticRole", name, args, &resource, opts...) 
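Review bot: The secret handling added in NewSecretBackendStaticRole is the right call (`pulumi.ToSecret` plus `AdditionalSecretOutputs` for `selfManagedPassword`), but the field comment in the struct hunk above says nothing about lifecycle: in a rootless rotation workflow the value Pulumi holds is presumably the bootstrap password that Vault goes on to replace, so after the first rotation the state carries a stale credential that no longer matches the database and can mislead anyone who reads it from stack outputs. I would extend the comment with `// Bootstrap value only: once Vault rotates the password, the value kept in Pulumi state no longer matches the database; read current credentials from Vault, not from state.` Whether the provider refreshes or ignores this attribute on read is not visible here and should be confirmed against the resource's Read implementation.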
@@ -189,6 +200,10 @@ type secretBackendStaticRoleState struct { // The amount of time, in seconds, in which rotations are allowed to occur starting // from a given `rotationSchedule`. RotationWindow *int `pulumi:"rotationWindow"` + // The password corresponding to the username in the database. + // Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + // select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + SelfManagedPassword *string `pulumi:"selfManagedPassword"` // The database username that this static role corresponds to. Username *string `pulumi:"username"` } @@ -219,6 +234,10 @@ type SecretBackendStaticRoleState struct { // The amount of time, in seconds, in which rotations are allowed to occur starting // from a given `rotationSchedule`. RotationWindow pulumi.IntPtrInput + // The password corresponding to the username in the database. + // Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + // select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + SelfManagedPassword pulumi.StringPtrInput // The database username that this static role corresponds to. Username pulumi.StringPtrInput } @@ -253,6 +272,10 @@ type secretBackendStaticRoleArgs struct { // The amount of time, in seconds, in which rotations are allowed to occur starting // from a given `rotationSchedule`. RotationWindow *int `pulumi:"rotationWindow"` + // The password corresponding to the username in the database. + // Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + // select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + SelfManagedPassword *string `pulumi:"selfManagedPassword"` // The database username that this static role corresponds to. Username string `pulumi:"username"` } 
@@ -284,6 +307,10 @@ type SecretBackendStaticRoleArgs struct { // The amount of time, in seconds, in which rotations are allowed to occur starting // from a given `rotationSchedule`. RotationWindow pulumi.IntPtrInput + // The password corresponding to the username in the database. + // Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + // select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + SelfManagedPassword pulumi.StringPtrInput // The database username that this static role corresponds to. Username pulumi.StringInput } @@ -424,6 +451,13 @@ func (o SecretBackendStaticRoleOutput) RotationWindow() pulumi.IntPtrOutput { return o.ApplyT(func(v *SecretBackendStaticRole) pulumi.IntPtrOutput { return v.RotationWindow }).(pulumi.IntPtrOutput) } +// The password corresponding to the username in the database. +// Required when using the Rootless Password Rotation workflow for static roles. Only enabled for +// select DB engines (Postgres). Requires Vault 1.18+ Enterprise. +func (o SecretBackendStaticRoleOutput) SelfManagedPassword() pulumi.StringPtrOutput { + return o.ApplyT(func(v *SecretBackendStaticRole) pulumi.StringPtrOutput { return v.SelfManagedPassword }).(pulumi.StringPtrOutput) +} + // The database username that this static role corresponds to. func (o SecretBackendStaticRoleOutput) Username() pulumi.StringOutput { return o.ApplyT(func(v *SecretBackendStaticRole) pulumi.StringOutput { return v.Username }).(pulumi.StringOutput) diff --git a/sdk/go/vault/gcp/secretImpersonatedAccount.go b/sdk/go/vault/gcp/secretImpersonatedAccount.go index 38784f16a..f1021ea8c 100644 --- a/sdk/go/vault/gcp/secretImpersonatedAccount.go +++ b/sdk/go/vault/gcp/secretImpersonatedAccount.go 
@@ -91,6 +91,9 @@ type SecretImpersonatedAccount struct { ServiceAccountProject pulumi.StringOutput `pulumi:"serviceAccountProject"` // List of OAuth scopes to assign to access tokens generated under this impersonated account. TokenScopes pulumi.StringArrayOutput `pulumi:"tokenScopes"` + // Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + Ttl pulumi.StringOutput `pulumi:"ttl"` } // NewSecretImpersonatedAccount registers a new resource with the given unique name, arguments, and options. @@ -144,6 +147,9 @@ type secretImpersonatedAccountState struct { ServiceAccountProject *string `pulumi:"serviceAccountProject"` // List of OAuth scopes to assign to access tokens generated under this impersonated account. TokenScopes []string `pulumi:"tokenScopes"` + // Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + Ttl *string `pulumi:"ttl"` } type SecretImpersonatedAccountState struct { @@ -159,6 +165,9 @@ type SecretImpersonatedAccountState struct { ServiceAccountProject pulumi.StringPtrInput // List of OAuth scopes to assign to access tokens generated under this impersonated account. TokenScopes pulumi.StringArrayInput + // Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + Ttl pulumi.StringPtrInput } func (SecretImpersonatedAccountState) ElementType() reflect.Type { 
@@ -176,6 +185,9 @@ type secretImpersonatedAccountArgs struct { ServiceAccountEmail string `pulumi:"serviceAccountEmail"` // List of OAuth scopes to assign to access tokens generated under this impersonated account. TokenScopes []string `pulumi:"tokenScopes"` + // Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + Ttl *string `pulumi:"ttl"` } // The set of arguments for constructing a SecretImpersonatedAccount resource. @@ -190,6 +202,9 @@ type SecretImpersonatedAccountArgs struct { ServiceAccountEmail pulumi.StringInput // List of OAuth scopes to assign to access tokens generated under this impersonated account. TokenScopes pulumi.StringArrayInput + // Specifies the default TTL for service principals generated using this role. + // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + Ttl pulumi.StringPtrInput } func (SecretImpersonatedAccountArgs) ElementType() reflect.Type { @@ -309,6 +324,12 @@ func (o SecretImpersonatedAccountOutput) TokenScopes() pulumi.StringArrayOutput return o.ApplyT(func(v *SecretImpersonatedAccount) pulumi.StringArrayOutput { return v.TokenScopes }).(pulumi.StringArrayOutput) } +// Specifies the default TTL for service principals generated using this role. +// Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. +func (o SecretImpersonatedAccountOutput) Ttl() pulumi.StringOutput { + return o.ApplyT(func(v *SecretImpersonatedAccount) pulumi.StringOutput { return v.Ttl }).(pulumi.StringOutput) +} + type SecretImpersonatedAccountArrayOutput struct{ *pulumi.OutputState } func (SecretImpersonatedAccountArrayOutput) ElementType() reflect.Type { 
diff --git a/sdk/go/vault/kubernetes/authBackendConfig.go b/sdk/go/vault/kubernetes/authBackendConfig.go index 7823f6b1f..054bf5208 100644 --- a/sdk/go/vault/kubernetes/authBackendConfig.go +++ b/sdk/go/vault/kubernetes/authBackendConfig.go @@ -85,6 +85,8 @@ type AuthBackendConfig struct { PemKeys pulumi.StringArrayOutput `pulumi:"pemKeys"` // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. TokenReviewerJwt pulumi.StringPtrOutput `pulumi:"tokenReviewerJwt"` + // Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata pulumi.BoolOutput `pulumi:"useAnnotationsAsAliasMetadata"` } // NewAuthBackendConfig registers a new resource with the given unique name, arguments, and options. @@ -148,6 +150,8 @@ type authBackendConfigState struct { PemKeys []string `pulumi:"pemKeys"` // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. TokenReviewerJwt *string `pulumi:"tokenReviewerJwt"` + // Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata *bool `pulumi:"useAnnotationsAsAliasMetadata"` } type AuthBackendConfigState struct { 
@@ -172,6 +176,8 @@ type AuthBackendConfigState struct { PemKeys pulumi.StringArrayInput // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. TokenReviewerJwt pulumi.StringPtrInput + // Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata pulumi.BoolPtrInput } func (AuthBackendConfigState) ElementType() reflect.Type { @@ -200,6 +206,8 @@ type authBackendConfigArgs struct { PemKeys []string `pulumi:"pemKeys"` // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. TokenReviewerJwt *string `pulumi:"tokenReviewerJwt"` + // Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata *bool `pulumi:"useAnnotationsAsAliasMetadata"` } // The set of arguments for constructing a AuthBackendConfig resource. @@ -225,6 +233,8 @@ type AuthBackendConfigArgs struct { PemKeys pulumi.StringArrayInput // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. TokenReviewerJwt pulumi.StringPtrInput + // Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata pulumi.BoolPtrInput } func (AuthBackendConfigArgs) ElementType() reflect.Type { 
@@ -362,6 +372,11 @@ func (o AuthBackendConfigOutput) TokenReviewerJwt() pulumi.StringPtrOutput { return o.ApplyT(func(v *AuthBackendConfig) pulumi.StringPtrOutput { return v.TokenReviewerJwt }).(pulumi.StringPtrOutput) } +// Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` +func (o AuthBackendConfigOutput) UseAnnotationsAsAliasMetadata() pulumi.BoolOutput { + return o.ApplyT(func(v *AuthBackendConfig) pulumi.BoolOutput { return v.UseAnnotationsAsAliasMetadata }).(pulumi.BoolOutput) +} + type AuthBackendConfigArrayOutput struct{ *pulumi.OutputState } func (AuthBackendConfigArrayOutput) ElementType() reflect.Type { diff --git a/sdk/go/vault/kubernetes/getAuthBackendConfig.go b/sdk/go/vault/kubernetes/getAuthBackendConfig.go index 8956cac4e..1bef76ac9 100644 --- a/sdk/go/vault/kubernetes/getAuthBackendConfig.go +++ b/sdk/go/vault/kubernetes/getAuthBackendConfig.go 
@@ -28,9 +28,11 @@ func LookupAuthBackendConfig(ctx *pulumi.Context, args *LookupAuthBackendConfigA type LookupAuthBackendConfigArgs struct { // The unique name for the Kubernetes backend the config to // retrieve Role attributes for resides in. Defaults to "kubernetes". - Backend *string `pulumi:"backend"` - DisableIssValidation *bool `pulumi:"disableIssValidation"` - DisableLocalCaJwt *bool `pulumi:"disableLocalCaJwt"` + Backend *string `pulumi:"backend"` + // (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + DisableIssValidation *bool `pulumi:"disableIssValidation"` + // (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + DisableLocalCaJwt *bool `pulumi:"disableLocalCaJwt"` // Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. Issuer *string `pulumi:"issuer"` // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. 
@@ -44,13 +46,17 @@ type LookupAuthBackendConfigArgs struct { Namespace *string `pulumi:"namespace"` // Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. PemKeys []string `pulumi:"pemKeys"` + // (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata *bool `pulumi:"useAnnotationsAsAliasMetadata"` } // A collection of values returned by getAuthBackendConfig. type LookupAuthBackendConfigResult struct { - Backend *string `pulumi:"backend"` - DisableIssValidation bool `pulumi:"disableIssValidation"` - DisableLocalCaJwt bool `pulumi:"disableLocalCaJwt"` + Backend *string `pulumi:"backend"` + // (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + DisableIssValidation bool `pulumi:"disableIssValidation"` + // (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + DisableLocalCaJwt bool `pulumi:"disableLocalCaJwt"` // The provider-assigned unique ID for this managed resource. Id string `pulumi:"id"` // Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. 
@@ -62,6 +68,8 @@ type LookupAuthBackendConfigResult struct { Namespace *string `pulumi:"namespace"` // Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. PemKeys []string `pulumi:"pemKeys"` + // (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata bool `pulumi:"useAnnotationsAsAliasMetadata"` } func LookupAuthBackendConfigOutput(ctx *pulumi.Context, args LookupAuthBackendConfigOutputArgs, opts ...pulumi.InvokeOption) LookupAuthBackendConfigResultOutput { 
@@ -87,9 +95,11 @@ func LookupAuthBackendConfigOutput(ctx *pulumi.Context, args LookupAuthBackendCo type LookupAuthBackendConfigOutputArgs struct { // The unique name for the Kubernetes backend the config to // retrieve Role attributes for resides in. Defaults to "kubernetes". - Backend pulumi.StringPtrInput `pulumi:"backend"` - DisableIssValidation pulumi.BoolPtrInput `pulumi:"disableIssValidation"` - DisableLocalCaJwt pulumi.BoolPtrInput `pulumi:"disableLocalCaJwt"` + Backend pulumi.StringPtrInput `pulumi:"backend"` + // (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + DisableIssValidation pulumi.BoolPtrInput `pulumi:"disableIssValidation"` + // (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + DisableLocalCaJwt pulumi.BoolPtrInput `pulumi:"disableLocalCaJwt"` // Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. Issuer pulumi.StringPtrInput `pulumi:"issuer"` // PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. 
@@ -103,6 +113,8 @@ type LookupAuthBackendConfigOutputArgs struct { Namespace pulumi.StringPtrInput `pulumi:"namespace"` // Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. PemKeys pulumi.StringArrayInput `pulumi:"pemKeys"` + // (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + UseAnnotationsAsAliasMetadata pulumi.BoolPtrInput `pulumi:"useAnnotationsAsAliasMetadata"` } func (LookupAuthBackendConfigOutputArgs) ElementType() reflect.Type { @@ -128,10 +140,12 @@ func (o LookupAuthBackendConfigResultOutput) Backend() pulumi.StringPtrOutput { return o.ApplyT(func(v LookupAuthBackendConfigResult) *string { return v.Backend }).(pulumi.StringPtrOutput) } +// (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` func (o LookupAuthBackendConfigResultOutput) DisableIssValidation() pulumi.BoolOutput { return o.ApplyT(func(v LookupAuthBackendConfigResult) bool { return v.DisableIssValidation }).(pulumi.BoolOutput) } +// (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` func (o LookupAuthBackendConfigResultOutput) DisableLocalCaJwt() pulumi.BoolOutput { return o.ApplyT(func(v LookupAuthBackendConfigResult) bool { return v.DisableLocalCaJwt }).(pulumi.BoolOutput) } 
@@ -165,6 +179,11 @@ func (o LookupAuthBackendConfigResultOutput) PemKeys() pulumi.StringArrayOutput return o.ApplyT(func(v LookupAuthBackendConfigResult) []string { return v.PemKeys }).(pulumi.StringArrayOutput) } +// (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` +func (o LookupAuthBackendConfigResultOutput) UseAnnotationsAsAliasMetadata() pulumi.BoolOutput { + return o.ApplyT(func(v LookupAuthBackendConfigResult) bool { return v.UseAnnotationsAsAliasMetadata }).(pulumi.BoolOutput) +} + func init() { pulumi.RegisterOutputType(LookupAuthBackendConfigResultOutput{}) } diff --git a/sdk/go/vault/kv/getSecretV2.go b/sdk/go/vault/kv/getSecretV2.go index e9ee4d7a6..149ec4c77 100644 --- a/sdk/go/vault/kv/getSecretV2.go +++ b/sdk/go/vault/kv/getSecretV2.go @@ -50,7 +50,6 @@ import ( // exampleSecretV2, err := kv.NewSecretV2(ctx, "example", &kv.SecretV2Args{ // Mount: kvv2.Path, // Name: pulumi.String("secret"), -// Cas: pulumi.Int(1), // DeleteAllVersions: pulumi.Bool(true), // DataJson: pulumi.String(json0), // }) diff --git a/sdk/go/vault/ldap/authBackend.go b/sdk/go/vault/ldap/authBackend.go index 5367096d4..6efdbc236 100644 --- a/sdk/go/vault/ldap/authBackend.go +++ b/sdk/go/vault/ldap/authBackend.go @@ -69,6 +69,8 @@ type AuthBackend struct { Certificate pulumi.StringOutput `pulumi:"certificate"` ClientTlsCert pulumi.StringOutput `pulumi:"clientTlsCert"` ClientTlsKey pulumi.StringOutput `pulumi:"clientTlsKey"` + // Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + ConnectionTimeout pulumi.IntOutput `pulumi:"connectionTimeout"` // Prevents users from bypassing authentication when providing an empty password. DenyNullBind pulumi.BoolOutput `pulumi:"denyNullBind"` // Description for the LDAP auth backend mount 
@@ -194,6 +196,8 @@ type authBackendState struct { Certificate *string `pulumi:"certificate"` ClientTlsCert *string `pulumi:"clientTlsCert"` ClientTlsKey *string `pulumi:"clientTlsKey"` + // Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + ConnectionTimeout *int `pulumi:"connectionTimeout"` // Prevents users from bypassing authentication when providing an empty password. DenyNullBind *bool `pulumi:"denyNullBind"` // Description for the LDAP auth backend mount @@ -276,6 +280,8 @@ type AuthBackendState struct { Certificate pulumi.StringPtrInput ClientTlsCert pulumi.StringPtrInput ClientTlsKey pulumi.StringPtrInput + // Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + ConnectionTimeout pulumi.IntPtrInput // Prevents users from bypassing authentication when providing an empty password. DenyNullBind pulumi.BoolPtrInput // Description for the LDAP auth backend mount @@ -360,6 +366,8 @@ type authBackendArgs struct { Certificate *string `pulumi:"certificate"` ClientTlsCert *string `pulumi:"clientTlsCert"` ClientTlsKey *string `pulumi:"clientTlsKey"` + // Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + ConnectionTimeout *int `pulumi:"connectionTimeout"` // Prevents users from bypassing authentication when providing an empty password. DenyNullBind *bool `pulumi:"denyNullBind"` // Description for the LDAP auth backend mount 
@@ -441,6 +449,8 @@ type AuthBackendArgs struct { Certificate pulumi.StringPtrInput ClientTlsCert pulumi.StringPtrInput ClientTlsKey pulumi.StringPtrInput + // Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + ConnectionTimeout pulumi.IntPtrInput // Prevents users from bypassing authentication when providing an empty password. DenyNullBind pulumi.BoolPtrInput // Description for the LDAP auth backend mount @@ -630,6 +640,11 @@ func (o AuthBackendOutput) ClientTlsKey() pulumi.StringOutput { return o.ApplyT(func(v *AuthBackend) pulumi.StringOutput { return v.ClientTlsKey }).(pulumi.StringOutput) } +// Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) +func (o AuthBackendOutput) ConnectionTimeout() pulumi.IntOutput { + return o.ApplyT(func(v *AuthBackend) pulumi.IntOutput { return v.ConnectionTimeout }).(pulumi.IntOutput) +} + // Prevents users from bypassing authentication when providing an empty password. func (o AuthBackendOutput) DenyNullBind() pulumi.BoolOutput { return o.ApplyT(func(v *AuthBackend) pulumi.BoolOutput { return v.DenyNullBind }).(pulumi.BoolOutput) diff --git a/sdk/go/vault/ssh/secretBackendRole.go b/sdk/go/vault/ssh/secretBackendRole.go index 60ca9b763..e6fd29f69 100644 --- a/sdk/go/vault/ssh/secretBackendRole.go +++ b/sdk/go/vault/ssh/secretBackendRole.go 
@@ -75,7 +75,8 @@ type SecretBackendRole struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner pulumi.StringOutput `pulumi:"algorithmSigner"` // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains pulumi.BoolPtrOutput `pulumi:"allowBareDomains"` + AllowBareDomains pulumi.BoolPtrOutput `pulumi:"allowBareDomains"` + AllowEmptyPrincipals pulumi.BoolPtrOutput `pulumi:"allowEmptyPrincipals"` // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates pulumi.BoolPtrOutput `pulumi:"allowHostCertificates"` // Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowedDomains`. @@ -171,7 +172,8 @@ type secretBackendRoleState struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner *string `pulumi:"algorithmSigner"` // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains *bool `pulumi:"allowBareDomains"` + AllowBareDomains *bool `pulumi:"allowBareDomains"` + AllowEmptyPrincipals *bool `pulumi:"allowEmptyPrincipals"` // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates *bool `pulumi:"allowHostCertificates"` // Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowedDomains`. 
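Review bot: `AllowEmptyPrincipals` is added to `SecretBackendRole` and `secretBackendRoleState` with no doc comment, while every neighbouring field carries one, so an SDK user gets no hint of what enabling it permits; the same gap repeats in the State/Args struct hunks and the `AllowEmptyPrincipals()` accessor hunk later in this file. Judging by the name it presumably controls whether the role may sign SSH certificates that carry no principals, which is a security-relevant relaxation worth stating explicitly, e.g. `// Specifies whether certificates may be signed with an empty list of valid principals.` (wording to be confirmed against the provider docs). Since this file is generated, the description should be added to the property in the provider schema rather than edited here.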
@@ -232,7 +234,8 @@ type SecretBackendRoleState struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner pulumi.StringPtrInput // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains pulumi.BoolPtrInput + AllowBareDomains pulumi.BoolPtrInput + AllowEmptyPrincipals pulumi.BoolPtrInput // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates pulumi.BoolPtrInput // Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowedDomains`. @@ -297,7 +300,8 @@ type secretBackendRoleArgs struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner *string `pulumi:"algorithmSigner"` // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains *bool `pulumi:"allowBareDomains"` + AllowBareDomains *bool `pulumi:"allowBareDomains"` + AllowEmptyPrincipals *bool `pulumi:"allowEmptyPrincipals"` // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates *bool `pulumi:"allowHostCertificates"` // Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowedDomains`. 
@@ -359,7 +363,8 @@ type SecretBackendRoleArgs struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner pulumi.StringPtrInput // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains pulumi.BoolPtrInput + AllowBareDomains pulumi.BoolPtrInput + AllowEmptyPrincipals pulumi.BoolPtrInput // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates pulumi.BoolPtrInput // Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowedDomains`. @@ -513,6 +518,10 @@ func (o SecretBackendRoleOutput) AllowBareDomains() pulumi.BoolPtrOutput { return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowBareDomains }).(pulumi.BoolPtrOutput) } +func (o SecretBackendRoleOutput) AllowEmptyPrincipals() pulumi.BoolPtrOutput { + return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowEmptyPrincipals }).(pulumi.BoolPtrOutput) +} + // Specifies if certificates are allowed to be signed for use as a 'host'. func (o SecretBackendRoleOutput) AllowHostCertificates() pulumi.BoolPtrOutput { return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowHostCertificates }).(pulumi.BoolPtrOutput) diff --git a/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretId.java b/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretId.java index abbcaf201..c097996aa 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretId.java +++ b/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretId.java 
@@ -12,6 +12,7 @@ import com.pulumi.vault.appRole.AuthBackendRoleSecretIdArgs; import com.pulumi.vault.appRole.inputs.AuthBackendRoleSecretIdState; import java.lang.Boolean; +import java.lang.Integer; import java.lang.String; import java.util.List; import java.util.Optional; @@ -163,6 +164,20 @@ public Output> metadata() { public Output> namespace() { return Codegen.optional(this.namespace); } + /** + * The number of uses for the secret-id. + * + */ + @Export(name="numUses", refs={Integer.class}, tree="[0]") + private Output numUses; + + /** + * @return The number of uses for the secret-id. + * + */ + public Output> numUses() { + return Codegen.optional(this.numUses); + } /** * The name of the role to create the SecretID for. * @@ -193,6 +208,20 @@ public Output roleName() { public Output secretId() { return this.secretId; } + /** + * The TTL duration of the SecretID. + * + */ + @Export(name="ttl", refs={Integer.class}, tree="[0]") + private Output ttl; + + /** + * @return The TTL duration of the SecretID. + * + */ + public Output> ttl() { + return Codegen.optional(this.ttl); + } /** * Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or diff --git a/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretIdArgs.java b/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretIdArgs.java index bee06a1c5..7914a6cbc 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretIdArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/appRole/AuthBackendRoleSecretIdArgs.java @@ -7,6 +7,7 @@ import com.pulumi.core.annotations.Import; import com.pulumi.exceptions.MissingRequiredPropertyException; import java.lang.Boolean; +import java.lang.Integer; import java.lang.String; import java.util.List; import java.util.Objects; 
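Review bot: The new `ttl` export is typed `Integer` but documented only as "The TTL duration of the SecretID.", so the unit is left unstated, and `numUses` does not say what a value of 0 means; the same javadoc text is repeated in the `AuthBackendRoleSecretIdArgs` and `AuthBackendRoleSecretIdState` hunks that follow. Suggest `* The TTL duration of the SecretID, in seconds.` and `* The number of uses allowed for the secret-id (presumably 0 means unlimited, as for the role-level setting — confirm).` As these are generated files, the wording belongs in the schema descriptions so all three classes stay in sync.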
@@ -88,6 +89,21 @@ public Optional> namespace() { return Optional.ofNullable(this.namespace); } + /** + * The number of uses for the secret-id. + * + */ + @Import(name="numUses") + private @Nullable Output numUses; + + /** + * @return The number of uses for the secret-id. + * + */ + public Optional> numUses() { + return Optional.ofNullable(this.numUses); + } + /** * The name of the role to create the SecretID for. * @@ -120,6 +136,21 @@ public Optional> secretId() { return Optional.ofNullable(this.secretId); } + /** + * The TTL duration of the SecretID. + * + */ + @Import(name="ttl") + private @Nullable Output ttl; + + /** + * @return The TTL duration of the SecretID. + * + */ + public Optional> ttl() { + return Optional.ofNullable(this.ttl); + } + /** * Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or @@ -167,8 +198,10 @@ private AuthBackendRoleSecretIdArgs(AuthBackendRoleSecretIdArgs $) { this.cidrLists = $.cidrLists; this.metadata = $.metadata; this.namespace = $.namespace; + this.numUses = $.numUses; this.roleName = $.roleName; this.secretId = $.secretId; + this.ttl = $.ttl; this.withWrappedAccessor = $.withWrappedAccessor; this.wrappingTtl = $.wrappingTtl; } @@ -296,6 +329,27 @@ public Builder namespace(String namespace) { return namespace(Output.of(namespace)); } + /** + * @param numUses The number of uses for the secret-id. + * + * @return builder + * + */ + public Builder numUses(@Nullable Output numUses) { + $.numUses = numUses; + return this; + } + + /** + * @param numUses The number of uses for the secret-id. + * + * @return builder + * + */ + public Builder numUses(Integer numUses) { + return numUses(Output.of(numUses)); + } + /** * @param roleName The name of the role to create the SecretID for. * 
@@ -340,6 +394,27 @@ public Builder secretId(String secretId) { return secretId(Output.of(secretId)); } + /** + * @param ttl The TTL duration of the SecretID. + * + * @return builder + * + */ + public Builder ttl(@Nullable Output ttl) { + $.ttl = ttl; + return this; + } + + /** + * @param ttl The TTL duration of the SecretID. + * + * @return builder + * + */ + public Builder ttl(Integer ttl) { + return ttl(Output.of(ttl)); + } + /** * @param withWrappedAccessor Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or diff --git a/sdk/java/src/main/java/com/pulumi/vault/appRole/inputs/AuthBackendRoleSecretIdState.java b/sdk/java/src/main/java/com/pulumi/vault/appRole/inputs/AuthBackendRoleSecretIdState.java index 6bfa31555..42f276a40 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/appRole/inputs/AuthBackendRoleSecretIdState.java +++ b/sdk/java/src/main/java/com/pulumi/vault/appRole/inputs/AuthBackendRoleSecretIdState.java @@ -6,6 +6,7 @@ import com.pulumi.core.Output; import com.pulumi.core.annotations.Import; import java.lang.Boolean; +import java.lang.Integer; import java.lang.String; import java.util.List; import java.util.Objects; @@ -102,6 +103,21 @@ public Optional> namespace() { return Optional.ofNullable(this.namespace); } + /** + * The number of uses for the secret-id. + * + */ + @Import(name="numUses") + private @Nullable Output numUses; + + /** + * @return The number of uses for the secret-id. + * + */ + public Optional> numUses() { + return Optional.ofNullable(this.numUses); + } + /** * The name of the role to create the SecretID for. * 
@@ -134,6 +150,21 @@ public Optional> secretId() { return Optional.ofNullable(this.secretId); } + /** + * The TTL duration of the SecretID. + * + */ + @Import(name="ttl") + private @Nullable Output ttl; + + /** + * @return The TTL duration of the SecretID. + * + */ + public Optional> ttl() { + return Optional.ofNullable(this.ttl); + } + /** * Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or @@ -214,8 +245,10 @@ private AuthBackendRoleSecretIdState(AuthBackendRoleSecretIdState $) { this.cidrLists = $.cidrLists; this.metadata = $.metadata; this.namespace = $.namespace; + this.numUses = $.numUses; this.roleName = $.roleName; this.secretId = $.secretId; + this.ttl = $.ttl; this.withWrappedAccessor = $.withWrappedAccessor; this.wrappingAccessor = $.wrappingAccessor; this.wrappingToken = $.wrappingToken; @@ -366,6 +399,27 @@ public Builder namespace(String namespace) { return namespace(Output.of(namespace)); } + /** + * @param numUses The number of uses for the secret-id. + * + * @return builder + * + */ + public Builder numUses(@Nullable Output numUses) { + $.numUses = numUses; + return this; + } + + /** + * @param numUses The number of uses for the secret-id. + * + * @return builder + * + */ + public Builder numUses(Integer numUses) { + return numUses(Output.of(numUses)); + } + /** * @param roleName The name of the role to create the SecretID for. * 
@@ -410,6 +464,27 @@ public Builder secretId(String secretId) { return secretId(Output.of(secretId)); } + /** + * @param ttl The TTL duration of the SecretID. + * + * @return builder + * + */ + public Builder ttl(@Nullable Output ttl) { + $.ttl = ttl; + return this; + } + + /** + * @param ttl The TTL duration of the SecretID. + * + * @return builder + * + */ + public Builder ttl(Integer ttl) { + return ttl(Output.of(ttl)); + } + /** * @param withWrappedAccessor Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRole.java b/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRole.java index dc376a63c..e0b7b0fb4 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRole.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRole.java @@ -233,6 +233,24 @@ public Output>> rotationStatements() { public Output> rotationWindow() { return Codegen.optional(this.rotationWindow); } + /** + * The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + */ + @Export(name="selfManagedPassword", refs={String.class}, tree="[0]") + private Output selfManagedPassword; + + /** + * @return The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + */ + public Output> selfManagedPassword() { + return Codegen.optional(this.selfManagedPassword); + } /** * The database username that this static role corresponds to. * 
@@ -287,6 +305,9 @@ private static SecretBackendStaticRoleArgs makeArgs(SecretBackendStaticRoleArgs private static com.pulumi.resources.CustomResourceOptions makeResourceOptions(@Nullable com.pulumi.resources.CustomResourceOptions options, @Nullable Output id) { var defaultOptions = com.pulumi.resources.CustomResourceOptions.builder() .version(Utilities.getVersion()) + .additionalSecretOutputs(List.of( + "selfManagedPassword" + )) .build(); return com.pulumi.resources.CustomResourceOptions.merge(defaultOptions, options, id); } diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRoleArgs.java b/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRoleArgs.java index b985d440b..eee792838 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRoleArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/SecretBackendStaticRoleArgs.java @@ -156,6 +156,25 @@ public Optional> rotationWindow() { return Optional.ofNullable(this.rotationWindow); } + /** + * The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + */ + @Import(name="selfManagedPassword") + private @Nullable Output selfManagedPassword; + + /** + * @return The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + */ + public Optional> selfManagedPassword() { + return Optional.ofNullable(this.selfManagedPassword); + } + /** * The database username that this static role corresponds to. * 
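Review bot: The `selfManagedPassword(String)` builder overload added in the SecretBackendStaticRoleArgs hunk takes a database password as a plain string, and its Javadoc says nothing about how the value is stored; the `additionalSecretOutputs(List.of("selfManagedPassword"))` added to makeResourceOptions in the first hunk protects the output side only, not an input supplied in the clear. Unless the provider schema already marks the input secret (not visible here), the Javadoc should tell callers to pass the value wrapped, e.g. `Use Output.ofSecret(...) so the password is not persisted in plaintext state.` The same applies to the selfManagedPassword overloads in the SecretBackendStaticRoleState hunks at lines 85-86. The enclosing classes start outside these hunks.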
@@ -182,6 +201,7 @@ private SecretBackendStaticRoleArgs(SecretBackendStaticRoleArgs $) { this.rotationSchedule = $.rotationSchedule; this.rotationStatements = $.rotationStatements; this.rotationWindow = $.rotationWindow; + this.selfManagedPassword = $.selfManagedPassword; this.username = $.username; } @@ -399,6 +419,31 @@ public Builder rotationWindow(Integer rotationWindow) { return rotationWindow(Output.of(rotationWindow)); } + /** + * @param selfManagedPassword The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + * @return builder + * + */ + public Builder selfManagedPassword(@Nullable Output selfManagedPassword) { + $.selfManagedPassword = selfManagedPassword; + return this; + } + + /** + * @param selfManagedPassword The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + * @return builder + * + */ + public Builder selfManagedPassword(String selfManagedPassword) { + return selfManagedPassword(Output.of(selfManagedPassword)); + } + /** * @param username The database username that this static role corresponds to. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionCassandraArgs.java b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionCassandraArgs.java index 99ab3cace..59b4286e6 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionCassandraArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionCassandraArgs.java 
@@ -138,6 +138,21 @@ public Optional> protocolVersion() { return Optional.ofNullable(this.protocolVersion); } + /** + * Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + @Import(name="skipVerification") + private @Nullable Output skipVerification; + + /** + * @return Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + public Optional> skipVerification() { + return Optional.ofNullable(this.skipVerification); + } + /** * Whether to use TLS when connecting to Cassandra. * @@ -179,6 +194,7 @@ private SecretBackendConnectionCassandraArgs(SecretBackendConnectionCassandraArg this.pemJson = $.pemJson; this.port = $.port; this.protocolVersion = $.protocolVersion; + this.skipVerification = $.skipVerification; this.tls = $.tls; this.username = $.username; } 
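Review bot: The Javadoc for `skipVerification` explains the performance motivation but not the cost of enabling it: the checks it skips are the ones that confirm Vault can create roles, so a connection configured with insufficient permissions is accepted at creation time and the failure surfaces only when a role is first created or rotated. A short sentence on the field and builder docs would make that trade-off explicit, e.g. `When enabled, a connection with insufficient permissions is accepted and the error surfaces on first role creation or rotation.` The same Javadoc is repeated in the SecretsMountCassandraArgs hunks at lines 87-88 and the output types at lines 92 and 96, so the wording should be changed in the schema description they are generated from. The enclosing class starts outside this hunk.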
@@ -379,6 +395,27 @@ public Builder protocolVersion(Integer protocolVersion) { return protocolVersion(Output.of(protocolVersion)); } + /** + * @param skipVerification Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + * @return builder + * + */ + public Builder skipVerification(@Nullable Output skipVerification) { + $.skipVerification = skipVerification; + return this; + } + + /** + * @param skipVerification Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + * @return builder + * + */ + public Builder skipVerification(Boolean skipVerification) { + return skipVerification(Output.of(skipVerification)); + } + /** * @param tls Whether to use TLS when connecting to Cassandra. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java index 34261dc8f..ae4feea5b 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java 
@@ -122,6 +122,36 @@ public Optional> password() { return Optional.ofNullable(this.password); } + /** + * The secret key used for the x509 client certificate. Must be PEM encoded. + * + */ + @Import(name="privateKey") + private @Nullable Output privateKey; + + /** + * @return The secret key used for the x509 client certificate. Must be PEM encoded. + * + */ + public Optional> privateKey() { + return Optional.ofNullable(this.privateKey); + } + + /** + * If set, allows onboarding static roles with a rootless connection configuration. + * + */ + @Import(name="selfManaged") + private @Nullable Output selfManaged; + + /** + * @return If set, allows onboarding static roles with a rootless connection configuration. + * + */ + public Optional> selfManaged() { + return Optional.ofNullable(this.selfManaged); + } + /** * A JSON encoded credential for use with IAM authorization * @@ -137,6 +167,36 @@ public Optional> serviceAccountJson() { return Optional.ofNullable(this.serviceAccountJson); } + /** + * The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + */ + @Import(name="tlsCa") + private @Nullable Output tlsCa; + + /** + * @return The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + */ + public Optional> tlsCa() { + return Optional.ofNullable(this.tlsCa); + } + + /** + * The x509 client certificate for connecting to the database. Must be PEM encoded. + * + */ + @Import(name="tlsCertificate") + private @Nullable Output tlsCertificate; + + /** + * @return The x509 client certificate for connecting to the database. Must be PEM encoded. + * + */ + public Optional> tlsCertificate() { + return Optional.ofNullable(this.tlsCertificate); + } + /** * The root credential username used in the connection URL * 
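Review bot: The `privateKey` Javadoc calls the value a "secret key" but gives Java callers no indication that it is handled as a secret, and the `privateKey(String)` overload in the hunk at line 83 accepts the PEM key as a plain string; if the provider schema does not mark this nested input secret (not visible here), the doc should say `Pass via Output.ofSecret(...) to keep the key out of plaintext state.` The `tlsCa` Javadoc reads as if it names a file ("The x509 CA file") while the field is the PEM-encoded content, so `The PEM-encoded x509 CA certificate used to validate the PostgreSQL server certificate (contents, not a path).` would be clearer — presumably, since the "Must be PEM encoded" wording points at content. The same fields and wording are repeated in the SecretsMountPostgresqlArgs hunks at lines 88-91 and the output types at lines 93-95 and 98-99. The enclosing class starts outside this hunk.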
@@ -177,7 +237,11 @@ private SecretBackendConnectionPostgresqlArgs(SecretBackendConnectionPostgresqlA this.maxIdleConnections = $.maxIdleConnections; this.maxOpenConnections = $.maxOpenConnections; this.password = $.password; + this.privateKey = $.privateKey; + this.selfManaged = $.selfManaged; this.serviceAccountJson = $.serviceAccountJson; + this.tlsCa = $.tlsCa; + this.tlsCertificate = $.tlsCertificate; this.username = $.username; this.usernameTemplate = $.usernameTemplate; } @@ -347,6 +411,48 @@ public Builder password(String password) { return password(Output.of(password)); } + /** + * @param privateKey The secret key used for the x509 client certificate. Must be PEM encoded. + * + * @return builder + * + */ + public Builder privateKey(@Nullable Output privateKey) { + $.privateKey = privateKey; + return this; + } + + /** + * @param privateKey The secret key used for the x509 client certificate. Must be PEM encoded. + * + * @return builder + * + */ + public Builder privateKey(String privateKey) { + return privateKey(Output.of(privateKey)); + } + + /** + * @param selfManaged If set, allows onboarding static roles with a rootless connection configuration. + * + * @return builder + * + */ + public Builder selfManaged(@Nullable Output selfManaged) { + $.selfManaged = selfManaged; + return this; + } + + /** + * @param selfManaged If set, allows onboarding static roles with a rootless connection configuration. + * + * @return builder + * + */ + public Builder selfManaged(Boolean selfManaged) { + return selfManaged(Output.of(selfManaged)); + } + /** * @param serviceAccountJson A JSON encoded credential for use with IAM authorization * 
@@ -368,6 +474,48 @@ public Builder serviceAccountJson(String serviceAccountJson) { return serviceAccountJson(Output.of(serviceAccountJson)); } + /** + * @param tlsCa The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCa(@Nullable Output tlsCa) { + $.tlsCa = tlsCa; + return this; + } + + /** + * @param tlsCa The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCa(String tlsCa) { + return tlsCa(Output.of(tlsCa)); + } + + /** + * @param tlsCertificate The x509 client certificate for connecting to the database. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCertificate(@Nullable Output tlsCertificate) { + $.tlsCertificate = tlsCertificate; + return this; + } + + /** + * @param tlsCertificate The x509 client certificate for connecting to the database. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCertificate(String tlsCertificate) { + return tlsCertificate(Output.of(tlsCertificate)); + } + /** * @param username The root credential username used in the connection URL * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendStaticRoleState.java b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendStaticRoleState.java index 2642d8ec2..c1a50d932 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendStaticRoleState.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendStaticRoleState.java 
@@ -155,6 +155,25 @@ public Optional> rotationWindow() { return Optional.ofNullable(this.rotationWindow); } + /** + * The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + */ + @Import(name="selfManagedPassword") + private @Nullable Output selfManagedPassword; + + /** + * @return The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + */ + public Optional> selfManagedPassword() { + return Optional.ofNullable(this.selfManagedPassword); + } + /** * The database username that this static role corresponds to. * @@ -181,6 +200,7 @@ private SecretBackendStaticRoleState(SecretBackendStaticRoleState $) { this.rotationSchedule = $.rotationSchedule; this.rotationStatements = $.rotationStatements; this.rotationWindow = $.rotationWindow; + this.selfManagedPassword = $.selfManagedPassword; this.username = $.username; } 
@@ -398,6 +418,31 @@ public Builder rotationWindow(Integer rotationWindow) { return rotationWindow(Output.of(rotationWindow)); } + /** + * @param selfManagedPassword The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + * @return builder + * + */ + public Builder selfManagedPassword(@Nullable Output selfManagedPassword) { + $.selfManagedPassword = selfManagedPassword; + return this; + } + + /** + * @param selfManagedPassword The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + * + * @return builder + * + */ + public Builder selfManagedPassword(String selfManagedPassword) { + return selfManagedPassword(Output.of(selfManagedPassword)); + } + /** * @param username The database username that this static role corresponds to. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountCassandraArgs.java b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountCassandraArgs.java index 713211c0c..067d33715 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountCassandraArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountCassandraArgs.java 
@@ -221,6 +221,21 @@ public Optional>> rootRotationStatements() { return Optional.ofNullable(this.rootRotationStatements); } + /** + * Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + @Import(name="skipVerification") + private @Nullable Output skipVerification; + + /** + * @return Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + public Optional> skipVerification() { + return Optional.ofNullable(this.skipVerification); + } + /** * Whether to use TLS when connecting to Cassandra. * @@ -284,6 +299,7 @@ private SecretsMountCassandraArgs(SecretsMountCassandraArgs $) { this.port = $.port; this.protocolVersion = $.protocolVersion; this.rootRotationStatements = $.rootRotationStatements; + this.skipVerification = $.skipVerification; this.tls = $.tls; this.username = $.username; this.verifyConnection = $.verifyConnection; 
@@ -617,6 +633,27 @@ public Builder rootRotationStatements(String... rootRotationStatements) { return rootRotationStatements(List.of(rootRotationStatements)); } + /** + * @param skipVerification Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + * @return builder + * + */ + public Builder skipVerification(@Nullable Output skipVerification) { + $.skipVerification = skipVerification; + return this; + } + + /** + * @param skipVerification Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + * @return builder + * + */ + public Builder skipVerification(Boolean skipVerification) { + return skipVerification(Output.of(skipVerification)); + } + /** * @param tls Whether to use TLS when connecting to Cassandra. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java index 68837e37a..e28e08117 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java @@ -191,6 +191,21 @@ public Optional> pluginName() { return Optional.ofNullable(this.pluginName); } + /** + * The secret key used for the x509 client certificate. Must be PEM encoded. + * + */ + @Import(name="privateKey") + private @Nullable Output privateKey; + + /** + * @return The secret key used for the x509 client certificate. Must be PEM encoded. + * + */ + public Optional> privateKey() { + return Optional.ofNullable(this.privateKey); + } + /** * A list of database statements to be executed to rotate the root user's credentials. * 
@@ -206,6 +221,21 @@ public Optional>> rootRotationStatements() { return Optional.ofNullable(this.rootRotationStatements); } + /** + * If set, allows onboarding static roles with a rootless connection configuration. + * + */ + @Import(name="selfManaged") + private @Nullable Output selfManaged; + + /** + * @return If set, allows onboarding static roles with a rootless connection configuration. + * + */ + public Optional> selfManaged() { + return Optional.ofNullable(this.selfManaged); + } + /** * A JSON encoded credential for use with IAM authorization * @@ -221,6 +251,36 @@ public Optional> serviceAccountJson() { return Optional.ofNullable(this.serviceAccountJson); } + /** + * The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + */ + @Import(name="tlsCa") + private @Nullable Output tlsCa; + + /** + * @return The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + */ + public Optional> tlsCa() { + return Optional.ofNullable(this.tlsCa); + } + + /** + * The x509 client certificate for connecting to the database. Must be PEM encoded. + * + */ + @Import(name="tlsCertificate") + private @Nullable Output tlsCertificate; + + /** + * @return The x509 client certificate for connecting to the database. Must be PEM encoded. + * + */ + public Optional> tlsCertificate() { + return Optional.ofNullable(this.tlsCertificate); + } + /** * The root credential username used in the connection URL * 
@@ -282,8 +342,12 @@ private SecretsMountPostgresqlArgs(SecretsMountPostgresqlArgs $) { this.name = $.name; this.password = $.password; this.pluginName = $.pluginName; + this.privateKey = $.privateKey; this.rootRotationStatements = $.rootRotationStatements; + this.selfManaged = $.selfManaged; this.serviceAccountJson = $.serviceAccountJson; + this.tlsCa = $.tlsCa; + this.tlsCertificate = $.tlsCertificate; this.username = $.username; this.usernameTemplate = $.usernameTemplate; this.verifyConnection = $.verifyConnection; @@ -555,6 +619,27 @@ public Builder pluginName(String pluginName) { return pluginName(Output.of(pluginName)); } + /** + * @param privateKey The secret key used for the x509 client certificate. Must be PEM encoded. + * + * @return builder + * + */ + public Builder privateKey(@Nullable Output privateKey) { + $.privateKey = privateKey; + return this; + } + + /** + * @param privateKey The secret key used for the x509 client certificate. Must be PEM encoded. + * + * @return builder + * + */ + public Builder privateKey(String privateKey) { + return privateKey(Output.of(privateKey)); + } + /** * @param rootRotationStatements A list of database statements to be executed to rotate the root user's credentials. * @@ -586,6 +671,27 @@ public Builder rootRotationStatements(String... rootRotationStatements) { return rootRotationStatements(List.of(rootRotationStatements)); } + /** + * @param selfManaged If set, allows onboarding static roles with a rootless connection configuration. + * + * @return builder + * + */ + public Builder selfManaged(@Nullable Output selfManaged) { + $.selfManaged = selfManaged; + return this; + } + + /** + * @param selfManaged If set, allows onboarding static roles with a rootless connection configuration. + * + * @return builder + * + */ + public Builder selfManaged(Boolean selfManaged) { + return selfManaged(Output.of(selfManaged)); + } + /** * @param serviceAccountJson A JSON encoded credential for use with IAM authorization * 
@@ -607,6 +713,48 @@ public Builder serviceAccountJson(String serviceAccountJson) { return serviceAccountJson(Output.of(serviceAccountJson)); } + /** + * @param tlsCa The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCa(@Nullable Output tlsCa) { + $.tlsCa = tlsCa; + return this; + } + + /** + * @param tlsCa The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCa(String tlsCa) { + return tlsCa(Output.of(tlsCa)); + } + + /** + * @param tlsCertificate The x509 client certificate for connecting to the database. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCertificate(@Nullable Output tlsCertificate) { + $.tlsCertificate = tlsCertificate; + return this; + } + + /** + * @param tlsCertificate The x509 client certificate for connecting to the database. Must be PEM encoded. + * + * @return builder + * + */ + public Builder tlsCertificate(String tlsCertificate) { + return tlsCertificate(Output.of(tlsCertificate)); + } + /** * @param username The root credential username used in the connection URL * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionCassandra.java b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionCassandra.java index a6d241a5e..5b49b2a44 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionCassandra.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionCassandra.java 
@@ -54,6 +54,11 @@ public final class SecretBackendConnectionCassandra { * */ private @Nullable Integer protocolVersion; + /** + * @return Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + private @Nullable Boolean skipVerification; /** * @return Whether to use TLS when connecting to Cassandra. * @@ -122,6 +127,13 @@ public Optional port() { public Optional protocolVersion() { return Optional.ofNullable(this.protocolVersion); } + /** + * @return Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + public Optional skipVerification() { + return Optional.ofNullable(this.skipVerification); + } /** * @return Whether to use TLS when connecting to Cassandra. * @@ -154,6 +166,7 @@ public static final class Builder { private @Nullable String pemJson; private @Nullable Integer port; private @Nullable Integer protocolVersion; + private @Nullable Boolean skipVerification; private @Nullable Boolean tls; private @Nullable String username; public Builder() {} @@ -167,6 +180,7 @@ public Builder(SecretBackendConnectionCassandra defaults) { this.pemJson = defaults.pemJson; this.port = defaults.port; this.protocolVersion = defaults.protocolVersion; + this.skipVerification = defaults.skipVerification; this.tls = defaults.tls; this.username = defaults.username; } @@ -223,6 +237,12 @@ public Builder protocolVersion(@Nullable Integer protocolVersion) { return this; } @CustomType.Setter + public Builder skipVerification(@Nullable Boolean skipVerification) { + + this.skipVerification = skipVerification; + return this; + } + @CustomType.Setter public Builder tls(@Nullable Boolean tls) { this.tls = tls; 
@@ -244,6 +264,7 @@ public SecretBackendConnectionCassandra build() { _resultValue.pemJson = pemJson; _resultValue.port = port; _resultValue.protocolVersion = protocolVersion; + _resultValue.skipVerification = skipVerification; _resultValue.tls = tls; _resultValue.username = username; return _resultValue; diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java index 1ca260000..f5aa7c4d2 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java @@ -48,11 +48,31 @@ public final class SecretBackendConnectionPostgresql { * */ private @Nullable String password; + /** + * @return The secret key used for the x509 client certificate. Must be PEM encoded. + * + */ + private @Nullable String privateKey; + /** + * @return If set, allows onboarding static roles with a rootless connection configuration. + * + */ + private @Nullable Boolean selfManaged; /** * @return A JSON encoded credential for use with IAM authorization * */ private @Nullable String serviceAccountJson; + /** + * @return The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + */ + private @Nullable String tlsCa; + /** + * @return The x509 client certificate for connecting to the database. Must be PEM encoded. + * + */ + private @Nullable String tlsCertificate; /** * @return The root credential username used in the connection URL * 
@@ -114,6 +134,20 @@ public Optional maxOpenConnections() { public Optional password() { return Optional.ofNullable(this.password); } + /** + * @return The secret key used for the x509 client certificate. Must be PEM encoded. + * + */ + public Optional privateKey() { + return Optional.ofNullable(this.privateKey); + } + /** + * @return If set, allows onboarding static roles with a rootless connection configuration. + * + */ + public Optional selfManaged() { + return Optional.ofNullable(this.selfManaged); + } /** * @return A JSON encoded credential for use with IAM authorization * @@ -121,6 +155,20 @@ public Optional password() { public Optional serviceAccountJson() { return Optional.ofNullable(this.serviceAccountJson); } + /** + * @return The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + * + */ + public Optional tlsCa() { + return Optional.ofNullable(this.tlsCa); + } + /** + * @return The x509 client certificate for connecting to the database. Must be PEM encoded. + * + */ + public Optional tlsCertificate() { + return Optional.ofNullable(this.tlsCertificate); + } /** * @return The root credential username used in the connection URL * @@ -152,7 +200,11 @@ public static final class Builder { private @Nullable Integer maxIdleConnections; private @Nullable Integer maxOpenConnections; private @Nullable String password; + private @Nullable String privateKey; + private @Nullable Boolean selfManaged; private @Nullable String serviceAccountJson; + private @Nullable String tlsCa; + private @Nullable String tlsCertificate; private @Nullable String username; private @Nullable String usernameTemplate; public Builder() {} 
@@ -165,7 +217,11 @@ public Builder(SecretBackendConnectionPostgresql defaults) { this.maxIdleConnections = defaults.maxIdleConnections; this.maxOpenConnections = defaults.maxOpenConnections; this.password = defaults.password; + this.privateKey = defaults.privateKey; + this.selfManaged = defaults.selfManaged; this.serviceAccountJson = defaults.serviceAccountJson; + this.tlsCa = defaults.tlsCa; + this.tlsCertificate = defaults.tlsCertificate; this.username = defaults.username; this.usernameTemplate = defaults.usernameTemplate; } @@ -213,12 +269,36 @@ public Builder password(@Nullable String password) { return this; } @CustomType.Setter + public Builder privateKey(@Nullable String privateKey) { + + this.privateKey = privateKey; + return this; + } + @CustomType.Setter + public Builder selfManaged(@Nullable Boolean selfManaged) { + + this.selfManaged = selfManaged; + return this; + } + @CustomType.Setter public Builder serviceAccountJson(@Nullable String serviceAccountJson) { this.serviceAccountJson = serviceAccountJson; return this; } @CustomType.Setter + public Builder tlsCa(@Nullable String tlsCa) { + + this.tlsCa = tlsCa; + return this; + } + @CustomType.Setter + public Builder tlsCertificate(@Nullable String tlsCertificate) { + + this.tlsCertificate = tlsCertificate; + return this; + } + @CustomType.Setter public Builder username(@Nullable String username) { this.username = username; @@ -239,7 +319,11 @@ public SecretBackendConnectionPostgresql build() { _resultValue.maxIdleConnections = maxIdleConnections; _resultValue.maxOpenConnections = maxOpenConnections; _resultValue.password = password; + _resultValue.privateKey = privateKey; + _resultValue.selfManaged = selfManaged; _resultValue.serviceAccountJson = serviceAccountJson; + _resultValue.tlsCa = tlsCa; + _resultValue.tlsCertificate = tlsCertificate; _resultValue.username = username; _resultValue.usernameTemplate = usernameTemplate; return _resultValue; 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountCassandra.java b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountCassandra.java index bd2200cb7..46de5cd60 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountCassandra.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountCassandra.java @@ -84,6 +84,11 @@ public final class SecretsMountCassandra { * */ private @Nullable List rootRotationStatements; + /** + * @return Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + private @Nullable Boolean skipVerification; /** * @return Whether to use TLS when connecting to Cassandra. * @@ -196,6 +201,13 @@ public Optional protocolVersion() { public List rootRotationStatements() { return this.rootRotationStatements == null ? List.of() : this.rootRotationStatements; } + /** + * @return Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + * + */ + public Optional skipVerification() { + return Optional.ofNullable(this.skipVerification); + } /** * @return Whether to use TLS when connecting to Cassandra. * @@ -241,6 +253,7 @@ public static final class Builder { private @Nullable Integer port; private @Nullable Integer protocolVersion; private @Nullable List rootRotationStatements; + private @Nullable Boolean skipVerification; private @Nullable Boolean tls; private @Nullable String username; private @Nullable Boolean verifyConnection; 
@@ -260,6 +273,7 @@ public Builder(SecretsMountCassandra defaults) { this.port = defaults.port; this.protocolVersion = defaults.protocolVersion; this.rootRotationStatements = defaults.rootRotationStatements; + this.skipVerification = defaults.skipVerification; this.tls = defaults.tls; this.username = defaults.username; this.verifyConnection = defaults.verifyConnection; @@ -355,6 +369,12 @@ public Builder rootRotationStatements(String... rootRotationStatements) { return rootRotationStatements(List.of(rootRotationStatements)); } @CustomType.Setter + public Builder skipVerification(@Nullable Boolean skipVerification) { + + this.skipVerification = skipVerification; + return this; + } + @CustomType.Setter public Builder tls(@Nullable Boolean tls) { this.tls = tls; @@ -387,6 +407,7 @@ public SecretsMountCassandra build() { _resultValue.port = port; _resultValue.protocolVersion = protocolVersion; _resultValue.rootRotationStatements = rootRotationStatements; + _resultValue.skipVerification = skipVerification; _resultValue.tls = tls; _resultValue.username = username; _resultValue.verifyConnection = verifyConnection; diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java index 3e225c4df..cfa60c1d2 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java 
@@ -74,16 +74,36 @@ public final class SecretsMountPostgresql {
 *
 */
 private @Nullable String pluginName;
+ /**
+ * @return The secret key used for the x509 client certificate. Must be PEM encoded.
+ *
+ */
+ private @Nullable String privateKey;
 /**
 * @return A list of database statements to be executed to rotate the root user's credentials.
 *
 */
 private @Nullable List rootRotationStatements;
+ /**
+ * @return If set, allows onboarding static roles with a rootless connection configuration.
+ *
+ */
+ private @Nullable Boolean selfManaged;
 /**
 * @return A JSON encoded credential for use with IAM authorization
 *
 */
 private @Nullable String serviceAccountJson;
+ /**
+ * @return The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.
+ *
+ */
+ private @Nullable String tlsCa;
+ /**
+ * @return The x509 client certificate for connecting to the database. Must be PEM encoded.
+ *
+ */
+ private @Nullable String tlsCertificate;
 /**
 * @return The root credential username used in the connection URL
 *
@@ -182,6 +202,13 @@ public Optional password() {
 public Optional pluginName() {
 return Optional.ofNullable(this.pluginName);
 }
+ /**
+ * @return The secret key used for the x509 client certificate. Must be PEM encoded.
+ *
+ */
+ public Optional privateKey() {
+ return Optional.ofNullable(this.privateKey);
+ }
 /**
 * @return A list of database statements to be executed to rotate the root user's credentials.
 *
@@ -189,6 +216,13 @@ public Optional pluginName() {
 public List rootRotationStatements() {
 return this.rootRotationStatements == null ? List.of() : this.rootRotationStatements;
 }
+ /**
+ * @return If set, allows onboarding static roles with a rootless connection configuration.
+ *
+ */
+ public Optional selfManaged() {
+ return Optional.ofNullable(this.selfManaged);
+ }
 /**
 * @return A JSON encoded credential for use with IAM authorization
 *
@@ -196,6 +230,20 @@ public List rootRotationStatements() {
 public Optional serviceAccountJson() {
 return Optional.ofNullable(this.serviceAccountJson);
 }
+ /**
+ * @return The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.
+ *
+ */
+ public Optional tlsCa() {
+ return Optional.ofNullable(this.tlsCa);
+ }
+ /**
+ * @return The x509 client certificate for connecting to the database. Must be PEM encoded.
+ *
+ */
+ public Optional tlsCertificate() {
+ return Optional.ofNullable(this.tlsCertificate);
+ }
 /**
 * @return The root credential username used in the connection URL
 *
@@ -239,8 +287,12 @@ public static final class Builder {
 private String name;
 private @Nullable String password;
 private @Nullable String pluginName;
+ private @Nullable String privateKey;
 private @Nullable List rootRotationStatements;
+ private @Nullable Boolean selfManaged;
 private @Nullable String serviceAccountJson;
+ private @Nullable String tlsCa;
+ private @Nullable String tlsCertificate;
 private @Nullable String username;
 private @Nullable String usernameTemplate;
 private @Nullable Boolean verifyConnection;
@@ -258,8 +310,12 @@ public Builder(SecretsMountPostgresql defaults) {
 this.name = defaults.name;
 this.password = defaults.password;
 this.pluginName = defaults.pluginName;
+ this.privateKey = defaults.privateKey;
 this.rootRotationStatements = defaults.rootRotationStatements;
+ this.selfManaged = defaults.selfManaged;
 this.serviceAccountJson = defaults.serviceAccountJson;
+ this.tlsCa = defaults.tlsCa;
+ this.tlsCertificate = defaults.tlsCertificate;
 this.username = defaults.username;
 this.usernameTemplate = defaults.usernameTemplate;
 this.verifyConnection = defaults.verifyConnection;
@@ -337,6 +393,12 @@ public Builder pluginName(@Nullable String pluginName) {
 return this;
 }
 @CustomType.Setter
+ public Builder privateKey(@Nullable String privateKey) {
+
+ this.privateKey = privateKey;
+ return this;
+ }
+ @CustomType.Setter
 public Builder rootRotationStatements(@Nullable List rootRotationStatements) {
 
 this.rootRotationStatements = rootRotationStatements;
@@ -346,12 +408,30 @@ public Builder rootRotationStatements(String... rootRotationStatements) {
 return rootRotationStatements(List.of(rootRotationStatements));
 }
 @CustomType.Setter
+ public Builder selfManaged(@Nullable Boolean selfManaged) {
+
+ this.selfManaged = selfManaged;
+ return this;
+ }
+ @CustomType.Setter
 public Builder serviceAccountJson(@Nullable String serviceAccountJson) {
 
 this.serviceAccountJson = serviceAccountJson;
 return this;
 }
 @CustomType.Setter
+ public Builder tlsCa(@Nullable String tlsCa) {
+
+ this.tlsCa = tlsCa;
+ return this;
+ }
+ @CustomType.Setter
+ public Builder tlsCertificate(@Nullable String tlsCertificate) {
+
+ this.tlsCertificate = tlsCertificate;
+ return this;
+ }
+ @CustomType.Setter
 public Builder username(@Nullable String username) {
 
 this.username = username;
@@ -382,8 +462,12 @@ public SecretsMountPostgresql build() {
 _resultValue.name = name;
 _resultValue.password = password;
 _resultValue.pluginName = pluginName;
+ _resultValue.privateKey = privateKey;
 _resultValue.rootRotationStatements = rootRotationStatements;
+ _resultValue.selfManaged = selfManaged;
 _resultValue.serviceAccountJson = serviceAccountJson;
+ _resultValue.tlsCa = tlsCa;
+ _resultValue.tlsCertificate = tlsCertificate;
 _resultValue.username = username;
 _resultValue.usernameTemplate = usernameTemplate;
 _resultValue.verifyConnection = verifyConnection;
diff --git a/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccount.java b/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccount.java
index c0f00bcd9..ea6e49ead 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccount.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccount.java
@@ -169,6 +169,22 @@ public Output serviceAccountProject() {
 public Output>> tokenScopes() {
 return Codegen.optional(this.tokenScopes);
 }
+ /**
+ * Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ */
+ @Export(name="ttl", refs={String.class}, tree="[0]")
+ private Output ttl;
+
+ /**
+ * @return Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ */
+ public Output ttl() {
+ return this.ttl;
+ }
 
 /**
 *
diff --git a/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccountArgs.java b/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccountArgs.java
index 08d46a640..0c1a281e5 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccountArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/gcp/SecretImpersonatedAccountArgs.java
@@ -92,6 +92,23 @@ public Optional>> tokenScopes() {
 return Optional.ofNullable(this.tokenScopes);
 }
 
+ /**
+ * Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ */
+ @Import(name="ttl")
+ private @Nullable Output ttl;
+
+ /**
+ * @return Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ */
+ public Optional> ttl() {
+ return Optional.ofNullable(this.ttl);
+ }
+
 private SecretImpersonatedAccountArgs() {}
 
 private SecretImpersonatedAccountArgs(SecretImpersonatedAccountArgs $) {
@@ -100,6 +117,7 @@ private SecretImpersonatedAccountArgs(SecretImpersonatedAccountArgs $) {
 this.namespace = $.namespace;
 this.serviceAccountEmail = $.serviceAccountEmail;
 this.tokenScopes = $.tokenScopes;
+ this.ttl = $.ttl;
 }
 
 public static Builder builder() {
@@ -235,6 +253,29 @@ public Builder tokenScopes(String... tokenScopes) {
 return tokenScopes(List.of(tokenScopes));
 }
 
+ /**
+ * @param ttl Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ * @return builder
+ *
+ */
+ public Builder ttl(@Nullable Output ttl) {
+ $.ttl = ttl;
+ return this;
+ }
+
+ /**
+ * @param ttl Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ * @return builder
+ *
+ */
+ public Builder ttl(String ttl) {
+ return ttl(Output.of(ttl));
+ }
+
 public SecretImpersonatedAccountArgs build() {
 if ($.backend == null) {
 throw new MissingRequiredPropertyException("SecretImpersonatedAccountArgs", "backend");
diff --git a/sdk/java/src/main/java/com/pulumi/vault/gcp/inputs/SecretImpersonatedAccountState.java b/sdk/java/src/main/java/com/pulumi/vault/gcp/inputs/SecretImpersonatedAccountState.java
index b86eeebbc..3e9d71782 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/gcp/inputs/SecretImpersonatedAccountState.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/gcp/inputs/SecretImpersonatedAccountState.java
@@ -106,6 +106,23 @@ public Optional>> tokenScopes() {
 return Optional.ofNullable(this.tokenScopes);
 }
 
+ /**
+ * Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ */
+ @Import(name="ttl")
+ private @Nullable Output ttl;
+
+ /**
+ * @return Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ */
+ public Optional> ttl() {
+ return Optional.ofNullable(this.ttl);
+ }
+
 private SecretImpersonatedAccountState() {}
 
 private SecretImpersonatedAccountState(SecretImpersonatedAccountState $) {
@@ -115,6 +132,7 @@ private SecretImpersonatedAccountState(SecretImpersonatedAccountState $) {
 this.serviceAccountEmail = $.serviceAccountEmail;
 this.serviceAccountProject = $.serviceAccountProject;
 this.tokenScopes = $.tokenScopes;
+ this.ttl = $.ttl;
 }
 
 public static Builder builder() {
@@ -271,6 +289,29 @@ public Builder tokenScopes(String... tokenScopes) {
 return tokenScopes(List.of(tokenScopes));
 }
 
+ /**
+ * @param ttl Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ * @return builder
+ *
+ */
+ public Builder ttl(@Nullable Output ttl) {
+ $.ttl = ttl;
+ return this;
+ }
+
+ /**
+ * @param ttl Specifies the default TTL for service principals generated using this role.
+ * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+ *
+ * @return builder
+ *
+ */
+ public Builder ttl(String ttl) {
+ return ttl(Output.of(ttl));
+ }
+
 public SecretImpersonatedAccountState build() {
 return $;
 }
diff --git a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfig.java b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfig.java
index 1a46c8b60..f2312f38f 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfig.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfig.java
@@ -213,6 +213,20 @@ public Output>> pemKeys() {
 public Output> tokenReviewerJwt() {
 return Codegen.optional(this.tokenReviewerJwt);
 }
+ /**
+ * Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ @Export(name="useAnnotationsAsAliasMetadata", refs={Boolean.class}, tree="[0]")
+ private Output useAnnotationsAsAliasMetadata;
+
+ /**
+ * @return Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ public Output useAnnotationsAsAliasMetadata() {
+ return this.useAnnotationsAsAliasMetadata;
+ }
 
 /**
 *
diff --git a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfigArgs.java b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfigArgs.java
index 7684343c8..ea69f902f 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfigArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/AuthBackendConfigArgs.java
@@ -159,6 +159,21 @@ public Optional> tokenReviewerJwt() {
 return Optional.ofNullable(this.tokenReviewerJwt);
 }
 
+ /**
+ * Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ @Import(name="useAnnotationsAsAliasMetadata")
+ private @Nullable Output useAnnotationsAsAliasMetadata;
+
+ /**
+ * @return Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ public Optional> useAnnotationsAsAliasMetadata() {
+ return Optional.ofNullable(this.useAnnotationsAsAliasMetadata);
+ }
+
 private AuthBackendConfigArgs() {}
 
 private AuthBackendConfigArgs(AuthBackendConfigArgs $) {
@@ -171,6 +186,7 @@ private AuthBackendConfigArgs(AuthBackendConfigArgs $) {
 this.namespace = $.namespace;
 this.pemKeys = $.pemKeys;
 this.tokenReviewerJwt = $.tokenReviewerJwt;
+ this.useAnnotationsAsAliasMetadata = $.useAnnotationsAsAliasMetadata;
 }
 
 public static Builder builder() {
@@ -396,6 +412,27 @@ public Builder tokenReviewerJwt(String tokenReviewerJwt) {
 return tokenReviewerJwt(Output.of(tokenReviewerJwt));
 }
 
+ /**
+ * @param useAnnotationsAsAliasMetadata Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ * @return builder
+ *
+ */
+ public Builder useAnnotationsAsAliasMetadata(@Nullable Output useAnnotationsAsAliasMetadata) {
+ $.useAnnotationsAsAliasMetadata = useAnnotationsAsAliasMetadata;
+ return this;
+ }
+
+ /**
+ * @param useAnnotationsAsAliasMetadata Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ * @return builder
+ *
+ */
+ public Builder useAnnotationsAsAliasMetadata(Boolean useAnnotationsAsAliasMetadata) {
+ return useAnnotationsAsAliasMetadata(Output.of(useAnnotationsAsAliasMetadata));
+ }
+
 public AuthBackendConfigArgs build() {
 if ($.kubernetesHost == null) {
 throw new MissingRequiredPropertyException("AuthBackendConfigArgs", "kubernetesHost");
diff --git a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/AuthBackendConfigState.java b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/AuthBackendConfigState.java
index bd5294ba8..22ea2f0fa 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/AuthBackendConfigState.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/AuthBackendConfigState.java
@@ -158,6 +158,21 @@ public Optional> tokenReviewerJwt() {
 return Optional.ofNullable(this.tokenReviewerJwt);
 }
 
+ /**
+ * Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ @Import(name="useAnnotationsAsAliasMetadata")
+ private @Nullable Output useAnnotationsAsAliasMetadata;
+
+ /**
+ * @return Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ public Optional> useAnnotationsAsAliasMetadata() {
+ return Optional.ofNullable(this.useAnnotationsAsAliasMetadata);
+ }
+
 private AuthBackendConfigState() {}
 
 private AuthBackendConfigState(AuthBackendConfigState $) {
@@ -170,6 +185,7 @@ private AuthBackendConfigState(AuthBackendConfigState $) {
 this.namespace = $.namespace;
 this.pemKeys = $.pemKeys;
 this.tokenReviewerJwt = $.tokenReviewerJwt;
+ this.useAnnotationsAsAliasMetadata = $.useAnnotationsAsAliasMetadata;
 }
 
 public static Builder builder() {
@@ -395,6 +411,27 @@ public Builder tokenReviewerJwt(String tokenReviewerJwt) {
 return tokenReviewerJwt(Output.of(tokenReviewerJwt));
 }
 
+ /**
+ * @param useAnnotationsAsAliasMetadata Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ * @return builder
+ *
+ */
+ public Builder useAnnotationsAsAliasMetadata(@Nullable Output useAnnotationsAsAliasMetadata) {
+ $.useAnnotationsAsAliasMetadata = useAnnotationsAsAliasMetadata;
+ return this;
+ }
+
+ /**
+ * @param useAnnotationsAsAliasMetadata Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ * @return builder
+ *
+ */
+ public Builder useAnnotationsAsAliasMetadata(Boolean useAnnotationsAsAliasMetadata) {
+ return useAnnotationsAsAliasMetadata(Output.of(useAnnotationsAsAliasMetadata));
+ }
+
 public AuthBackendConfigState build() {
 return $;
 }
diff --git a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigArgs.java b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigArgs.java
index 494cf6150..546c1515b 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigArgs.java
@@ -34,16 +34,32 @@ public Optional> backend() {
 return Optional.ofNullable(this.backend);
 }
 
+ /**
+ * (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 @Import(name="disableIssValidation")
 private @Nullable Output disableIssValidation;
 
+ /**
+ * @return (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 public Optional> disableIssValidation() {
 return Optional.ofNullable(this.disableIssValidation);
 }
 
+ /**
+ * (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 @Import(name="disableLocalCaJwt")
 private @Nullable Output disableLocalCaJwt;
 
+ /**
+ * @return (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 public Optional> disableLocalCaJwt() {
 return Optional.ofNullable(this.disableLocalCaJwt);
 }
@@ -129,6 +145,21 @@ public Optional>> pemKeys() {
 return Optional.ofNullable(this.pemKeys);
 }
 
+ /**
+ * (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ @Import(name="useAnnotationsAsAliasMetadata")
+ private @Nullable Output useAnnotationsAsAliasMetadata;
+
+ /**
+ * @return (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ public Optional> useAnnotationsAsAliasMetadata() {
+ return Optional.ofNullable(this.useAnnotationsAsAliasMetadata);
+ }
+
 private GetAuthBackendConfigArgs() {}
 
 private GetAuthBackendConfigArgs(GetAuthBackendConfigArgs $) {
@@ -140,6 +171,7 @@ private GetAuthBackendConfigArgs(GetAuthBackendConfigArgs $) {
 this.kubernetesHost = $.kubernetesHost;
 this.namespace = $.namespace;
 this.pemKeys = $.pemKeys;
+ this.useAnnotationsAsAliasMetadata = $.useAnnotationsAsAliasMetadata;
 }
 
 public static Builder builder() {
@@ -183,20 +215,44 @@ public Builder backend(String backend) {
 return backend(Output.of(backend));
 }
 
+ /**
+ * @param disableIssValidation (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ * @return builder
+ *
+ */
 public Builder disableIssValidation(@Nullable Output disableIssValidation) {
 $.disableIssValidation = disableIssValidation;
 return this;
 }
 
+ /**
+ * @param disableIssValidation (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ * @return builder
+ *
+ */
 public Builder disableIssValidation(Boolean disableIssValidation) {
 return disableIssValidation(Output.of(disableIssValidation));
 }
 
+ /**
+ * @param disableLocalCaJwt (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ * @return builder
+ *
+ */
 public Builder disableLocalCaJwt(@Nullable Output disableLocalCaJwt) {
 $.disableLocalCaJwt = disableLocalCaJwt;
 return this;
 }
 
+ /**
+ * @param disableLocalCaJwt (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ * @return builder
+ *
+ */
 public Builder disableLocalCaJwt(Boolean disableLocalCaJwt) {
 return disableLocalCaJwt(Output.of(disableLocalCaJwt));
 }
@@ -322,6 +378,27 @@ public Builder pemKeys(String... pemKeys) {
 return pemKeys(List.of(pemKeys));
 }
 
+ /**
+ * @param useAnnotationsAsAliasMetadata (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ * @return builder
+ *
+ */
+ public Builder useAnnotationsAsAliasMetadata(@Nullable Output useAnnotationsAsAliasMetadata) {
+ $.useAnnotationsAsAliasMetadata = useAnnotationsAsAliasMetadata;
+ return this;
+ }
+
+ /**
+ * @param useAnnotationsAsAliasMetadata (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ * @return builder
+ *
+ */
+ public Builder useAnnotationsAsAliasMetadata(Boolean useAnnotationsAsAliasMetadata) {
+ return useAnnotationsAsAliasMetadata(Output.of(useAnnotationsAsAliasMetadata));
+ }
+
 public GetAuthBackendConfigArgs build() {
 return $;
 }
diff --git a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigPlainArgs.java b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigPlainArgs.java
index f48eb1ddd..f58029a80 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigPlainArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/inputs/GetAuthBackendConfigPlainArgs.java
@@ -33,16 +33,32 @@ public Optional backend() {
 return Optional.ofNullable(this.backend);
 }
 
+ /**
+ * (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 @Import(name="disableIssValidation")
 private @Nullable Boolean disableIssValidation;
 
+ /**
+ * @return (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 public Optional disableIssValidation() {
 return Optional.ofNullable(this.disableIssValidation);
 }
 
+ /**
+ * (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 @Import(name="disableLocalCaJwt")
 private @Nullable Boolean disableLocalCaJwt;
 
+ /**
+ * @return (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 public Optional disableLocalCaJwt() {
 return Optional.ofNullable(this.disableLocalCaJwt);
 }
@@ -128,6 +144,21 @@ public Optional> pemKeys() {
 return Optional.ofNullable(this.pemKeys);
 }
 
+ /**
+ * (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ @Import(name="useAnnotationsAsAliasMetadata")
+ private @Nullable Boolean useAnnotationsAsAliasMetadata;
+
+ /**
+ * @return (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ public Optional useAnnotationsAsAliasMetadata() {
+ return Optional.ofNullable(this.useAnnotationsAsAliasMetadata);
+ }
+
 private GetAuthBackendConfigPlainArgs() {}
 
 private GetAuthBackendConfigPlainArgs(GetAuthBackendConfigPlainArgs $) {
@@ -139,6 +170,7 @@ private GetAuthBackendConfigPlainArgs(GetAuthBackendConfigPlainArgs $) {
 this.kubernetesHost = $.kubernetesHost;
 this.namespace = $.namespace;
 this.pemKeys = $.pemKeys;
+ this.useAnnotationsAsAliasMetadata = $.useAnnotationsAsAliasMetadata;
 }
 
 public static Builder builder() {
@@ -171,11 +203,23 @@ public Builder backend(@Nullable String backend) {
 return this;
 }
 
+ /**
+ * @param disableIssValidation (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ * @return builder
+ *
+ */
 public Builder disableIssValidation(@Nullable Boolean disableIssValidation) {
 $.disableIssValidation = disableIssValidation;
 return this;
 }
 
+ /**
+ * @param disableLocalCaJwt (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ * @return builder
+ *
+ */
 public Builder disableLocalCaJwt(@Nullable Boolean disableLocalCaJwt) {
 $.disableLocalCaJwt = disableLocalCaJwt;
 return this;
@@ -249,6 +293,17 @@ public Builder pemKeys(String... pemKeys) {
 return pemKeys(List.of(pemKeys));
 }
 
+ /**
+ * @param useAnnotationsAsAliasMetadata (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ * @return builder
+ *
+ */
+ public Builder useAnnotationsAsAliasMetadata(@Nullable Boolean useAnnotationsAsAliasMetadata) {
+ $.useAnnotationsAsAliasMetadata = useAnnotationsAsAliasMetadata;
+ return this;
+ }
+
 public GetAuthBackendConfigPlainArgs build() {
 return $;
 }
diff --git a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/outputs/GetAuthBackendConfigResult.java b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/outputs/GetAuthBackendConfigResult.java
index 983f65693..43d02458d 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/kubernetes/outputs/GetAuthBackendConfigResult.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/kubernetes/outputs/GetAuthBackendConfigResult.java
@@ -15,7 +15,15 @@
 @CustomType
 public final class GetAuthBackendConfigResult {
 private @Nullable String backend;
+ /**
+ * @return (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 private Boolean disableIssValidation;
+ /**
+ * @return (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 private Boolean disableLocalCaJwt;
 /**
 * @return The provider-assigned unique ID for this managed resource.
@@ -43,14 +51,27 @@ public final class GetAuthBackendConfigResult {
 *
 */
 private List pemKeys;
+ /**
+ * @return (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ private Boolean useAnnotationsAsAliasMetadata;
 
 private GetAuthBackendConfigResult() {}
 public Optional backend() {
 return Optional.ofNullable(this.backend);
 }
+ /**
+ * @return (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 public Boolean disableIssValidation() {
 return this.disableIssValidation;
 }
+ /**
+ * @return (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
+ *
+ */
 public Boolean disableLocalCaJwt() {
 return this.disableLocalCaJwt;
 }
@@ -92,6 +113,13 @@ public Optional namespace() {
 public List pemKeys() {
 return this.pemKeys;
 }
+ /**
+ * @return (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+ *
+ */
+ public Boolean useAnnotationsAsAliasMetadata() {
+ return this.useAnnotationsAsAliasMetadata;
+ }
 
 public static Builder builder() {
 return new Builder();
@@ -111,6 +139,7 @@ public static final class Builder {
 private String kubernetesHost;
 private @Nullable String namespace;
 private List pemKeys;
+ private Boolean useAnnotationsAsAliasMetadata;
 public Builder() {}
 public Builder(GetAuthBackendConfigResult defaults) {
 Objects.requireNonNull(defaults);
@@ -123,6 +152,7 @@ public Builder(GetAuthBackendConfigResult defaults) {
 this.kubernetesHost = defaults.kubernetesHost;
 this.namespace = defaults.namespace;
 this.pemKeys = defaults.pemKeys;
+ this.useAnnotationsAsAliasMetadata = defaults.useAnnotationsAsAliasMetadata;
 }
 
 @CustomType.Setter
@@ -196,6 +226,14 @@ public Builder pemKeys(List pemKeys) {
 public Builder pemKeys(String... pemKeys) {
 return pemKeys(List.of(pemKeys));
 }
+ @CustomType.Setter
+ public Builder useAnnotationsAsAliasMetadata(Boolean useAnnotationsAsAliasMetadata) {
+ if (useAnnotationsAsAliasMetadata == null) {
+ throw new MissingRequiredPropertyException("GetAuthBackendConfigResult", "useAnnotationsAsAliasMetadata");
+ }
+ this.useAnnotationsAsAliasMetadata = useAnnotationsAsAliasMetadata;
+ return this;
+ }
 public GetAuthBackendConfigResult build() {
 final var _resultValue = new GetAuthBackendConfigResult();
 _resultValue.backend = backend;
@@ -207,6 +245,7 @@ public GetAuthBackendConfigResult build() {
 _resultValue.kubernetesHost = kubernetesHost;
 _resultValue.namespace = namespace;
 _resultValue.pemKeys = pemKeys;
+ _resultValue.useAnnotationsAsAliasMetadata = useAnnotationsAsAliasMetadata;
 return _resultValue;
 }
 }
diff --git a/sdk/java/src/main/java/com/pulumi/vault/kv/KvFunctions.java b/sdk/java/src/main/java/com/pulumi/vault/kv/KvFunctions.java
index 49ef5e04a..8ce90821a 100644
--- a/sdk/java/src/main/java/com/pulumi/vault/kv/KvFunctions.java
+++ b/sdk/java/src/main/java/com/pulumi/vault/kv/KvFunctions.java
@@ -595,7 +595,6 @@ public static CompletableFuture getSecretSubkeysV2Plai
 * var exampleSecretV2 = new SecretV2("exampleSecretV2", SecretV2Args.builder()
 * .mount(kvv2.path())
 * .name("secret")
- * .cas(1)
 * .deleteAllVersions(true)
 * .dataJson(serializeJson(
 * jsonObject(
@@ -664,7 +663,6 @@ public static Output getSecretV2(GetSecretV2Args args) { * var exampleSecretV2 = new SecretV2("exampleSecretV2", SecretV2Args.builder() * .mount(kvv2.path()) * .name("secret") - * .cas(1) * .deleteAllVersions(true) * .dataJson(serializeJson( * jsonObject( @@ -733,7 +731,6 @@ public static CompletableFuture getSecretV2Plain(GetSecretV2P * var exampleSecretV2 = new SecretV2("exampleSecretV2", SecretV2Args.builder() * .mount(kvv2.path()) * .name("secret") - * .cas(1) * .deleteAllVersions(true) * .dataJson(serializeJson( * jsonObject( @@ -802,7 +799,6 @@ public static Output getSecretV2(GetSecretV2Args args, Invoke * var exampleSecretV2 = new SecretV2("exampleSecretV2", SecretV2Args.builder() * .mount(kvv2.path()) * .name("secret") - * .cas(1) * .deleteAllVersions(true) * .dataJson(serializeJson( * jsonObject( diff --git a/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackend.java b/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackend.java index 27efe3877..e622c51e6 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackend.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackend.java @@ -155,6 +155,20 @@ public Output clientTlsCert() { public Output clientTlsKey() { return this.clientTlsKey; } + /** + * Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + */ + @Export(name="connectionTimeout", refs={Integer.class}, tree="[0]") + private Output connectionTimeout; + + /** + * @return Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + */ + public Output connectionTimeout() { + return this.connectionTimeout; + } /** * Prevents users from bypassing authentication when providing an empty password. * 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackendArgs.java b/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackendArgs.java index ed690ee86..b7181f120 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackendArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ldap/AuthBackendArgs.java @@ -93,6 +93,21 @@ public Optional> clientTlsKey() { return Optional.ofNullable(this.clientTlsKey); } + /** + * Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + */ + @Import(name="connectionTimeout") + private @Nullable Output connectionTimeout; + + /** + * @return Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + */ + public Optional> connectionTimeout() { + return Optional.ofNullable(this.connectionTimeout); + } + /** * Prevents users from bypassing authentication when providing an empty password. * @@ -577,6 +592,7 @@ private AuthBackendArgs(AuthBackendArgs $) { this.certificate = $.certificate; this.clientTlsCert = $.clientTlsCert; this.clientTlsKey = $.clientTlsKey; + this.connectionTimeout = $.connectionTimeout; this.denyNullBind = $.denyNullBind; this.description = $.description; this.disableRemount = $.disableRemount; 
@@ -730,6 +746,27 @@ public Builder clientTlsKey(String clientTlsKey) { return clientTlsKey(Output.of(clientTlsKey)); } + /** + * @param connectionTimeout Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + * @return builder + * + */ + public Builder connectionTimeout(@Nullable Output connectionTimeout) { + $.connectionTimeout = connectionTimeout; + return this; + } + + /** + * @param connectionTimeout Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + * @return builder + * + */ + public Builder connectionTimeout(Integer connectionTimeout) { + return connectionTimeout(Output.of(connectionTimeout)); + } + /** * @param denyNullBind Prevents users from bypassing authentication when providing an empty password. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/ldap/inputs/AuthBackendState.java b/sdk/java/src/main/java/com/pulumi/vault/ldap/inputs/AuthBackendState.java index 8edb48550..2cb20ed4f 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ldap/inputs/AuthBackendState.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ldap/inputs/AuthBackendState.java @@ -107,6 +107,21 @@ public Optional> clientTlsKey() { return Optional.ofNullable(this.clientTlsKey); } + /** + * Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + */ + @Import(name="connectionTimeout") + private @Nullable Output connectionTimeout; + + /** + * @return Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + */ + public Optional> connectionTimeout() { + return Optional.ofNullable(this.connectionTimeout); + } + /** * Prevents users from bypassing authentication when providing an empty password. * 
@@ -592,6 +607,7 @@ private AuthBackendState(AuthBackendState $) { this.certificate = $.certificate; this.clientTlsCert = $.clientTlsCert; this.clientTlsKey = $.clientTlsKey; + this.connectionTimeout = $.connectionTimeout; this.denyNullBind = $.denyNullBind; this.description = $.description; this.disableRemount = $.disableRemount; @@ -766,6 +782,27 @@ public Builder clientTlsKey(String clientTlsKey) { return clientTlsKey(Output.of(clientTlsKey)); } + /** + * @param connectionTimeout Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + * @return builder + * + */ + public Builder connectionTimeout(@Nullable Output connectionTimeout) { + $.connectionTimeout = connectionTimeout; + return this; + } + + /** + * @param connectionTimeout Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + * + * @return builder + * + */ + public Builder connectionTimeout(Integer connectionTimeout) { + return connectionTimeout(Output.of(connectionTimeout)); + } + /** * @param denyNullBind Prevents users from bypassing authentication when providing an empty password. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java index c976de293..430ecc781 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java @@ -114,6 +114,12 @@ public Output algorithmSigner() { public Output> allowBareDomains() { return Codegen.optional(this.allowBareDomains); } + @Export(name="allowEmptyPrincipals", refs={Boolean.class}, tree="[0]") + private Output allowEmptyPrincipals; + + public Output> allowEmptyPrincipals() { + return Codegen.optional(this.allowEmptyPrincipals); + } /** * Specifies if certificates are allowed to be signed for use as a 'host'. * 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java index 4579c427c..fd61d44c5 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java @@ -50,6 +50,13 @@ public Optional> allowBareDomains() { return Optional.ofNullable(this.allowBareDomains); } + @Import(name="allowEmptyPrincipals") + private @Nullable Output allowEmptyPrincipals; + + public Optional> allowEmptyPrincipals() { + return Optional.ofNullable(this.allowEmptyPrincipals); + } + /** * Specifies if certificates are allowed to be signed for use as a 'host'. * @@ -427,6 +434,7 @@ private SecretBackendRoleArgs() {} private SecretBackendRoleArgs(SecretBackendRoleArgs $) { this.algorithmSigner = $.algorithmSigner; this.allowBareDomains = $.allowBareDomains; + this.allowEmptyPrincipals = $.allowEmptyPrincipals; this.allowHostCertificates = $.allowHostCertificates; this.allowSubdomains = $.allowSubdomains; this.allowUserCertificates = $.allowUserCertificates; @@ -513,6 +521,15 @@ public Builder allowBareDomains(Boolean allowBareDomains) { return allowBareDomains(Output.of(allowBareDomains)); } + public Builder allowEmptyPrincipals(@Nullable Output allowEmptyPrincipals) { + $.allowEmptyPrincipals = allowEmptyPrincipals; + return this; + } + + public Builder allowEmptyPrincipals(Boolean allowEmptyPrincipals) { + return allowEmptyPrincipals(Output.of(allowEmptyPrincipals)); + } + /** * @param allowHostCertificates Specifies if certificates are allowed to be signed for use as a 'host'. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java b/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java index 87bca598b..9b1852c04 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java 
+++ b/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java @@ -49,6 +49,13 @@ public Optional> allowBareDomains() { return Optional.ofNullable(this.allowBareDomains); } + @Import(name="allowEmptyPrincipals") + private @Nullable Output allowEmptyPrincipals; + + public Optional> allowEmptyPrincipals() { + return Optional.ofNullable(this.allowEmptyPrincipals); + } + /** * Specifies if certificates are allowed to be signed for use as a 'host'. * @@ -426,6 +433,7 @@ private SecretBackendRoleState() {} private SecretBackendRoleState(SecretBackendRoleState $) { this.algorithmSigner = $.algorithmSigner; this.allowBareDomains = $.allowBareDomains; + this.allowEmptyPrincipals = $.allowEmptyPrincipals; this.allowHostCertificates = $.allowHostCertificates; this.allowSubdomains = $.allowSubdomains; this.allowUserCertificates = $.allowUserCertificates; @@ -512,6 +520,15 @@ public Builder allowBareDomains(Boolean allowBareDomains) { return allowBareDomains(Output.of(allowBareDomains)); } + public Builder allowEmptyPrincipals(@Nullable Output allowEmptyPrincipals) { + $.allowEmptyPrincipals = allowEmptyPrincipals; + return this; + } + + public Builder allowEmptyPrincipals(Boolean allowEmptyPrincipals) { + return allowEmptyPrincipals(Output.of(allowEmptyPrincipals)); + } + /** * @param allowHostCertificates Specifies if certificates are allowed to be signed for use as a 'host'. * diff --git a/sdk/nodejs/approle/authBackendRoleSecretId.ts b/sdk/nodejs/approle/authBackendRoleSecretId.ts index c28ddc133..09884168c 100644 --- a/sdk/nodejs/approle/authBackendRoleSecretId.ts +++ b/sdk/nodejs/approle/authBackendRoleSecretId.ts @@ -87,6 +87,10 @@ export class AuthBackendRoleSecretId extends pulumi.CustomResource { * *Available only for Vault Enterprise*. */ public readonly namespace!: pulumi.Output; + /** + * The number of uses for the secret-id. + */ + public readonly numUses!: pulumi.Output; /** * The name of the role to create the SecretID for. */ 
@@ -96,6 +100,10 @@ export class AuthBackendRoleSecretId extends pulumi.CustomResource { * mode. Defaults to Vault auto-generating SecretIDs. */ public readonly secretId!: pulumi.Output; + /** + * The TTL duration of the SecretID. + */ + public readonly ttl!: pulumi.Output; /** * Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or @@ -137,8 +145,10 @@ export class AuthBackendRoleSecretId extends pulumi.CustomResource { resourceInputs["cidrLists"] = state ? state.cidrLists : undefined; resourceInputs["metadata"] = state ? state.metadata : undefined; resourceInputs["namespace"] = state ? state.namespace : undefined; + resourceInputs["numUses"] = state ? state.numUses : undefined; resourceInputs["roleName"] = state ? state.roleName : undefined; resourceInputs["secretId"] = state ? state.secretId : undefined; + resourceInputs["ttl"] = state ? state.ttl : undefined; resourceInputs["withWrappedAccessor"] = state ? state.withWrappedAccessor : undefined; resourceInputs["wrappingAccessor"] = state ? state.wrappingAccessor : undefined; resourceInputs["wrappingToken"] = state ? state.wrappingToken : undefined; 
@@ -152,8 +162,10 @@ export class AuthBackendRoleSecretId extends pulumi.CustomResource { resourceInputs["cidrLists"] = args ? args.cidrLists : undefined; resourceInputs["metadata"] = args ? args.metadata : undefined; resourceInputs["namespace"] = args ? args.namespace : undefined; + resourceInputs["numUses"] = args ? args.numUses : undefined; resourceInputs["roleName"] = args ? args.roleName : undefined; resourceInputs["secretId"] = args?.secretId ? pulumi.secret(args.secretId) : undefined; + resourceInputs["ttl"] = args ? args.ttl : undefined; resourceInputs["withWrappedAccessor"] = args ? args.withWrappedAccessor : undefined; resourceInputs["wrappingTtl"] = args ? args.wrappingTtl : undefined; resourceInputs["accessor"] = undefined /*out*/; @@ -198,6 +210,10 @@ export interface AuthBackendRoleSecretIdState { * *Available only for Vault Enterprise*. */ namespace?: pulumi.Input; + /** + * The number of uses for the secret-id. + */ + numUses?: pulumi.Input; /** * The name of the role to create the SecretID for. */ @@ -207,6 +223,10 @@ export interface AuthBackendRoleSecretIdState { * mode. Defaults to Vault auto-generating SecretIDs. */ secretId?: pulumi.Input; + /** + * The TTL duration of the SecretID. + */ + ttl?: pulumi.Input; /** * Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or @@ -256,6 +276,10 @@ export interface AuthBackendRoleSecretIdArgs { * *Available only for Vault Enterprise*. */ namespace?: pulumi.Input; + /** + * The number of uses for the secret-id. + */ + numUses?: pulumi.Input; /** * The name of the role to create the SecretID for. */ 
@@ -265,6 +289,10 @@ export interface AuthBackendRoleSecretIdArgs { * mode. Defaults to Vault auto-generating SecretIDs. */ secretId?: pulumi.Input; + /** + * The TTL duration of the SecretID. + */ + ttl?: pulumi.Input; /** * Set to `true` to use the wrapped secret-id accessor as the resource ID. * If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or diff --git a/sdk/nodejs/database/secretBackendStaticRole.ts b/sdk/nodejs/database/secretBackendStaticRole.ts index 0f0d0cfbe..3ee71c504 100644 --- a/sdk/nodejs/database/secretBackendStaticRole.ts +++ b/sdk/nodejs/database/secretBackendStaticRole.ts @@ -125,6 +125,12 @@ export class SecretBackendStaticRole extends pulumi.CustomResource { * from a given `rotationSchedule`. */ public readonly rotationWindow!: pulumi.Output; + /** + * The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + */ + public readonly selfManagedPassword!: pulumi.Output; /** * The database username that this static role corresponds to. */ @@ -151,6 +157,7 @@ export class SecretBackendStaticRole extends pulumi.CustomResource { resourceInputs["rotationSchedule"] = state ? state.rotationSchedule : undefined; resourceInputs["rotationStatements"] = state ? state.rotationStatements : undefined; resourceInputs["rotationWindow"] = state ? state.rotationWindow : undefined; + resourceInputs["selfManagedPassword"] = state ? state.selfManagedPassword : undefined; resourceInputs["username"] = state ? state.username : undefined; } else { const args = argsOrState as SecretBackendStaticRoleArgs | undefined; 
@@ -171,9 +178,12 @@ export class SecretBackendStaticRole extends pulumi.CustomResource { resourceInputs["rotationSchedule"] = args ? args.rotationSchedule : undefined; resourceInputs["rotationStatements"] = args ? args.rotationStatements : undefined; resourceInputs["rotationWindow"] = args ? args.rotationWindow : undefined; + resourceInputs["selfManagedPassword"] = args?.selfManagedPassword ? pulumi.secret(args.selfManagedPassword) : undefined; resourceInputs["username"] = args ? args.username : undefined; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const secretOpts = { additionalSecretOutputs: ["selfManagedPassword"] }; + opts = pulumi.mergeOptions(opts, secretOpts); super(SecretBackendStaticRole.__pulumiType, name, resourceInputs, opts); } } @@ -223,6 +233,12 @@ export interface SecretBackendStaticRoleState { * from a given `rotationSchedule`. */ rotationWindow?: pulumi.Input; + /** + * The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + */ + selfManagedPassword?: pulumi.Input; /** * The database username that this static role corresponds to. */ @@ -274,6 +290,12 @@ export interface SecretBackendStaticRoleArgs { * from a given `rotationSchedule`. */ rotationWindow?: pulumi.Input; + /** + * The password corresponding to the username in the database. + * Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + * select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + */ + selfManagedPassword?: pulumi.Input; /** * The database username that this static role corresponds to. */ diff --git a/sdk/nodejs/gcp/secretImpersonatedAccount.ts b/sdk/nodejs/gcp/secretImpersonatedAccount.ts index e91b04474..c76b2d9e4 100644 --- a/sdk/nodejs/gcp/secretImpersonatedAccount.ts +++ b/sdk/nodejs/gcp/secretImpersonatedAccount.ts 
@@ -93,6 +93,11 @@ export class SecretImpersonatedAccount extends pulumi.CustomResource { * List of OAuth scopes to assign to access tokens generated under this impersonated account. */ public readonly tokenScopes!: pulumi.Output; + /** + * Specifies the default TTL for service principals generated using this role. + * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + */ + public readonly ttl!: pulumi.Output; /** * Create a SecretImpersonatedAccount resource with the given unique name, arguments, and options. @@ -113,6 +118,7 @@ export class SecretImpersonatedAccount extends pulumi.CustomResource { resourceInputs["serviceAccountEmail"] = state ? state.serviceAccountEmail : undefined; resourceInputs["serviceAccountProject"] = state ? state.serviceAccountProject : undefined; resourceInputs["tokenScopes"] = state ? state.tokenScopes : undefined; + resourceInputs["ttl"] = state ? state.ttl : undefined; } else { const args = argsOrState as SecretImpersonatedAccountArgs | undefined; if ((!args || args.backend === undefined) && !opts.urn) { @@ -129,6 +135,7 @@ export class SecretImpersonatedAccount extends pulumi.CustomResource { resourceInputs["namespace"] = args ? args.namespace : undefined; resourceInputs["serviceAccountEmail"] = args ? args.serviceAccountEmail : undefined; resourceInputs["tokenScopes"] = args ? args.tokenScopes : undefined; + resourceInputs["ttl"] = args ? args.ttl : undefined; resourceInputs["serviceAccountProject"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); 
@@ -164,6 +171,11 @@ export interface SecretImpersonatedAccountState { * List of OAuth scopes to assign to access tokens generated under this impersonated account. */ tokenScopes?: pulumi.Input[]>; + /** + * Specifies the default TTL for service principals generated using this role. + * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + */ + ttl?: pulumi.Input; } /** @@ -190,4 +202,9 @@ export interface SecretImpersonatedAccountArgs { * List of OAuth scopes to assign to access tokens generated under this impersonated account. */ tokenScopes?: pulumi.Input[]>; + /** + * Specifies the default TTL for service principals generated using this role. + * Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + */ + ttl?: pulumi.Input; } diff --git a/sdk/nodejs/kubernetes/authBackendConfig.ts b/sdk/nodejs/kubernetes/authBackendConfig.ts index 1e7533888..820e81b08 100644 --- a/sdk/nodejs/kubernetes/authBackendConfig.ts +++ b/sdk/nodejs/kubernetes/authBackendConfig.ts @@ -103,6 +103,10 @@ export class AuthBackendConfig extends pulumi.CustomResource { * A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. */ public readonly tokenReviewerJwt!: pulumi.Output; + /** + * Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + */ + public readonly useAnnotationsAsAliasMetadata!: pulumi.Output; /** * Create a AuthBackendConfig resource with the given unique name, arguments, and options. 
@@ -126,6 +130,7 @@ export class AuthBackendConfig extends pulumi.CustomResource { resourceInputs["namespace"] = state ? state.namespace : undefined; resourceInputs["pemKeys"] = state ? state.pemKeys : undefined; resourceInputs["tokenReviewerJwt"] = state ? state.tokenReviewerJwt : undefined; + resourceInputs["useAnnotationsAsAliasMetadata"] = state ? state.useAnnotationsAsAliasMetadata : undefined; } else { const args = argsOrState as AuthBackendConfigArgs | undefined; if ((!args || args.kubernetesHost === undefined) && !opts.urn) { @@ -140,6 +145,7 @@ export class AuthBackendConfig extends pulumi.CustomResource { resourceInputs["namespace"] = args ? args.namespace : undefined; resourceInputs["pemKeys"] = args ? args.pemKeys : undefined; resourceInputs["tokenReviewerJwt"] = args?.tokenReviewerJwt ? pulumi.secret(args.tokenReviewerJwt) : undefined; + resourceInputs["useAnnotationsAsAliasMetadata"] = args ? args.useAnnotationsAsAliasMetadata : undefined; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); const secretOpts = { additionalSecretOutputs: ["tokenReviewerJwt"] }; @@ -191,6 +197,10 @@ export interface AuthBackendConfigState { * A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. */ tokenReviewerJwt?: pulumi.Input; + /** + * Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + */ + useAnnotationsAsAliasMetadata?: pulumi.Input; } /** 
@@ -236,4 +246,8 @@ export interface AuthBackendConfigArgs { * A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. */ tokenReviewerJwt?: pulumi.Input; + /** + * Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + */ + useAnnotationsAsAliasMetadata?: pulumi.Input; } diff --git a/sdk/nodejs/kubernetes/getAuthBackendConfig.ts b/sdk/nodejs/kubernetes/getAuthBackendConfig.ts index c49177bbb..c15ffa0e8 100644 --- a/sdk/nodejs/kubernetes/getAuthBackendConfig.ts +++ b/sdk/nodejs/kubernetes/getAuthBackendConfig.ts @@ -21,6 +21,7 @@ export function getAuthBackendConfig(args?: GetAuthBackendConfigArgs, opts?: pul "kubernetesHost": args.kubernetesHost, "namespace": args.namespace, "pemKeys": args.pemKeys, + "useAnnotationsAsAliasMetadata": args.useAnnotationsAsAliasMetadata, }, opts); } @@ -33,7 +34,13 @@ export interface GetAuthBackendConfigArgs { * retrieve Role attributes for resides in. Defaults to "kubernetes". */ backend?: string; + /** + * (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + */ disableIssValidation?: boolean; + /** + * (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + */ disableLocalCaJwt?: boolean; /** * Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. 
@@ -58,6 +65,10 @@ export interface GetAuthBackendConfigArgs { * Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. */ pemKeys?: string[]; + /** + * (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + */ + useAnnotationsAsAliasMetadata?: boolean; } /** @@ -65,7 +76,13 @@ export interface GetAuthBackendConfigArgs { */ export interface GetAuthBackendConfigResult { readonly backend?: string; + /** + * (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + */ readonly disableIssValidation: boolean; + /** + * (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + */ readonly disableLocalCaJwt: boolean; /** * The provider-assigned unique ID for this managed resource. @@ -88,6 +105,10 @@ export interface GetAuthBackendConfigResult { * Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. */ readonly pemKeys: string[]; + /** + * (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + */ + readonly useAnnotationsAsAliasMetadata: boolean; } /** * Reads the Role of an Kubernetes from a Vault server. See the [Vault 
@@ -106,6 +127,7 @@ export function getAuthBackendConfigOutput(args?: GetAuthBackendConfigOutputArgs "kubernetesHost": args.kubernetesHost, "namespace": args.namespace, "pemKeys": args.pemKeys, + "useAnnotationsAsAliasMetadata": args.useAnnotationsAsAliasMetadata, }, opts); } @@ -118,7 +140,13 @@ export interface GetAuthBackendConfigOutputArgs { * retrieve Role attributes for resides in. Defaults to "kubernetes". */ backend?: pulumi.Input; + /** + * (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + */ disableIssValidation?: pulumi.Input; + /** + * (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + */ disableLocalCaJwt?: pulumi.Input; /** * Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. @@ -143,4 +171,8 @@ export interface GetAuthBackendConfigOutputArgs { * Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. */ pemKeys?: pulumi.Input[]>; + /** + * (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + */ + useAnnotationsAsAliasMetadata?: pulumi.Input; } diff --git a/sdk/nodejs/kv/getSecretV2.ts b/sdk/nodejs/kv/getSecretV2.ts index 4c9f0322e..a6afd6950 100644 --- a/sdk/nodejs/kv/getSecretV2.ts +++ b/sdk/nodejs/kv/getSecretV2.ts @@ -22,7 +22,6 @@ import * as utilities from "../utilities"; * const exampleSecretV2 = new vault.kv.SecretV2("example", { * mount: kvv2.path, * name: "secret", - * cas: 1, * deleteAllVersions: true, * dataJson: JSON.stringify({ * zip: "zap", 
@@ -143,7 +142,6 @@ export interface GetSecretV2Result { * const exampleSecretV2 = new vault.kv.SecretV2("example", { * mount: kvv2.path, * name: "secret", - * cas: 1, * deleteAllVersions: true, * dataJson: JSON.stringify({ * zip: "zap", diff --git a/sdk/nodejs/ldap/authBackend.ts b/sdk/nodejs/ldap/authBackend.ts index 1111a52fe..9bce7e7ee 100644 --- a/sdk/nodejs/ldap/authBackend.ts +++ b/sdk/nodejs/ldap/authBackend.ts @@ -83,6 +83,10 @@ export class AuthBackend extends pulumi.CustomResource { public readonly certificate!: pulumi.Output; public readonly clientTlsCert!: pulumi.Output; public readonly clientTlsKey!: pulumi.Output; + /** + * Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + */ + public readonly connectionTimeout!: pulumi.Output; /** * Prevents users from bypassing authentication when providing an empty password. */ @@ -233,6 +237,7 @@ export class AuthBackend extends pulumi.CustomResource { resourceInputs["certificate"] = state ? state.certificate : undefined; resourceInputs["clientTlsCert"] = state ? state.clientTlsCert : undefined; resourceInputs["clientTlsKey"] = state ? state.clientTlsKey : undefined; + resourceInputs["connectionTimeout"] = state ? state.connectionTimeout : undefined; resourceInputs["denyNullBind"] = state ? state.denyNullBind : undefined; resourceInputs["description"] = state ? state.description : undefined; resourceInputs["disableRemount"] = state ? state.disableRemount : undefined; 
@@ -275,6 +280,7 @@ export class AuthBackend extends pulumi.CustomResource { resourceInputs["certificate"] = args ? args.certificate : undefined; resourceInputs["clientTlsCert"] = args ? args.clientTlsCert : undefined; resourceInputs["clientTlsKey"] = args?.clientTlsKey ? pulumi.secret(args.clientTlsKey) : undefined; + resourceInputs["connectionTimeout"] = args ? args.connectionTimeout : undefined; resourceInputs["denyNullBind"] = args ? args.denyNullBind : undefined; resourceInputs["description"] = args ? args.description : undefined; resourceInputs["disableRemount"] = args ? args.disableRemount : undefined; @@ -341,6 +347,10 @@ export interface AuthBackendState { certificate?: pulumi.Input; clientTlsCert?: pulumi.Input; clientTlsKey?: pulumi.Input; + /** + * Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + */ + connectionTimeout?: pulumi.Input; /** * Prevents users from bypassing authentication when providing an empty password. */ @@ -494,6 +504,10 @@ export interface AuthBackendArgs { certificate?: pulumi.Input; clientTlsCert?: pulumi.Input; clientTlsKey?: pulumi.Input; + /** + * Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + */ + connectionTimeout?: pulumi.Input; /** * Prevents users from bypassing authentication when providing an empty password. */ diff --git a/sdk/nodejs/ssh/secretBackendRole.ts b/sdk/nodejs/ssh/secretBackendRole.ts index 97c6c2768..44f073a72 100644 --- a/sdk/nodejs/ssh/secretBackendRole.ts +++ b/sdk/nodejs/ssh/secretBackendRole.ts 
@@ -77,6 +77,7 @@ export class SecretBackendRole extends pulumi.CustomResource { * Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. */ public readonly allowBareDomains!: pulumi.Output; + public readonly allowEmptyPrincipals!: pulumi.Output; /** * Specifies if certificates are allowed to be signed for use as a 'host'. */ @@ -195,6 +196,7 @@ export class SecretBackendRole extends pulumi.CustomResource { const state = argsOrState as SecretBackendRoleState | undefined; resourceInputs["algorithmSigner"] = state ? state.algorithmSigner : undefined; resourceInputs["allowBareDomains"] = state ? state.allowBareDomains : undefined; + resourceInputs["allowEmptyPrincipals"] = state ? state.allowEmptyPrincipals : undefined; resourceInputs["allowHostCertificates"] = state ? state.allowHostCertificates : undefined; resourceInputs["allowSubdomains"] = state ? state.allowSubdomains : undefined; resourceInputs["allowUserCertificates"] = state ? state.allowUserCertificates : undefined; @@ -229,6 +231,7 @@ export class SecretBackendRole extends pulumi.CustomResource { } resourceInputs["algorithmSigner"] = args ? args.algorithmSigner : undefined; resourceInputs["allowBareDomains"] = args ? args.allowBareDomains : undefined; + resourceInputs["allowEmptyPrincipals"] = args ? args.allowEmptyPrincipals : undefined; resourceInputs["allowHostCertificates"] = args ? args.allowHostCertificates : undefined; resourceInputs["allowSubdomains"] = args ? args.allowSubdomains : undefined; resourceInputs["allowUserCertificates"] = args ? args.allowUserCertificates : undefined; @@ -271,6 +274,7 @@ export interface SecretBackendRoleState { * Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. */ allowBareDomains?: pulumi.Input; + allowEmptyPrincipals?: pulumi.Input; /** * Specifies if certificates are allowed to be signed for use as a 'host'. */ 
@@ -387,6 +391,7 @@ export interface SecretBackendRoleArgs { * Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. */ allowBareDomains?: pulumi.Input; + allowEmptyPrincipals?: pulumi.Input; /** * Specifies if certificates are allowed to be signed for use as a 'host'. */ diff --git a/sdk/nodejs/types/input.ts b/sdk/nodejs/types/input.ts index 31ae319be..a137cc0e1 100644 --- a/sdk/nodejs/types/input.ts +++ b/sdk/nodejs/types/input.ts @@ -620,6 +620,10 @@ export namespace database { * The CQL protocol version to use. */ protocolVersion?: pulumi.Input; + /** + * Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + */ + skipVerification?: pulumi.Input; /** * Whether to use TLS when connecting to Cassandra. */ @@ -1123,10 +1127,26 @@ export namespace database { * The root credential password used in the connection URL */ password?: pulumi.Input; + /** + * The secret key used for the x509 client certificate. Must be PEM encoded. + */ + privateKey?: pulumi.Input; + /** + * If set, allows onboarding static roles with a rootless connection configuration. + */ + selfManaged?: pulumi.Input; /** * A JSON encoded credential for use with IAM authorization */ serviceAccountJson?: pulumi.Input; + /** + * The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + */ + tlsCa?: pulumi.Input; + /** + * The x509 client certificate for connecting to the database. Must be PEM encoded. + */ + tlsCertificate?: pulumi.Input; /** * The root credential username used in the connection URL */ 
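Review bot: The `skipVerification` doc comment in the first `database` namespace hunk of `input.ts` does not say what the flag leaves untouched, and the name reads like a certificate-verification switch sitting directly above the `tls` field. The text describes a permissions check that Vault runs when the Cassandra connection is first created, so a closing sentence such as `This only skips Vault's role-permission check; it does not affect TLS certificate verification of the Cassandra endpoint.` would stop operators from relaxing the wrong control — worth confirming against the provider source that the two are independent. The same comment is repeated in the second Cassandra hunk of `input.ts`, in both `output.ts` hunks, and in the Python `_inputs.py` hunks further down, so the wording belongs in the schema source rather than in each generated file.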
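Review bot: The `tlsCa` doc comment in the second `input.ts` hunk (the one adding `privateKey`, `selfManaged`, `tlsCa` and `tlsCertificate`) calls the value an "x509 CA file", but the field is a string that "Must be PEM encoded", which reads as the certificate contents rather than a path. Suggest `The PEM-encoded x509 CA certificate used to validate the certificate presented by the PostgreSQL server.` so users do not pass a filename that will not parse as PEM; the `tlsCertificate` comment is already phrased that way. For `privateKey` the comment could add that the value is key material that ends up in the stack state, since nested input types are not wrapped with `pulumi.secret()` here and the secret handling presumably comes from the provider schema — confirm that flag is set upstream. The same wording appears in the `SecretsMountPostgresql` hunk, in `output.ts`, and in the Python `_inputs.py` hunks.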
@@ -1309,6 +1329,10 @@ export namespace database { * A list of database statements to be executed to rotate the root user's credentials. */ rootRotationStatements?: pulumi.Input[]>; + /** + * Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + */ + skipVerification?: pulumi.Input; /** * Whether to use TLS when connecting to Cassandra. */ @@ -2172,14 +2196,30 @@ export namespace database { * Specifies the name of the plugin to use. */ pluginName?: pulumi.Input; + /** + * The secret key used for the x509 client certificate. Must be PEM encoded. + */ + privateKey?: pulumi.Input; /** * A list of database statements to be executed to rotate the root user's credentials. */ rootRotationStatements?: pulumi.Input[]>; + /** + * If set, allows onboarding static roles with a rootless connection configuration. + */ + selfManaged?: pulumi.Input; /** * A JSON encoded credential for use with IAM authorization */ serviceAccountJson?: pulumi.Input; + /** + * The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + */ + tlsCa?: pulumi.Input; + /** + * The x509 client certificate for connecting to the database. Must be PEM encoded. + */ + tlsCertificate?: pulumi.Input; /** * The root credential username used in the connection URL */ diff --git a/sdk/nodejs/types/output.ts b/sdk/nodejs/types/output.ts index d18cdd908..7c960b2b2 100644 --- a/sdk/nodejs/types/output.ts +++ b/sdk/nodejs/types/output.ts @@ -566,6 +566,10 @@ export namespace database { * The CQL protocol version to use. */ protocolVersion?: number; + /** + * Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + */ + skipVerification?: boolean; /** * Whether to use TLS when connecting to Cassandra. */ 
@@ -1069,10 +1073,26 @@ export namespace database { * The root credential password used in the connection URL */ password?: string; + /** + * The secret key used for the x509 client certificate. Must be PEM encoded. + */ + privateKey?: string; + /** + * If set, allows onboarding static roles with a rootless connection configuration. + */ + selfManaged?: boolean; /** * A JSON encoded credential for use with IAM authorization */ serviceAccountJson?: string; + /** + * The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + */ + tlsCa?: string; + /** + * The x509 client certificate for connecting to the database. Must be PEM encoded. + */ + tlsCertificate?: string; /** * The root credential username used in the connection URL */ @@ -1255,6 +1275,10 @@ export namespace database { * A list of database statements to be executed to rotate the root user's credentials. */ rootRotationStatements?: string[]; + /** + * Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + */ + skipVerification?: boolean; /** * Whether to use TLS when connecting to Cassandra. */ 
@@ -2118,14 +2142,30 @@ export namespace database { * Specifies the name of the plugin to use. */ pluginName: string; + /** + * The secret key used for the x509 client certificate. Must be PEM encoded. + */ + privateKey?: string; /** * A list of database statements to be executed to rotate the root user's credentials. */ rootRotationStatements?: string[]; + /** + * If set, allows onboarding static roles with a rootless connection configuration. + */ + selfManaged?: boolean; /** * A JSON encoded credential for use with IAM authorization */ serviceAccountJson?: string; + /** + * The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + */ + tlsCa?: string; + /** + * The x509 client certificate for connecting to the database. Must be PEM encoded. + */ + tlsCertificate?: string; /** * The root credential username used in the connection URL */ diff --git a/sdk/python/pulumi_vault/approle/auth_backend_role_secret_id.py b/sdk/python/pulumi_vault/approle/auth_backend_role_secret_id.py index 2113f1345..fe398abb2 100644 --- a/sdk/python/pulumi_vault/approle/auth_backend_role_secret_id.py +++ b/sdk/python/pulumi_vault/approle/auth_backend_role_secret_id.py @@ -24,7 +24,9 @@ def __init__(__self__, *, cidr_lists: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, metadata: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, + num_uses: Optional[pulumi.Input[int]] = None, secret_id: Optional[pulumi.Input[str]] = None, + ttl: Optional[pulumi.Input[int]] = None, with_wrapped_accessor: Optional[pulumi.Input[bool]] = None, wrapping_ttl: Optional[pulumi.Input[str]] = None): """ 
@@ -39,8 +41,10 @@ def __init__(__self__, *, The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*. + :param pulumi.Input[int] num_uses: The number of uses for the secret-id. :param pulumi.Input[str] secret_id: The SecretID to be created. If set, uses "Push" mode. Defaults to Vault auto-generating SecretIDs. + :param pulumi.Input[int] ttl: The TTL duration of the SecretID. :param pulumi.Input[bool] with_wrapped_accessor: Set to `true` to use the wrapped secret-id accessor as the resource ID. If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. @@ -58,8 +62,12 @@ def __init__(__self__, *, pulumi.set(__self__, "metadata", metadata) if namespace is not None: pulumi.set(__self__, "namespace", namespace) + if num_uses is not None: + pulumi.set(__self__, "num_uses", num_uses) if secret_id is not None: pulumi.set(__self__, "secret_id", secret_id) + if ttl is not None: + pulumi.set(__self__, "ttl", ttl) if with_wrapped_accessor is not None: pulumi.set(__self__, "with_wrapped_accessor", with_wrapped_accessor) if wrapping_ttl is not None: @@ -130,6 +138,18 @@ def namespace(self) -> Optional[pulumi.Input[str]]: def namespace(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "namespace", value) + @property + @pulumi.getter(name="numUses") + def num_uses(self) -> Optional[pulumi.Input[int]]: + """ + The number of uses for the secret-id. + """ + return pulumi.get(self, "num_uses") + + @num_uses.setter + def num_uses(self, value: Optional[pulumi.Input[int]]): + pulumi.set(self, "num_uses", value) + @property @pulumi.getter(name="secretId") def secret_id(self) -> Optional[pulumi.Input[str]]: 
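Review bot: The new line `:param pulumi.Input[int] ttl: The TTL duration of the SecretID.` in the `__init__` docstring hunk gives no unit, and the `num_uses` line does not say how `0` is interpreted, even though both are plain integers; the same two docstring lines recur in the later `__init__`, `_internal_init` and `get` hunks of this file. Suggest `:param pulumi.Input[int] ttl: TTL of the SecretID in seconds.` and `:param pulumi.Input[int] num_uses: Number of times the SecretID may be used to log in before it expires.`, and a clause on each stating whether `0` means unlimited or that the role's own limit applies — presumably seconds and role fallback as in the Vault AppRole API, but the hunk does not show it. Both properties also lack this detail in their getter docstrings added further down. The enclosing `__init__` begins before the hunk.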
@@ -143,6 +163,18 @@ def secret_id(self) -> Optional[pulumi.Input[str]]: def secret_id(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "secret_id", value) + @property + @pulumi.getter + def ttl(self) -> Optional[pulumi.Input[int]]: + """ + The TTL duration of the SecretID. + """ + return pulumi.get(self, "ttl") + + @ttl.setter + def ttl(self, value: Optional[pulumi.Input[int]]): + pulumi.set(self, "ttl", value) + @property @pulumi.getter(name="withWrappedAccessor") def with_wrapped_accessor(self) -> Optional[pulumi.Input[bool]]: @@ -181,8 +213,10 @@ def __init__(__self__, *, cidr_lists: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, metadata: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, + num_uses: Optional[pulumi.Input[int]] = None, role_name: Optional[pulumi.Input[str]] = None, secret_id: Optional[pulumi.Input[str]] = None, + ttl: Optional[pulumi.Input[int]] = None, with_wrapped_accessor: Optional[pulumi.Input[bool]] = None, wrapping_accessor: Optional[pulumi.Input[str]] = None, wrapping_token: Optional[pulumi.Input[str]] = None, 
@@ -199,9 +233,11 @@ def __init__(__self__, *, The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*. + :param pulumi.Input[int] num_uses: The number of uses for the secret-id. :param pulumi.Input[str] role_name: The name of the role to create the SecretID for. :param pulumi.Input[str] secret_id: The SecretID to be created. If set, uses "Push" mode. Defaults to Vault auto-generating SecretIDs. + :param pulumi.Input[int] ttl: The TTL duration of the SecretID. :param pulumi.Input[bool] with_wrapped_accessor: Set to `true` to use the wrapped secret-id accessor as the resource ID. If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. @@ -223,10 +259,14 @@ def __init__(__self__, *, pulumi.set(__self__, "metadata", metadata) if namespace is not None: pulumi.set(__self__, "namespace", namespace) + if num_uses is not None: + pulumi.set(__self__, "num_uses", num_uses) if role_name is not None: pulumi.set(__self__, "role_name", role_name) if secret_id is not None: pulumi.set(__self__, "secret_id", secret_id) + if ttl is not None: + pulumi.set(__self__, "ttl", ttl) if with_wrapped_accessor is not None: pulumi.set(__self__, "with_wrapped_accessor", with_wrapped_accessor) if wrapping_accessor is not None: 
@@ -301,6 +341,18 @@ def namespace(self) -> Optional[pulumi.Input[str]]: def namespace(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "namespace", value) + @property + @pulumi.getter(name="numUses") + def num_uses(self) -> Optional[pulumi.Input[int]]: + """ + The number of uses for the secret-id. + """ + return pulumi.get(self, "num_uses") + + @num_uses.setter + def num_uses(self, value: Optional[pulumi.Input[int]]): + pulumi.set(self, "num_uses", value) + @property @pulumi.getter(name="roleName") def role_name(self) -> Optional[pulumi.Input[str]]: @@ -326,6 +378,18 @@ def secret_id(self) -> Optional[pulumi.Input[str]]: def secret_id(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "secret_id", value) + @property + @pulumi.getter + def ttl(self) -> Optional[pulumi.Input[int]]: + """ + The TTL duration of the SecretID. + """ + return pulumi.get(self, "ttl") + + @ttl.setter + def ttl(self, value: Optional[pulumi.Input[int]]): + pulumi.set(self, "ttl", value) + @property @pulumi.getter(name="withWrappedAccessor") def with_wrapped_accessor(self) -> Optional[pulumi.Input[bool]]: @@ -390,8 +454,10 @@ def __init__(__self__, cidr_lists: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, metadata: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, + num_uses: Optional[pulumi.Input[int]] = None, role_name: Optional[pulumi.Input[str]] = None, secret_id: Optional[pulumi.Input[str]] = None, + ttl: Optional[pulumi.Input[int]] = None, with_wrapped_accessor: Optional[pulumi.Input[bool]] = None, wrapping_ttl: Optional[pulumi.Input[str]] = None, __props__=None): 
@@ -435,9 +501,11 @@ def __init__(__self__, The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*. + :param pulumi.Input[int] num_uses: The number of uses for the secret-id. :param pulumi.Input[str] role_name: The name of the role to create the SecretID for. :param pulumi.Input[str] secret_id: The SecretID to be created. If set, uses "Push" mode. Defaults to Vault auto-generating SecretIDs. + :param pulumi.Input[int] ttl: The TTL duration of the SecretID. :param pulumi.Input[bool] with_wrapped_accessor: Set to `true` to use the wrapped secret-id accessor as the resource ID. If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. @@ -500,8 +568,10 @@ def _internal_init(__self__, cidr_lists: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, metadata: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, + num_uses: Optional[pulumi.Input[int]] = None, role_name: Optional[pulumi.Input[str]] = None, secret_id: Optional[pulumi.Input[str]] = None, + ttl: Optional[pulumi.Input[int]] = None, with_wrapped_accessor: Optional[pulumi.Input[bool]] = None, wrapping_ttl: Optional[pulumi.Input[str]] = None, __props__=None): 
@@ -517,10 +587,12 @@ def _internal_init(__self__, __props__.__dict__["cidr_lists"] = cidr_lists __props__.__dict__["metadata"] = metadata __props__.__dict__["namespace"] = namespace + __props__.__dict__["num_uses"] = num_uses if role_name is None and not opts.urn: raise TypeError("Missing required property 'role_name'") __props__.__dict__["role_name"] = role_name __props__.__dict__["secret_id"] = None if secret_id is None else pulumi.Output.secret(secret_id) + __props__.__dict__["ttl"] = ttl __props__.__dict__["with_wrapped_accessor"] = with_wrapped_accessor __props__.__dict__["wrapping_ttl"] = wrapping_ttl __props__.__dict__["accessor"] = None @@ -545,8 +617,10 @@ def get(resource_name: str, cidr_lists: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, metadata: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, + num_uses: Optional[pulumi.Input[int]] = None, role_name: Optional[pulumi.Input[str]] = None, secret_id: Optional[pulumi.Input[str]] = None, + ttl: Optional[pulumi.Input[int]] = None, with_wrapped_accessor: Optional[pulumi.Input[bool]] = None, wrapping_accessor: Optional[pulumi.Input[str]] = None, wrapping_token: Optional[pulumi.Input[str]] = None, 
@@ -568,9 +642,11 @@ def get(resource_name: str, The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*. + :param pulumi.Input[int] num_uses: The number of uses for the secret-id. :param pulumi.Input[str] role_name: The name of the role to create the SecretID for. :param pulumi.Input[str] secret_id: The SecretID to be created. If set, uses "Push" mode. Defaults to Vault auto-generating SecretIDs. + :param pulumi.Input[int] ttl: The TTL duration of the SecretID. :param pulumi.Input[bool] with_wrapped_accessor: Set to `true` to use the wrapped secret-id accessor as the resource ID. If `false` (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. @@ -591,8 +667,10 @@ def get(resource_name: str, __props__.__dict__["cidr_lists"] = cidr_lists __props__.__dict__["metadata"] = metadata __props__.__dict__["namespace"] = namespace + __props__.__dict__["num_uses"] = num_uses __props__.__dict__["role_name"] = role_name __props__.__dict__["secret_id"] = secret_id + __props__.__dict__["ttl"] = ttl __props__.__dict__["with_wrapped_accessor"] = with_wrapped_accessor __props__.__dict__["wrapping_accessor"] = wrapping_accessor __props__.__dict__["wrapping_token"] = wrapping_token @@ -644,6 +722,14 @@ def namespace(self) -> pulumi.Output[Optional[str]]: """ return pulumi.get(self, "namespace") + @property + @pulumi.getter(name="numUses") + def num_uses(self) -> pulumi.Output[Optional[int]]: + """ + The number of uses for the secret-id. + """ + return pulumi.get(self, "num_uses") + @property @pulumi.getter(name="roleName") def role_name(self) -> pulumi.Output[str]: 
@@ -661,6 +747,14 @@ def secret_id(self) -> pulumi.Output[str]: """ return pulumi.get(self, "secret_id") + @property + @pulumi.getter + def ttl(self) -> pulumi.Output[Optional[int]]: + """ + The TTL duration of the SecretID. + """ + return pulumi.get(self, "ttl") + @property @pulumi.getter(name="withWrappedAccessor") def with_wrapped_accessor(self) -> pulumi.Output[Optional[bool]]: diff --git a/sdk/python/pulumi_vault/database/_inputs.py b/sdk/python/pulumi_vault/database/_inputs.py index c16f8409f..5c5aaa464 100644 --- a/sdk/python/pulumi_vault/database/_inputs.py +++ b/sdk/python/pulumi_vault/database/_inputs.py @@ -125,6 +125,10 @@ class SecretBackendConnectionCassandraArgsDict(TypedDict): """ The CQL protocol version to use. """ + skip_verification: NotRequired[pulumi.Input[bool]] + """ + Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + """ tls: NotRequired[pulumi.Input[bool]] """ Whether to use TLS when connecting to Cassandra. @@ -147,6 +151,7 @@ def __init__(__self__, *, pem_json: Optional[pulumi.Input[str]] = None, port: Optional[pulumi.Input[int]] = None, protocol_version: Optional[pulumi.Input[int]] = None, + skip_verification: Optional[pulumi.Input[bool]] = None, tls: Optional[pulumi.Input[bool]] = None, username: Optional[pulumi.Input[str]] = None): """ 
@@ -158,6 +163,7 @@ def __init__(__self__, *, :param pulumi.Input[str] pem_json: Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. :param pulumi.Input[int] port: The transport port to use to connect to Cassandra. :param pulumi.Input[int] protocol_version: The CQL protocol version to use. + :param pulumi.Input[bool] skip_verification: Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. :param pulumi.Input[bool] tls: Whether to use TLS when connecting to Cassandra. :param pulumi.Input[str] username: The username to use when authenticating with Cassandra. """ @@ -177,6 +183,8 @@ def __init__(__self__, *, pulumi.set(__self__, "port", port) if protocol_version is not None: pulumi.set(__self__, "protocol_version", protocol_version) + if skip_verification is not None: + pulumi.set(__self__, "skip_verification", skip_verification) if tls is not None: pulumi.set(__self__, "tls", tls) if username is not None: @@ -278,6 +286,18 @@ def protocol_version(self) -> Optional[pulumi.Input[int]]: def protocol_version(self, value: Optional[pulumi.Input[int]]): pulumi.set(self, "protocol_version", value) + @property + @pulumi.getter(name="skipVerification") + def skip_verification(self) -> Optional[pulumi.Input[bool]]: + """ + Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + """ + return pulumi.get(self, "skip_verification") + + @skip_verification.setter + def skip_verification(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "skip_verification", value) + @property @pulumi.getter def tls(self) -> Optional[pulumi.Input[bool]]: 
@@ -2605,10 +2625,26 @@ class SecretBackendConnectionPostgresqlArgsDict(TypedDict): """ The root credential password used in the connection URL """ + private_key: NotRequired[pulumi.Input[str]] + """ + The secret key used for the x509 client certificate. Must be PEM encoded. + """ + self_managed: NotRequired[pulumi.Input[bool]] + """ + If set, allows onboarding static roles with a rootless connection configuration. + """ service_account_json: NotRequired[pulumi.Input[str]] """ A JSON encoded credential for use with IAM authorization """ + tls_ca: NotRequired[pulumi.Input[str]] + """ + The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + """ + tls_certificate: NotRequired[pulumi.Input[str]] + """ + The x509 client certificate for connecting to the database. Must be PEM encoded. + """ username: NotRequired[pulumi.Input[str]] """ The root credential username used in the connection URL @@ -2630,7 +2666,11 @@ def __init__(__self__, *, max_idle_connections: Optional[pulumi.Input[int]] = None, max_open_connections: Optional[pulumi.Input[int]] = None, password: Optional[pulumi.Input[str]] = None, + private_key: Optional[pulumi.Input[str]] = None, + self_managed: Optional[pulumi.Input[bool]] = None, service_account_json: Optional[pulumi.Input[str]] = None, + tls_ca: Optional[pulumi.Input[str]] = None, + tls_certificate: Optional[pulumi.Input[str]] = None, username: Optional[pulumi.Input[str]] = None, username_template: Optional[pulumi.Input[str]] = None): """ 
@@ -2641,7 +2681,11 @@ def __init__(__self__, *, :param pulumi.Input[int] max_idle_connections: Maximum number of idle connections to the database. :param pulumi.Input[int] max_open_connections: Maximum number of open connections to the database. :param pulumi.Input[str] password: The root credential password used in the connection URL + :param pulumi.Input[str] private_key: The secret key used for the x509 client certificate. Must be PEM encoded. + :param pulumi.Input[bool] self_managed: If set, allows onboarding static roles with a rootless connection configuration. :param pulumi.Input[str] service_account_json: A JSON encoded credential for use with IAM authorization + :param pulumi.Input[str] tls_ca: The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + :param pulumi.Input[str] tls_certificate: The x509 client certificate for connecting to the database. Must be PEM encoded. :param pulumi.Input[str] username: The root credential username used in the connection URL :param pulumi.Input[str] username_template: Username generation template. """ @@ -2659,8 +2703,16 @@ def __init__(__self__, *, pulumi.set(__self__, "max_open_connections", max_open_connections) if password is not None: pulumi.set(__self__, "password", password) + if private_key is not None: + pulumi.set(__self__, "private_key", private_key) + if self_managed is not None: + pulumi.set(__self__, "self_managed", self_managed) if service_account_json is not None: pulumi.set(__self__, "service_account_json", service_account_json) + if tls_ca is not None: + pulumi.set(__self__, "tls_ca", tls_ca) + if tls_certificate is not None: + pulumi.set(__self__, "tls_certificate", tls_certificate) if username is not None: pulumi.set(__self__, "username", username) if username_template is not None: 
@@ -2750,6 +2802,30 @@ def password(self) -> Optional[pulumi.Input[str]]: def password(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "password", value) + @property + @pulumi.getter(name="privateKey") + def private_key(self) -> Optional[pulumi.Input[str]]: + """ + The secret key used for the x509 client certificate. Must be PEM encoded. + """ + return pulumi.get(self, "private_key") + + @private_key.setter + def private_key(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "private_key", value) + + @property + @pulumi.getter(name="selfManaged") + def self_managed(self) -> Optional[pulumi.Input[bool]]: + """ + If set, allows onboarding static roles with a rootless connection configuration. + """ + return pulumi.get(self, "self_managed") + + @self_managed.setter + def self_managed(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "self_managed", value) + @property @pulumi.getter(name="serviceAccountJson") def service_account_json(self) -> Optional[pulumi.Input[str]]: 
@@ -2762,6 +2838,30 @@ def service_account_json(self) -> Optional[pulumi.Input[str]]: def service_account_json(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "service_account_json", value) + @property + @pulumi.getter(name="tlsCa") + def tls_ca(self) -> Optional[pulumi.Input[str]]: + """ + The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + """ + return pulumi.get(self, "tls_ca") + + @tls_ca.setter + def tls_ca(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "tls_ca", value) + + @property + @pulumi.getter(name="tlsCertificate") + def tls_certificate(self) -> Optional[pulumi.Input[str]]: + """ + The x509 client certificate for connecting to the database. Must be PEM encoded. + """ + return pulumi.get(self, "tls_certificate") + + @tls_certificate.setter + def tls_certificate(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "tls_certificate", value) + @property @pulumi.getter def username(self) -> Optional[pulumi.Input[str]]: @@ -3408,6 +3508,10 @@ class SecretsMountCassandraArgsDict(TypedDict): """ A list of database statements to be executed to rotate the root user's credentials. """ + skip_verification: NotRequired[pulumi.Input[bool]] + """ + Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + """ tls: NotRequired[pulumi.Input[bool]] """ Whether to use TLS when connecting to Cassandra. @@ -3440,6 +3544,7 @@ def __init__(__self__, *, port: Optional[pulumi.Input[int]] = None, protocol_version: Optional[pulumi.Input[int]] = None, root_rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + skip_verification: Optional[pulumi.Input[bool]] = None, tls: Optional[pulumi.Input[bool]] = None, username: Optional[pulumi.Input[str]] = None, verify_connection: Optional[pulumi.Input[bool]] = None): 
@@ -3460,6 +3565,7 @@ def __init__(__self__, *, :param pulumi.Input[int] port: The transport port to use to connect to Cassandra. :param pulumi.Input[int] protocol_version: The CQL protocol version to use. :param pulumi.Input[Sequence[pulumi.Input[str]]] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials. + :param pulumi.Input[bool] skip_verification: Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. :param pulumi.Input[bool] tls: Whether to use TLS when connecting to Cassandra. :param pulumi.Input[str] username: The username to use when authenticating with Cassandra. :param pulumi.Input[bool] verify_connection: Whether the connection should be verified on @@ -3490,6 +3596,8 @@ def __init__(__self__, *, pulumi.set(__self__, "protocol_version", protocol_version) if root_rotation_statements is not None: pulumi.set(__self__, "root_rotation_statements", root_rotation_statements) + if skip_verification is not None: + pulumi.set(__self__, "skip_verification", skip_verification) if tls is not None: pulumi.set(__self__, "tls", tls) if username is not None: 
@@ -3656,6 +3764,18 @@ def root_rotation_statements(self) -> Optional[pulumi.Input[Sequence[pulumi.Inpu def root_rotation_statements(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): pulumi.set(self, "root_rotation_statements", value) + @property + @pulumi.getter(name="skipVerification") + def skip_verification(self) -> Optional[pulumi.Input[bool]]: + """ + Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + """ + return pulumi.get(self, "skip_verification") + + @skip_verification.setter + def skip_verification(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "skip_verification", value) + @property @pulumi.getter def tls(self) -> Optional[pulumi.Input[bool]]: @@ -7587,14 +7707,30 @@ class SecretsMountPostgresqlArgsDict(TypedDict): """ Specifies the name of the plugin to use. """ + private_key: NotRequired[pulumi.Input[str]] + """ + The secret key used for the x509 client certificate. Must be PEM encoded. + """ root_rotation_statements: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]] """ A list of database statements to be executed to rotate the root user's credentials. """ + self_managed: NotRequired[pulumi.Input[bool]] + """ + If set, allows onboarding static roles with a rootless connection configuration. + """ service_account_json: NotRequired[pulumi.Input[str]] """ A JSON encoded credential for use with IAM authorization """ + tls_ca: NotRequired[pulumi.Input[str]] + """ + The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + """ + tls_certificate: NotRequired[pulumi.Input[str]] + """ + The x509 client certificate for connecting to the database. Must be PEM encoded. + """ username: NotRequired[pulumi.Input[str]] """ The root credential username used in the connection URL 
@@ -7625,8 +7761,12 @@ def __init__(__self__, *, max_open_connections: Optional[pulumi.Input[int]] = None, password: Optional[pulumi.Input[str]] = None, plugin_name: Optional[pulumi.Input[str]] = None, + private_key: Optional[pulumi.Input[str]] = None, root_rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + self_managed: Optional[pulumi.Input[bool]] = None, service_account_json: Optional[pulumi.Input[str]] = None, + tls_ca: Optional[pulumi.Input[str]] = None, + tls_certificate: Optional[pulumi.Input[str]] = None, username: Optional[pulumi.Input[str]] = None, username_template: Optional[pulumi.Input[str]] = None, verify_connection: Optional[pulumi.Input[bool]] = None): 
@@ -7645,8 +7785,12 @@ def __init__(__self__, *, :param pulumi.Input[int] max_open_connections: Maximum number of open connections to the database. :param pulumi.Input[str] password: The root credential password used in the connection URL :param pulumi.Input[str] plugin_name: Specifies the name of the plugin to use. + :param pulumi.Input[str] private_key: The secret key used for the x509 client certificate. Must be PEM encoded. :param pulumi.Input[Sequence[pulumi.Input[str]]] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials. + :param pulumi.Input[bool] self_managed: If set, allows onboarding static roles with a rootless connection configuration. :param pulumi.Input[str] service_account_json: A JSON encoded credential for use with IAM authorization + :param pulumi.Input[str] tls_ca: The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + :param pulumi.Input[str] tls_certificate: The x509 client certificate for connecting to the database. Must be PEM encoded. :param pulumi.Input[str] username: The root credential username used in the connection URL :param pulumi.Input[str] username_template: Username generation template. :param pulumi.Input[bool] verify_connection: Whether the connection should be verified on 
@@ -7673,10 +7817,18 @@ def __init__(__self__, *, pulumi.set(__self__, "password", password) if plugin_name is not None: pulumi.set(__self__, "plugin_name", plugin_name) + if private_key is not None: + pulumi.set(__self__, "private_key", private_key) if root_rotation_statements is not None: pulumi.set(__self__, "root_rotation_statements", root_rotation_statements) + if self_managed is not None: + pulumi.set(__self__, "self_managed", self_managed) if service_account_json is not None: pulumi.set(__self__, "service_account_json", service_account_json) + if tls_ca is not None: + pulumi.set(__self__, "tls_ca", tls_ca) + if tls_certificate is not None: + pulumi.set(__self__, "tls_certificate", tls_certificate) if username is not None: pulumi.set(__self__, "username", username) if username_template is not None: @@ -7819,6 +7971,18 @@ def plugin_name(self) -> Optional[pulumi.Input[str]]: def plugin_name(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "plugin_name", value) + @property + @pulumi.getter(name="privateKey") + def private_key(self) -> Optional[pulumi.Input[str]]: + """ + The secret key used for the x509 client certificate. Must be PEM encoded. + """ + return pulumi.get(self, "private_key") + + @private_key.setter + def private_key(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "private_key", value) + @property @pulumi.getter(name="rootRotationStatements") def root_rotation_statements(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: 
@@ -7831,6 +7995,18 @@ def root_rotation_statements(self) -> Optional[pulumi.Input[Sequence[pulumi.Inpu def root_rotation_statements(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): pulumi.set(self, "root_rotation_statements", value) + @property + @pulumi.getter(name="selfManaged") + def self_managed(self) -> Optional[pulumi.Input[bool]]: + """ + If set, allows onboarding static roles with a rootless connection configuration. + """ + return pulumi.get(self, "self_managed") + + @self_managed.setter + def self_managed(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "self_managed", value) + @property @pulumi.getter(name="serviceAccountJson") def service_account_json(self) -> Optional[pulumi.Input[str]]: @@ -7843,6 +8019,30 @@ def service_account_json(self) -> Optional[pulumi.Input[str]]: def service_account_json(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "service_account_json", value) + @property + @pulumi.getter(name="tlsCa") + def tls_ca(self) -> Optional[pulumi.Input[str]]: + """ + The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + """ + return pulumi.get(self, "tls_ca") + + @tls_ca.setter + def tls_ca(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "tls_ca", value) + + @property + @pulumi.getter(name="tlsCertificate") + def tls_certificate(self) -> Optional[pulumi.Input[str]]: + """ + The x509 client certificate for connecting to the database. Must be PEM encoded. + """ + return pulumi.get(self, "tls_certificate") + + @tls_certificate.setter + def tls_certificate(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "tls_certificate", value) + @property @pulumi.getter def username(self) -> Optional[pulumi.Input[str]]: diff --git a/sdk/python/pulumi_vault/database/outputs.py b/sdk/python/pulumi_vault/database/outputs.py index 65cc8a4e3..2c6f2d36d 100644 --- a/sdk/python/pulumi_vault/database/outputs.py 
+++ b/sdk/python/pulumi_vault/database/outputs.py @@ -68,6 +68,8 @@ def __key_warning(key: str): suggest = "pem_json" elif key == "protocolVersion": suggest = "protocol_version" + elif key == "skipVerification": + suggest = "skip_verification" if suggest: pulumi.log.warn(f"Key '{key}' not found in SecretBackendConnectionCassandra. Access the value via the '{suggest}' property getter instead.") @@ -89,6 +91,7 @@ def __init__(__self__, *, pem_json: Optional[str] = None, port: Optional[int] = None, protocol_version: Optional[int] = None, + skip_verification: Optional[bool] = None, tls: Optional[bool] = None, username: Optional[str] = None): """ @@ -100,6 +103,7 @@ def __init__(__self__, *, :param str pem_json: Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. :param int port: The transport port to use to connect to Cassandra. :param int protocol_version: The CQL protocol version to use. + :param bool skip_verification: Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. :param bool tls: Whether to use TLS when connecting to Cassandra. :param str username: The username to use when authenticating with Cassandra. """ @@ -119,6 +123,8 @@ def __init__(__self__, *, pulumi.set(__self__, "port", port) if protocol_version is not None: pulumi.set(__self__, "protocol_version", protocol_version) + if skip_verification is not None: + pulumi.set(__self__, "skip_verification", skip_verification) if tls is not None: pulumi.set(__self__, "tls", tls) if username is not None: 
@@ -188,6 +194,14 @@ def protocol_version(self) -> Optional[int]: """ return pulumi.get(self, "protocol_version") + @property + @pulumi.getter(name="skipVerification") + def skip_verification(self) -> Optional[bool]: + """ + Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + """ + return pulumi.get(self, "skip_verification") + @property @pulumi.getter def tls(self) -> Optional[bool]: @@ -1914,8 +1928,16 @@ def __key_warning(key: str): suggest = "max_idle_connections" elif key == "maxOpenConnections": suggest = "max_open_connections" + elif key == "privateKey": + suggest = "private_key" + elif key == "selfManaged": + suggest = "self_managed" elif key == "serviceAccountJson": suggest = "service_account_json" + elif key == "tlsCa": + suggest = "tls_ca" + elif key == "tlsCertificate": + suggest = "tls_certificate" elif key == "usernameTemplate": suggest = "username_template" @@ -1938,7 +1960,11 @@ def __init__(__self__, *, max_idle_connections: Optional[int] = None, max_open_connections: Optional[int] = None, password: Optional[str] = None, + private_key: Optional[str] = None, + self_managed: Optional[bool] = None, service_account_json: Optional[str] = None, + tls_ca: Optional[str] = None, + tls_certificate: Optional[str] = None, username: Optional[str] = None, username_template: Optional[str] = None): """ 
@@ -1949,7 +1975,11 @@ def __init__(__self__, *, :param int max_idle_connections: Maximum number of idle connections to the database. :param int max_open_connections: Maximum number of open connections to the database. :param str password: The root credential password used in the connection URL + :param str private_key: The secret key used for the x509 client certificate. Must be PEM encoded. + :param bool self_managed: If set, allows onboarding static roles with a rootless connection configuration. :param str service_account_json: A JSON encoded credential for use with IAM authorization + :param str tls_ca: The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + :param str tls_certificate: The x509 client certificate for connecting to the database. Must be PEM encoded. :param str username: The root credential username used in the connection URL :param str username_template: Username generation template. """ @@ -1967,8 +1997,16 @@ def __init__(__self__, *, pulumi.set(__self__, "max_open_connections", max_open_connections) if password is not None: pulumi.set(__self__, "password", password) + if private_key is not None: + pulumi.set(__self__, "private_key", private_key) + if self_managed is not None: + pulumi.set(__self__, "self_managed", self_managed) if service_account_json is not None: pulumi.set(__self__, "service_account_json", service_account_json) + if tls_ca is not None: + pulumi.set(__self__, "tls_ca", tls_ca) + if tls_certificate is not None: + pulumi.set(__self__, "tls_certificate", tls_certificate) if username is not None: pulumi.set(__self__, "username", username) if username_template is not None: 
@@ -2030,6 +2068,22 @@ def password(self) -> Optional[str]: """ return pulumi.get(self, "password") + @property + @pulumi.getter(name="privateKey") + def private_key(self) -> Optional[str]: + """ + The secret key used for the x509 client certificate. Must be PEM encoded. + """ + return pulumi.get(self, "private_key") + + @property + @pulumi.getter(name="selfManaged") + def self_managed(self) -> Optional[bool]: + """ + If set, allows onboarding static roles with a rootless connection configuration. + """ + return pulumi.get(self, "self_managed") + @property @pulumi.getter(name="serviceAccountJson") def service_account_json(self) -> Optional[str]: @@ -2038,6 +2092,22 @@ def service_account_json(self) -> Optional[str]: """ return pulumi.get(self, "service_account_json") + @property + @pulumi.getter(name="tlsCa") + def tls_ca(self) -> Optional[str]: + """ + The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + """ + return pulumi.get(self, "tls_ca") + + @property + @pulumi.getter(name="tlsCertificate") + def tls_certificate(self) -> Optional[str]: + """ + The x509 client certificate for connecting to the database. Must be PEM encoded. + """ + return pulumi.get(self, "tls_certificate") + @property @pulumi.getter def username(self) -> Optional[str]: @@ -2483,6 +2553,8 @@ def __key_warning(key: str): suggest = "protocol_version" elif key == "rootRotationStatements": suggest = "root_rotation_statements" + elif key == "skipVerification": + suggest = "skip_verification" elif key == "verifyConnection": suggest = "verify_connection" @@ -2511,6 +2583,7 @@ def __init__(__self__, *, port: Optional[int] = None, protocol_version: Optional[int] = None, root_rotation_statements: Optional[Sequence[str]] = None, + skip_verification: Optional[bool] = None, tls: Optional[bool] = None, username: Optional[str] = None, verify_connection: Optional[bool] = None): 
@@ -2531,6 +2604,7 @@ def __init__(__self__, *, :param int port: The transport port to use to connect to Cassandra. :param int protocol_version: The CQL protocol version to use. :param Sequence[str] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials. + :param bool skip_verification: Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. :param bool tls: Whether to use TLS when connecting to Cassandra. :param str username: The username to use when authenticating with Cassandra. :param bool verify_connection: Whether the connection should be verified on @@ -2561,6 +2635,8 @@ def __init__(__self__, *, pulumi.set(__self__, "protocol_version", protocol_version) if root_rotation_statements is not None: pulumi.set(__self__, "root_rotation_statements", root_rotation_statements) + if skip_verification is not None: + pulumi.set(__self__, "skip_verification", skip_verification) if tls is not None: pulumi.set(__self__, "tls", tls) if username is not None: @@ -2675,6 +2751,14 @@ def root_rotation_statements(self) -> Optional[Sequence[str]]: """ return pulumi.get(self, "root_rotation_statements") + @property + @pulumi.getter(name="skipVerification") + def skip_verification(self) -> Optional[bool]: + """ + Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles. + """ + return pulumi.get(self, "skip_verification") + @property @pulumi.getter def tls(self) -> Optional[bool]: 
@@ -5458,10 +5542,18 @@ def __key_warning(key: str): suggest = "max_open_connections" elif key == "pluginName": suggest = "plugin_name" + elif key == "privateKey": + suggest = "private_key" elif key == "rootRotationStatements": suggest = "root_rotation_statements" + elif key == "selfManaged": + suggest = "self_managed" elif key == "serviceAccountJson": suggest = "service_account_json" + elif key == "tlsCa": + suggest = "tls_ca" + elif key == "tlsCertificate": + suggest = "tls_certificate" elif key == "usernameTemplate": suggest = "username_template" elif key == "verifyConnection": @@ -5490,8 +5582,12 @@ def __init__(__self__, *, max_open_connections: Optional[int] = None, password: Optional[str] = None, plugin_name: Optional[str] = None, + private_key: Optional[str] = None, root_rotation_statements: Optional[Sequence[str]] = None, + self_managed: Optional[bool] = None, service_account_json: Optional[str] = None, + tls_ca: Optional[str] = None, + tls_certificate: Optional[str] = None, username: Optional[str] = None, username_template: Optional[str] = None, verify_connection: Optional[bool] = None): 
@@ -5510,8 +5606,12 @@ def __init__(__self__, *, :param int max_open_connections: Maximum number of open connections to the database. :param str password: The root credential password used in the connection URL :param str plugin_name: Specifies the name of the plugin to use. + :param str private_key: The secret key used for the x509 client certificate. Must be PEM encoded. :param Sequence[str] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials. + :param bool self_managed: If set, allows onboarding static roles with a rootless connection configuration. :param str service_account_json: A JSON encoded credential for use with IAM authorization + :param str tls_ca: The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + :param str tls_certificate: The x509 client certificate for connecting to the database. Must be PEM encoded. :param str username: The root credential username used in the connection URL :param str username_template: Username generation template. :param bool verify_connection: Whether the connection should be verified on @@ -5538,10 +5638,18 @@ def __init__(__self__, *, pulumi.set(__self__, "password", password) if plugin_name is not None: pulumi.set(__self__, "plugin_name", plugin_name) + if private_key is not None: + pulumi.set(__self__, "private_key", private_key) if root_rotation_statements is not None: pulumi.set(__self__, "root_rotation_statements", root_rotation_statements) + if self_managed is not None: + pulumi.set(__self__, "self_managed", self_managed) if service_account_json is not None: pulumi.set(__self__, "service_account_json", service_account_json) + if tls_ca is not None: + pulumi.set(__self__, "tls_ca", tls_ca) + if tls_certificate is not None: + pulumi.set(__self__, "tls_certificate", tls_certificate) if username is not None: pulumi.set(__self__, "username", username) if username_template is not None: 
@@ -5640,6 +5748,14 @@ def plugin_name(self) -> Optional[str]: """ return pulumi.get(self, "plugin_name") + @property + @pulumi.getter(name="privateKey") + def private_key(self) -> Optional[str]: + """ + The secret key used for the x509 client certificate. Must be PEM encoded. + """ + return pulumi.get(self, "private_key") + @property @pulumi.getter(name="rootRotationStatements") def root_rotation_statements(self) -> Optional[Sequence[str]]: @@ -5648,6 +5764,14 @@ def root_rotation_statements(self) -> Optional[Sequence[str]]: """ return pulumi.get(self, "root_rotation_statements") + @property + @pulumi.getter(name="selfManaged") + def self_managed(self) -> Optional[bool]: + """ + If set, allows onboarding static roles with a rootless connection configuration. + """ + return pulumi.get(self, "self_managed") + @property @pulumi.getter(name="serviceAccountJson") def service_account_json(self) -> Optional[str]: @@ -5656,6 +5780,22 @@ def service_account_json(self) -> Optional[str]: """ return pulumi.get(self, "service_account_json") + @property + @pulumi.getter(name="tlsCa") + def tls_ca(self) -> Optional[str]: + """ + The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded. + """ + return pulumi.get(self, "tls_ca") + + @property + @pulumi.getter(name="tlsCertificate") + def tls_certificate(self) -> Optional[str]: + """ + The x509 client certificate for connecting to the database. Must be PEM encoded. + """ + return pulumi.get(self, "tls_certificate") + @property @pulumi.getter def username(self) -> Optional[str]: diff --git a/sdk/python/pulumi_vault/database/secret_backend_static_role.py b/sdk/python/pulumi_vault/database/secret_backend_static_role.py index 70f7abe62..b24b92482 100644 --- a/sdk/python/pulumi_vault/database/secret_backend_static_role.py +++ b/sdk/python/pulumi_vault/database/secret_backend_static_role.py 
@@ -27,7 +27,8 @@ def __init__(__self__, *, rotation_period: Optional[pulumi.Input[int]] = None, rotation_schedule: Optional[pulumi.Input[str]] = None, rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, - rotation_window: Optional[pulumi.Input[int]] = None): + rotation_window: Optional[pulumi.Input[int]] = None, + self_managed_password: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a SecretBackendStaticRole resource. :param pulumi.Input[str] backend: The unique name of the Vault mount to configure. @@ -48,6 +49,9 @@ def __init__(__self__, *, :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user. :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting from a given `rotation_schedule`. + :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database. + Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + select DB engines (Postgres). Requires Vault 1.18+ Enterprise. """ pulumi.set(__self__, "backend", backend) pulumi.set(__self__, "db_name", db_name) @@ -64,6 +68,8 @@ def __init__(__self__, *, pulumi.set(__self__, "rotation_statements", rotation_statements) if rotation_window is not None: pulumi.set(__self__, "rotation_window", rotation_window) + if self_managed_password is not None: + pulumi.set(__self__, "self_managed_password", self_managed_password) @property @pulumi.getter 
@@ -182,6 +188,20 @@ def rotation_window(self) -> Optional[pulumi.Input[int]]: def rotation_window(self, value: Optional[pulumi.Input[int]]): pulumi.set(self, "rotation_window", value) + @property + @pulumi.getter(name="selfManagedPassword") + def self_managed_password(self) -> Optional[pulumi.Input[str]]: + """ + The password corresponding to the username in the database. + Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + """ + return pulumi.get(self, "self_managed_password") + + @self_managed_password.setter + def self_managed_password(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "self_managed_password", value) + @pulumi.input_type class _SecretBackendStaticRoleState: @@ -194,6 +214,7 @@ def __init__(__self__, *, rotation_schedule: Optional[pulumi.Input[str]] = None, rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, rotation_window: Optional[pulumi.Input[int]] = None, + self_managed_password: Optional[pulumi.Input[str]] = None, username: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering SecretBackendStaticRole resources. @@ -214,6 +235,9 @@ def __init__(__self__, *, :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user. :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting from a given `rotation_schedule`. + :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database. + Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + select DB engines (Postgres). Requires Vault 1.18+ Enterprise. :param pulumi.Input[str] username: The database username that this static role corresponds to. """ if backend is not None: 
@@ -232,6 +256,8 @@ def __init__(__self__, *, pulumi.set(__self__, "rotation_statements", rotation_statements) if rotation_window is not None: pulumi.set(__self__, "rotation_window", rotation_window) + if self_managed_password is not None: + pulumi.set(__self__, "self_managed_password", self_managed_password) if username is not None: pulumi.set(__self__, "username", username) @@ -340,6 +366,20 @@ def rotation_window(self) -> Optional[pulumi.Input[int]]: def rotation_window(self, value: Optional[pulumi.Input[int]]): pulumi.set(self, "rotation_window", value) + @property + @pulumi.getter(name="selfManagedPassword") + def self_managed_password(self) -> Optional[pulumi.Input[str]]: + """ + The password corresponding to the username in the database. + Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + """ + return pulumi.get(self, "self_managed_password") + + @self_managed_password.setter + def self_managed_password(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "self_managed_password", value) + @property @pulumi.getter def username(self) -> Optional[pulumi.Input[str]]: @@ -366,6 +406,7 @@ def __init__(__self__, rotation_schedule: Optional[pulumi.Input[str]] = None, rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, rotation_window: Optional[pulumi.Input[int]] = None, + self_managed_password: Optional[pulumi.Input[str]] = None, username: Optional[pulumi.Input[str]] = None, __props__=None): """ 
@@ -435,6 +476,9 @@ def __init__(__self__, :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user. :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting from a given `rotation_schedule`. + :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database. + Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + select DB engines (Postgres). Requires Vault 1.18+ Enterprise. :param pulumi.Input[str] username: The database username that this static role corresponds to. """ ... @@ -514,6 +558,7 @@ def _internal_init(__self__, rotation_schedule: Optional[pulumi.Input[str]] = None, rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, rotation_window: Optional[pulumi.Input[int]] = None, + self_managed_password: Optional[pulumi.Input[str]] = None, username: Optional[pulumi.Input[str]] = None, __props__=None): opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) @@ -536,9 +581,12 @@ def _internal_init(__self__, __props__.__dict__["rotation_schedule"] = rotation_schedule __props__.__dict__["rotation_statements"] = rotation_statements __props__.__dict__["rotation_window"] = rotation_window + __props__.__dict__["self_managed_password"] = None if self_managed_password is None else pulumi.Output.secret(self_managed_password) if username is None and not opts.urn: raise TypeError("Missing required property 'username'") __props__.__dict__["username"] = username + secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["selfManagedPassword"]) + opts = pulumi.ResourceOptions.merge(opts, secret_opts) super(SecretBackendStaticRole, __self__).__init__( 'vault:database/secretBackendStaticRole:SecretBackendStaticRole', resource_name, 
@@ -557,6 +605,7 @@ def get(resource_name: str, rotation_schedule: Optional[pulumi.Input[str]] = None, rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, rotation_window: Optional[pulumi.Input[int]] = None, + self_managed_password: Optional[pulumi.Input[str]] = None, username: Optional[pulumi.Input[str]] = None) -> 'SecretBackendStaticRole': """ Get an existing SecretBackendStaticRole resource's state with the given name, id, and optional extra @@ -582,6 +631,9 @@ def get(resource_name: str, :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user. :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting from a given `rotation_schedule`. + :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database. + Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + select DB engines (Postgres). Requires Vault 1.18+ Enterprise. :param pulumi.Input[str] username: The database username that this static role corresponds to. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -596,6 +648,7 @@ def get(resource_name: str, __props__.__dict__["rotation_schedule"] = rotation_schedule __props__.__dict__["rotation_statements"] = rotation_statements __props__.__dict__["rotation_window"] = rotation_window + __props__.__dict__["self_managed_password"] = self_managed_password __props__.__dict__["username"] = username return SecretBackendStaticRole(resource_name, opts=opts, __props__=__props__) 
@@ -672,6 +725,16 @@ def rotation_window(self) -> pulumi.Output[Optional[int]]: """ return pulumi.get(self, "rotation_window") + @property + @pulumi.getter(name="selfManagedPassword") + def self_managed_password(self) -> pulumi.Output[Optional[str]]: + """ + The password corresponding to the username in the database. + Required when using the Rootless Password Rotation workflow for static roles. Only enabled for + select DB engines (Postgres). Requires Vault 1.18+ Enterprise. + """ + return pulumi.get(self, "self_managed_password") + @property @pulumi.getter def username(self) -> pulumi.Output[str]: diff --git a/sdk/python/pulumi_vault/gcp/secret_impersonated_account.py b/sdk/python/pulumi_vault/gcp/secret_impersonated_account.py index 17d8a467d..0929c6d60 100644 --- a/sdk/python/pulumi_vault/gcp/secret_impersonated_account.py +++ b/sdk/python/pulumi_vault/gcp/secret_impersonated_account.py @@ -23,7 +23,8 @@ def __init__(__self__, *, impersonated_account: pulumi.Input[str], service_account_email: pulumi.Input[str], namespace: Optional[pulumi.Input[str]] = None, - token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): + token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + ttl: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a SecretImpersonatedAccount resource. :param pulumi.Input[str] backend: Path where the GCP Secrets Engine is mounted 
@@ -31,6 +32,8 @@ def __init__(__self__, *, :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate. :param pulumi.Input[str] namespace: Target namespace. (requires Enterprise) :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account. + :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. """ pulumi.set(__self__, "backend", backend) pulumi.set(__self__, "impersonated_account", impersonated_account) @@ -39,6 +42,8 @@ def __init__(__self__, *, pulumi.set(__self__, "namespace", namespace) if token_scopes is not None: pulumi.set(__self__, "token_scopes", token_scopes) + if ttl is not None: + pulumi.set(__self__, "ttl", ttl) @property @pulumi.getter @@ -100,6 +105,19 @@ def token_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: def token_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): pulumi.set(self, "token_scopes", value) + @property + @pulumi.getter + def ttl(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + """ + return pulumi.get(self, "ttl") + + @ttl.setter + def ttl(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "ttl", value) + @pulumi.input_type class _SecretImpersonatedAccountState: 
@@ -109,7 +127,8 @@ def __init__(__self__, *, namespace: Optional[pulumi.Input[str]] = None, service_account_email: Optional[pulumi.Input[str]] = None, service_account_project: Optional[pulumi.Input[str]] = None, - token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): + token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + ttl: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering SecretImpersonatedAccount resources. :param pulumi.Input[str] backend: Path where the GCP Secrets Engine is mounted @@ -118,6 +137,8 @@ def __init__(__self__, *, :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate. :param pulumi.Input[str] service_account_project: Project the service account belongs to. :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account. + :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. """ if backend is not None: pulumi.set(__self__, "backend", backend) @@ -131,6 +152,8 @@ def __init__(__self__, *, pulumi.set(__self__, "service_account_project", service_account_project) if token_scopes is not None: pulumi.set(__self__, "token_scopes", token_scopes) + if ttl is not None: + pulumi.set(__self__, "ttl", ttl) @property @pulumi.getter 
@@ -204,6 +227,19 @@ def token_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: def token_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): pulumi.set(self, "token_scopes", value) + @property + @pulumi.getter + def ttl(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + """ + return pulumi.get(self, "ttl") + + @ttl.setter + def ttl(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "ttl", value) + class SecretImpersonatedAccount(pulumi.CustomResource): @overload @@ -215,6 +251,7 @@ def __init__(__self__, namespace: Optional[pulumi.Input[str]] = None, service_account_email: Optional[pulumi.Input[str]] = None, token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + ttl: Optional[pulumi.Input[str]] = None, __props__=None): """ Creates a Impersonated Account in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault. @@ -256,6 +293,8 @@ def __init__(__self__, :param pulumi.Input[str] namespace: Target namespace. (requires Enterprise) :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate. :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account. + :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. """ ... @overload 
@@ -316,6 +355,7 @@ def _internal_init(__self__, namespace: Optional[pulumi.Input[str]] = None, service_account_email: Optional[pulumi.Input[str]] = None, token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + ttl: Optional[pulumi.Input[str]] = None, __props__=None): opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) if not isinstance(opts, pulumi.ResourceOptions): @@ -336,6 +376,7 @@ def _internal_init(__self__, raise TypeError("Missing required property 'service_account_email'") __props__.__dict__["service_account_email"] = service_account_email __props__.__dict__["token_scopes"] = token_scopes + __props__.__dict__["ttl"] = ttl __props__.__dict__["service_account_project"] = None super(SecretImpersonatedAccount, __self__).__init__( 'vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount', @@ -352,7 +393,8 @@ def get(resource_name: str, namespace: Optional[pulumi.Input[str]] = None, service_account_email: Optional[pulumi.Input[str]] = None, service_account_project: Optional[pulumi.Input[str]] = None, - token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None) -> 'SecretImpersonatedAccount': + token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + ttl: Optional[pulumi.Input[str]] = None) -> 'SecretImpersonatedAccount': """ Get an existing SecretImpersonatedAccount resource's state with the given name, id, and optional extra properties used to qualify the lookup. 
@@ -366,6 +408,8 @@ def get(resource_name: str, :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate. :param pulumi.Input[str] service_account_project: Project the service account belongs to. :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account. + :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -377,6 +421,7 @@ def get(resource_name: str, __props__.__dict__["service_account_email"] = service_account_email __props__.__dict__["service_account_project"] = service_account_project __props__.__dict__["token_scopes"] = token_scopes + __props__.__dict__["ttl"] = ttl return SecretImpersonatedAccount(resource_name, opts=opts, __props__=__props__) @property @@ -427,3 +472,12 @@ def token_scopes(self) -> pulumi.Output[Optional[Sequence[str]]]: """ return pulumi.get(self, "token_scopes") + @property + @pulumi.getter + def ttl(self) -> pulumi.Output[str]: + """ + Specifies the default TTL for service principals generated using this role. + Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. + """ + return pulumi.get(self, "ttl") + diff --git a/sdk/python/pulumi_vault/kubernetes/auth_backend_config.py b/sdk/python/pulumi_vault/kubernetes/auth_backend_config.py index 30a2d0feb..6ab3b4614 100644 --- a/sdk/python/pulumi_vault/kubernetes/auth_backend_config.py +++ b/sdk/python/pulumi_vault/kubernetes/auth_backend_config.py 
@@ -27,7 +27,8 @@ def __init__(__self__, *, kubernetes_ca_cert: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, - token_reviewer_jwt: Optional[pulumi.Input[str]] = None): + token_reviewer_jwt: Optional[pulumi.Input[str]] = None, + use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None): """ The set of arguments for constructing a AuthBackendConfig resource. :param pulumi.Input[str] kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. @@ -42,6 +43,7 @@ def __init__(__self__, *, *Available only for Vault Enterprise*. :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` """ pulumi.set(__self__, "kubernetes_host", kubernetes_host) if backend is not None: @@ -60,6 +62,8 @@ def __init__(__self__, *, pulumi.set(__self__, "pem_keys", pem_keys) if token_reviewer_jwt is not None: pulumi.set(__self__, "token_reviewer_jwt", token_reviewer_jwt) + if use_annotations_as_alias_metadata is not None: + pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata) @property @pulumi.getter(name="kubernetesHost") 
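Review bot: The `:param` text for `use_annotations_as_alias_metadata` in `AuthBackendConfigArgs.__init__` says the flag copies service-account annotations into the entity alias metadata, but not that this makes Kubernetes RBAC over ServiceAccount objects a trust input to Vault: anyone who can patch annotations on the service account then controls what lands in the alias metadata. If Vault policies, group mappings or templated paths are keyed on that metadata (as alias metadata can be, I believe), that write access should be treated as equivalent to editing those mappings. Suggest appending to the description `Annotation values are controlled by whoever can modify the ServiceAccount in Kubernetes; treat them as untrusted when keying policies on alias metadata.` — and, as this file looks generated, doing so in the provider schema description. The same text repeats in the hunks at lines 180 through 190.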
@@ -172,6 +176,18 @@ def token_reviewer_jwt(self) -> Optional[pulumi.Input[str]]: def token_reviewer_jwt(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "token_reviewer_jwt", value) + @property + @pulumi.getter(name="useAnnotationsAsAliasMetadata") + def use_annotations_as_alias_metadata(self) -> Optional[pulumi.Input[bool]]: + """ + Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + """ + return pulumi.get(self, "use_annotations_as_alias_metadata") + + @use_annotations_as_alias_metadata.setter + def use_annotations_as_alias_metadata(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "use_annotations_as_alias_metadata", value) + @pulumi.input_type class _AuthBackendConfigState: @@ -184,7 +200,8 @@ def __init__(__self__, *, kubernetes_host: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, - token_reviewer_jwt: Optional[pulumi.Input[str]] = None): + token_reviewer_jwt: Optional[pulumi.Input[str]] = None, + use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None): """ Input properties used for looking up and filtering AuthBackendConfig resources. :param pulumi.Input[str] backend: Unique name of the kubernetes backend to configure. 
@@ -199,6 +216,7 @@ def __init__(__self__, *, *Available only for Vault Enterprise*. :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` """ if backend is not None: pulumi.set(__self__, "backend", backend) @@ -218,6 +236,8 @@ def __init__(__self__, *, pulumi.set(__self__, "pem_keys", pem_keys) if token_reviewer_jwt is not None: pulumi.set(__self__, "token_reviewer_jwt", token_reviewer_jwt) + if use_annotations_as_alias_metadata is not None: + pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata) @property @pulumi.getter 
@@ -330,6 +350,18 @@ def token_reviewer_jwt(self) -> Optional[pulumi.Input[str]]: def token_reviewer_jwt(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "token_reviewer_jwt", value) + @property + @pulumi.getter(name="useAnnotationsAsAliasMetadata") + def use_annotations_as_alias_metadata(self) -> Optional[pulumi.Input[bool]]: + """ + Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + """ + return pulumi.get(self, "use_annotations_as_alias_metadata") + + @use_annotations_as_alias_metadata.setter + def use_annotations_as_alias_metadata(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "use_annotations_as_alias_metadata", value) + class AuthBackendConfig(pulumi.CustomResource): @overload @@ -345,6 +377,7 @@ def __init__(__self__, namespace: Optional[pulumi.Input[str]] = None, pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, token_reviewer_jwt: Optional[pulumi.Input[str]] = None, + use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None, __props__=None): """ Manages an Kubernetes auth backend config in a Vault server. See the [Vault 
@@ -391,6 +424,7 @@ def __init__(__self__, *Available only for Vault Enterprise*. :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` """ ... @overload @@ -453,6 +487,7 @@ def _internal_init(__self__, namespace: Optional[pulumi.Input[str]] = None, pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, token_reviewer_jwt: Optional[pulumi.Input[str]] = None, + use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None, __props__=None): opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) if not isinstance(opts, pulumi.ResourceOptions): @@ -473,6 +508,7 @@ def _internal_init(__self__, __props__.__dict__["namespace"] = namespace __props__.__dict__["pem_keys"] = pem_keys __props__.__dict__["token_reviewer_jwt"] = None if token_reviewer_jwt is None else pulumi.Output.secret(token_reviewer_jwt) + __props__.__dict__["use_annotations_as_alias_metadata"] = use_annotations_as_alias_metadata secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["tokenReviewerJwt"]) opts = pulumi.ResourceOptions.merge(opts, secret_opts) super(AuthBackendConfig, __self__).__init__( 
@@ -493,7 +529,8 @@ def get(resource_name: str, kubernetes_host: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, - token_reviewer_jwt: Optional[pulumi.Input[str]] = None) -> 'AuthBackendConfig': + token_reviewer_jwt: Optional[pulumi.Input[str]] = None, + use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None) -> 'AuthBackendConfig': """ Get an existing AuthBackendConfig resource's state with the given name, id, and optional extra properties used to qualify the lookup. @@ -513,6 +550,7 @@ def get(resource_name: str, *Available only for Vault Enterprise*. :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -527,6 +565,7 @@ def get(resource_name: str, __props__.__dict__["namespace"] = namespace __props__.__dict__["pem_keys"] = pem_keys __props__.__dict__["token_reviewer_jwt"] = token_reviewer_jwt + __props__.__dict__["use_annotations_as_alias_metadata"] = use_annotations_as_alias_metadata return AuthBackendConfig(resource_name, opts=opts, __props__=__props__) @property 
@@ -604,3 +643,11 @@ def token_reviewer_jwt(self) -> pulumi.Output[Optional[str]]: """ return pulumi.get(self, "token_reviewer_jwt") + @property + @pulumi.getter(name="useAnnotationsAsAliasMetadata") + def use_annotations_as_alias_metadata(self) -> pulumi.Output[bool]: + """ + Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + """ + return pulumi.get(self, "use_annotations_as_alias_metadata") + diff --git a/sdk/python/pulumi_vault/kubernetes/get_auth_backend_config.py b/sdk/python/pulumi_vault/kubernetes/get_auth_backend_config.py index be6ad763c..49194eb3e 100644 --- a/sdk/python/pulumi_vault/kubernetes/get_auth_backend_config.py +++ b/sdk/python/pulumi_vault/kubernetes/get_auth_backend_config.py @@ -26,7 +26,7 @@ class GetAuthBackendConfigResult: """ A collection of values returned by getAuthBackendConfig. """ - def __init__(__self__, backend=None, disable_iss_validation=None, disable_local_ca_jwt=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, namespace=None, pem_keys=None): + def __init__(__self__, backend=None, disable_iss_validation=None, disable_local_ca_jwt=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, namespace=None, pem_keys=None, use_annotations_as_alias_metadata=None): if backend and not isinstance(backend, str): raise TypeError("Expected argument 'backend' to be a str") pulumi.set(__self__, "backend", backend) 
@@ -54,6 +54,9 @@ def __init__(__self__, backend=None, disable_iss_validation=None, disable_local_ if pem_keys and not isinstance(pem_keys, list): raise TypeError("Expected argument 'pem_keys' to be a list") pulumi.set(__self__, "pem_keys", pem_keys) + if use_annotations_as_alias_metadata and not isinstance(use_annotations_as_alias_metadata, bool): + raise TypeError("Expected argument 'use_annotations_as_alias_metadata' to be a bool") + pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata) @property @pulumi.getter @@ -63,11 +66,17 @@ def backend(self) -> Optional[str]: @property @pulumi.getter(name="disableIssValidation") def disable_iss_validation(self) -> bool: + """ + (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + """ return pulumi.get(self, "disable_iss_validation") @property @pulumi.getter(name="disableLocalCaJwt") def disable_local_ca_jwt(self) -> bool: + """ + (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + """ return pulumi.get(self, "disable_local_ca_jwt") @property @@ -115,6 +124,14 @@ def pem_keys(self) -> Sequence[str]: """ return pulumi.get(self, "pem_keys") + @property + @pulumi.getter(name="useAnnotationsAsAliasMetadata") + def use_annotations_as_alias_metadata(self) -> bool: + """ + (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` + """ + return pulumi.get(self, "use_annotations_as_alias_metadata") + class AwaitableGetAuthBackendConfigResult(GetAuthBackendConfigResult): # pylint: disable=using-constant-test 
@@ -130,7 +147,8 @@ def __await__(self): kubernetes_ca_cert=self.kubernetes_ca_cert, kubernetes_host=self.kubernetes_host, namespace=self.namespace, - pem_keys=self.pem_keys) + pem_keys=self.pem_keys, + use_annotations_as_alias_metadata=self.use_annotations_as_alias_metadata) def get_auth_backend_config(backend: Optional[str] = None, @@ -141,6 +159,7 @@ def get_auth_backend_config(backend: Optional[str] = None, kubernetes_host: Optional[str] = None, namespace: Optional[str] = None, pem_keys: Optional[Sequence[str]] = None, + use_annotations_as_alias_metadata: Optional[bool] = None, opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetAuthBackendConfigResult: """ Reads the Role of an Kubernetes from a Vault server. See the [Vault @@ -150,6 +169,8 @@ def get_auth_backend_config(backend: Optional[str] = None, :param str backend: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes". + :param bool disable_iss_validation: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + :param bool disable_local_ca_jwt: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` :param str issuer: Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. :param str kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. :param str kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. 
@@ -158,6 +179,7 @@ def get_auth_backend_config(backend: Optional[str] = None, The `namespace` is always relative to the provider's configured namespace. *Available only for Vault Enterprise*. :param Sequence[str] pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + :param bool use_annotations_as_alias_metadata: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` """ __args__ = dict() __args__['backend'] = backend @@ -168,6 +190,7 @@ def get_auth_backend_config(backend: Optional[str] = None, __args__['kubernetesHost'] = kubernetes_host __args__['namespace'] = namespace __args__['pemKeys'] = pem_keys + __args__['useAnnotationsAsAliasMetadata'] = use_annotations_as_alias_metadata opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts) __ret__ = pulumi.runtime.invoke('vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig', __args__, opts=opts, typ=GetAuthBackendConfigResult).value @@ -180,7 +203,8 @@ def get_auth_backend_config(backend: Optional[str] = None, kubernetes_ca_cert=pulumi.get(__ret__, 'kubernetes_ca_cert'), kubernetes_host=pulumi.get(__ret__, 'kubernetes_host'), namespace=pulumi.get(__ret__, 'namespace'), - pem_keys=pulumi.get(__ret__, 'pem_keys')) + pem_keys=pulumi.get(__ret__, 'pem_keys'), + use_annotations_as_alias_metadata=pulumi.get(__ret__, 'use_annotations_as_alias_metadata')) def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]] = None, disable_iss_validation: Optional[pulumi.Input[Optional[bool]]] = None, disable_local_ca_jwt: Optional[pulumi.Input[Optional[bool]]] = None, 
@@ -189,6 +213,7 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]] kubernetes_host: Optional[pulumi.Input[Optional[str]]] = None, namespace: Optional[pulumi.Input[Optional[str]]] = None, pem_keys: Optional[pulumi.Input[Optional[Sequence[str]]]] = None, + use_annotations_as_alias_metadata: Optional[pulumi.Input[Optional[bool]]] = None, opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetAuthBackendConfigResult]: """ Reads the Role of an Kubernetes from a Vault server. See the [Vault @@ -198,6 +223,8 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]] :param str backend: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes". + :param bool disable_iss_validation: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` + :param bool disable_local_ca_jwt: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+` :param str issuer: Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer. :param str kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. :param str kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. 
@@ -206,6 +233,7 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]] The `namespace` is always relative to the provider's configured namespace. *Available only for Vault Enterprise*. :param Sequence[str] pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + :param bool use_annotations_as_alias_metadata: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+` """ __args__ = dict() __args__['backend'] = backend @@ -216,6 +244,7 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]] __args__['kubernetesHost'] = kubernetes_host __args__['namespace'] = namespace __args__['pemKeys'] = pem_keys + __args__['useAnnotationsAsAliasMetadata'] = use_annotations_as_alias_metadata opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts) __ret__ = pulumi.runtime.invoke_output('vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig', __args__, opts=opts, typ=GetAuthBackendConfigResult) return __ret__.apply(lambda __response__: GetAuthBackendConfigResult( @@ -227,4 +256,5 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]] kubernetes_ca_cert=pulumi.get(__response__, 'kubernetes_ca_cert'), kubernetes_host=pulumi.get(__response__, 'kubernetes_host'), namespace=pulumi.get(__response__, 'namespace'), - pem_keys=pulumi.get(__response__, 'pem_keys'))) + pem_keys=pulumi.get(__response__, 'pem_keys'), + use_annotations_as_alias_metadata=pulumi.get(__response__, 'use_annotations_as_alias_metadata'))) diff --git a/sdk/python/pulumi_vault/kv/get_secret_v2.py b/sdk/python/pulumi_vault/kv/get_secret_v2.py index 39373d3f8..dee8b813e 100644 
--- a/sdk/python/pulumi_vault/kv/get_secret_v2.py +++ b/sdk/python/pulumi_vault/kv/get_secret_v2.py @@ -199,7 +199,6 @@ def get_secret_v2(mount: Optional[str] = None, example_secret_v2 = vault.kv.SecretV2("example", mount=kvv2.path, name="secret", - cas=1, delete_all_versions=True, data_json=json.dumps({ "zip": "zap", @@ -269,7 +268,6 @@ def get_secret_v2_output(mount: Optional[pulumi.Input[str]] = None, example_secret_v2 = vault.kv.SecretV2("example", mount=kvv2.path, name="secret", - cas=1, delete_all_versions=True, data_json=json.dumps({ "zip": "zap", diff --git a/sdk/python/pulumi_vault/ldap/auth_backend.py b/sdk/python/pulumi_vault/ldap/auth_backend.py index c747d23a1..1303105ce 100644 --- a/sdk/python/pulumi_vault/ldap/auth_backend.py +++ b/sdk/python/pulumi_vault/ldap/auth_backend.py @@ -26,6 +26,7 @@ def __init__(__self__, *, certificate: Optional[pulumi.Input[str]] = None, client_tls_cert: Optional[pulumi.Input[str]] = None, client_tls_key: Optional[pulumi.Input[str]] = None, + connection_timeout: Optional[pulumi.Input[int]] = None, deny_null_bind: Optional[pulumi.Input[bool]] = None, description: Optional[pulumi.Input[str]] = None, disable_remount: Optional[pulumi.Input[bool]] = None, 
@@ -63,6 +64,7 @@ def __init__(__self__, *, :param pulumi.Input[str] bindpass: Password to use with `binddn` when performing user search :param pulumi.Input[bool] case_sensitive_names: Control case senstivity of objects fetched from LDAP, this is used for object matching in vault :param pulumi.Input[str] certificate: Trusted CA to validate TLS certificate + :param pulumi.Input[int] connection_timeout: Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) :param pulumi.Input[bool] deny_null_bind: Prevents users from bypassing authentication when providing an empty password. :param pulumi.Input[str] description: Description for the LDAP auth backend mount :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates. @@ -112,6 +114,8 @@ def __init__(__self__, *, pulumi.set(__self__, "client_tls_cert", client_tls_cert) if client_tls_key is not None: pulumi.set(__self__, "client_tls_key", client_tls_key) + if connection_timeout is not None: + pulumi.set(__self__, "connection_timeout", connection_timeout) if deny_null_bind is not None: pulumi.set(__self__, "deny_null_bind", deny_null_bind) if description is not None: @@ -251,6 +255,18 @@ def client_tls_key(self) -> Optional[pulumi.Input[str]]: def client_tls_key(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "client_tls_key", value) + @property + @pulumi.getter(name="connectionTimeout") + def connection_timeout(self) -> Optional[pulumi.Input[int]]: + """ + Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + """ + return pulumi.get(self, "connection_timeout") + + @connection_timeout.setter + def connection_timeout(self, value: Optional[pulumi.Input[int]]): + pulumi.set(self, "connection_timeout", value) + @property @pulumi.getter(name="denyNullBind") def deny_null_bind(self) -> Optional[pulumi.Input[bool]]: 
@@ -627,6 +643,7 @@ def __init__(__self__, *, certificate: Optional[pulumi.Input[str]] = None, client_tls_cert: Optional[pulumi.Input[str]] = None, client_tls_key: Optional[pulumi.Input[str]] = None, + connection_timeout: Optional[pulumi.Input[int]] = None, deny_null_bind: Optional[pulumi.Input[bool]] = None, description: Optional[pulumi.Input[str]] = None, disable_remount: Optional[pulumi.Input[bool]] = None, @@ -665,6 +682,7 @@ def __init__(__self__, *, :param pulumi.Input[str] bindpass: Password to use with `binddn` when performing user search :param pulumi.Input[bool] case_sensitive_names: Control case senstivity of objects fetched from LDAP, this is used for object matching in vault :param pulumi.Input[str] certificate: Trusted CA to validate TLS certificate + :param pulumi.Input[int] connection_timeout: Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) :param pulumi.Input[bool] deny_null_bind: Prevents users from bypassing authentication when providing an empty password. :param pulumi.Input[str] description: Description for the LDAP auth backend mount :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates. @@ -716,6 +734,8 @@ def __init__(__self__, *, pulumi.set(__self__, "client_tls_cert", client_tls_cert) if client_tls_key is not None: pulumi.set(__self__, "client_tls_key", client_tls_key) + if connection_timeout is not None: + pulumi.set(__self__, "connection_timeout", connection_timeout) if deny_null_bind is not None: pulumi.set(__self__, "deny_null_bind", deny_null_bind) if description is not None: 
@@ -857,6 +877,18 @@ def client_tls_key(self) -> Optional[pulumi.Input[str]]: def client_tls_key(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "client_tls_key", value) + @property + @pulumi.getter(name="connectionTimeout") + def connection_timeout(self) -> Optional[pulumi.Input[int]]: + """ + Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) + """ + return pulumi.get(self, "connection_timeout") + + @connection_timeout.setter + def connection_timeout(self, value: Optional[pulumi.Input[int]]): + pulumi.set(self, "connection_timeout", value) + @property @pulumi.getter(name="denyNullBind") def deny_null_bind(self) -> Optional[pulumi.Input[bool]]: @@ -1246,6 +1278,7 @@ def __init__(__self__, certificate: Optional[pulumi.Input[str]] = None, client_tls_cert: Optional[pulumi.Input[str]] = None, client_tls_key: Optional[pulumi.Input[str]] = None, + connection_timeout: Optional[pulumi.Input[int]] = None, deny_null_bind: Optional[pulumi.Input[bool]] = None, description: Optional[pulumi.Input[str]] = None, disable_remount: Optional[pulumi.Input[bool]] = None, 
@@ -1312,6 +1345,7 @@ def __init__(__self__, :param pulumi.Input[str] bindpass: Password to use with `binddn` when performing user search :param pulumi.Input[bool] case_sensitive_names: Control case senstivity of objects fetched from LDAP, this is used for object matching in vault :param pulumi.Input[str] certificate: Trusted CA to validate TLS certificate + :param pulumi.Input[int] connection_timeout: Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) :param pulumi.Input[bool] deny_null_bind: Prevents users from bypassing authentication when providing an empty password. :param pulumi.Input[str] description: Description for the LDAP auth backend mount :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates. @@ -1404,6 +1438,7 @@ def _internal_init(__self__, certificate: Optional[pulumi.Input[str]] = None, client_tls_cert: Optional[pulumi.Input[str]] = None, client_tls_key: Optional[pulumi.Input[str]] = None, + connection_timeout: Optional[pulumi.Input[int]] = None, deny_null_bind: Optional[pulumi.Input[bool]] = None, description: Optional[pulumi.Input[str]] = None, disable_remount: Optional[pulumi.Input[bool]] = None, @@ -1450,6 +1485,7 @@ def _internal_init(__self__, __props__.__dict__["certificate"] = certificate __props__.__dict__["client_tls_cert"] = client_tls_cert __props__.__dict__["client_tls_key"] = None if client_tls_key is None else pulumi.Output.secret(client_tls_key) + __props__.__dict__["connection_timeout"] = connection_timeout __props__.__dict__["deny_null_bind"] = deny_null_bind __props__.__dict__["description"] = description __props__.__dict__["disable_remount"] = disable_remount 
@@ -1503,6 +1539,7 @@ def get(resource_name: str, certificate: Optional[pulumi.Input[str]] = None, client_tls_cert: Optional[pulumi.Input[str]] = None, client_tls_key: Optional[pulumi.Input[str]] = None, + connection_timeout: Optional[pulumi.Input[int]] = None, deny_null_bind: Optional[pulumi.Input[bool]] = None, description: Optional[pulumi.Input[str]] = None, disable_remount: Optional[pulumi.Input[bool]] = None, @@ -1546,6 +1583,7 @@ def get(resource_name: str, :param pulumi.Input[str] bindpass: Password to use with `binddn` when performing user search :param pulumi.Input[bool] case_sensitive_names: Control case senstivity of objects fetched from LDAP, this is used for object matching in vault :param pulumi.Input[str] certificate: Trusted CA to validate TLS certificate + :param pulumi.Input[int] connection_timeout: Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30) :param pulumi.Input[bool] deny_null_bind: Prevents users from bypassing authentication when providing an empty password. :param pulumi.Input[str] description: Description for the LDAP auth backend mount :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates. @@ -1594,6 +1632,7 @@ def get(resource_name: str, __props__.__dict__["certificate"] = certificate __props__.__dict__["client_tls_cert"] = client_tls_cert __props__.__dict__["client_tls_key"] = client_tls_key + __props__.__dict__["connection_timeout"] = connection_timeout __props__.__dict__["deny_null_bind"] = deny_null_bind __props__.__dict__["description"] = description __props__.__dict__["disable_remount"] = disable_remount 
@@ -1677,6 +1716,14 @@ def client_tls_cert(self) -> pulumi.Output[str]:
 def client_tls_key(self) -> pulumi.Output[str]:
 return pulumi.get(self, "client_tls_key")
 
+ @property
+ @pulumi.getter(name="connectionTimeout")
+ def connection_timeout(self) -> pulumi.Output[int]:
+ """
+ Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30)
+ """
+ return pulumi.get(self, "connection_timeout")
+
 @property
 @pulumi.getter(name="denyNullBind")
 def deny_null_bind(self) -> pulumi.Output[bool]:
diff --git a/sdk/python/pulumi_vault/ssh/secret_backend_role.py b/sdk/python/pulumi_vault/ssh/secret_backend_role.py
index 2c59416d5..488ba1753 100644
--- a/sdk/python/pulumi_vault/ssh/secret_backend_role.py
+++ b/sdk/python/pulumi_vault/ssh/secret_backend_role.py
@@ -25,6 +25,7 @@ def __init__(__self__, *,
 key_type: pulumi.Input[str],
 algorithm_signer: Optional[pulumi.Input[str]] = None,
 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+ allow_empty_principals: Optional[pulumi.Input[bool]] = None,
 allow_host_certificates: Optional[pulumi.Input[bool]] = None,
 allow_subdomains: Optional[pulumi.Input[bool]] = None,
 allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -88,6 +89,8 @@ def __init__(__self__, *,
 pulumi.set(__self__, "algorithm_signer", algorithm_signer)
 if allow_bare_domains is not None:
 pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+ if allow_empty_principals is not None:
+ pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
 if allow_host_certificates is not None:
 pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
 if allow_subdomains is not None:
@@ -181,6 +184,15 @@ def allow_bare_domains(self) -> Optional[pulumi.Input[bool]]:
 def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
 pulumi.set(self, "allow_bare_domains", value)
 
+ @property
+ @pulumi.getter(name="allowEmptyPrincipals")
+ def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+ return pulumi.get(self, "allow_empty_principals")
+
+ @allow_empty_principals.setter
+ def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+ pulumi.set(self, "allow_empty_principals", value)
+
 @property
 @pulumi.getter(name="allowHostCertificates")
 def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -457,6 +469,7 @@ class _SecretBackendRoleState:
 def __init__(__self__, *,
 algorithm_signer: Optional[pulumi.Input[str]] = None,
 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+ allow_empty_principals: Optional[pulumi.Input[bool]] = None,
 allow_host_certificates: Optional[pulumi.Input[bool]] = None,
 allow_subdomains: Optional[pulumi.Input[bool]] = None,
 allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -520,6 +533,8 @@ def __init__(__self__, *,
 pulumi.set(__self__, "algorithm_signer", algorithm_signer)
 if allow_bare_domains is not None:
 pulumi.set(__self__, "allow_bare_domains", allow_bare_domains)
+ if allow_empty_principals is not None:
+ pulumi.set(__self__, "allow_empty_principals", allow_empty_principals)
 if allow_host_certificates is not None:
 pulumi.set(__self__, "allow_host_certificates", allow_host_certificates)
 if allow_subdomains is not None:
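Review bot: The new `allow_empty_principals` getter in the `@@ -181` hunk carries no docstring, while the `connection_timeout` getter added in the same commit does and the neighbouring `allow_bare_domains` output getter (context in the `@@ -1231` hunk) documents its contract; the same gap is in the `_SecretBackendRoleState` getter (`@@ -593`) and the `SecretBackendRole` output getter (`@@ -1231`), and no hunk in this file touches the `:param` docstrings, so the flag is undocumented everywhere in the SDK. Its name suggests it relaxes the principal check applied when this role signs SSH certificates, which is exactly the kind of knob a user should not enable by accident. I would add, on each getter, `"""Allow signing certificates with no valid principals (any user or host). Exists for backwards compatibility only; leave unset unless required."""` and the matching `:param pulumi.Input[bool] allow_empty_principals:` line in the `__init__` docstrings. The enclosing class `SecretBackendRoleArgs` starts outside this hunk.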
@@ -593,6 +608,15 @@ def allow_bare_domains(self) -> Optional[pulumi.Input[bool]]:
 def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]):
 pulumi.set(self, "allow_bare_domains", value)
 
+ @property
+ @pulumi.getter(name="allowEmptyPrincipals")
+ def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]:
+ return pulumi.get(self, "allow_empty_principals")
+
+ @allow_empty_principals.setter
+ def allow_empty_principals(self, value: Optional[pulumi.Input[bool]]):
+ pulumi.set(self, "allow_empty_principals", value)
+
 @property
 @pulumi.getter(name="allowHostCertificates")
 def allow_host_certificates(self) -> Optional[pulumi.Input[bool]]:
@@ -895,6 +919,7 @@ def __init__(__self__,
 opts: Optional[pulumi.ResourceOptions] = None,
 algorithm_signer: Optional[pulumi.Input[str]] = None,
 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+ allow_empty_principals: Optional[pulumi.Input[bool]] = None,
 allow_host_certificates: Optional[pulumi.Input[bool]] = None,
 allow_subdomains: Optional[pulumi.Input[bool]] = None,
 allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1044,6 +1069,7 @@ def _internal_init(__self__,
 opts: Optional[pulumi.ResourceOptions] = None,
 algorithm_signer: Optional[pulumi.Input[str]] = None,
 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+ allow_empty_principals: Optional[pulumi.Input[bool]] = None,
 allow_host_certificates: Optional[pulumi.Input[bool]] = None,
 allow_subdomains: Optional[pulumi.Input[bool]] = None,
 allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1079,6 +1105,7 @@ def _internal_init(__self__,
 
 __props__.__dict__["algorithm_signer"] = algorithm_signer
 __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+ __props__.__dict__["allow_empty_principals"] = allow_empty_principals
 __props__.__dict__["allow_host_certificates"] = allow_host_certificates
 __props__.__dict__["allow_subdomains"] = allow_subdomains
 __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1119,6 +1146,7 @@ def get(resource_name: str,
 opts: Optional[pulumi.ResourceOptions] = None,
 algorithm_signer: Optional[pulumi.Input[str]] = None,
 allow_bare_domains: Optional[pulumi.Input[bool]] = None,
+ allow_empty_principals: Optional[pulumi.Input[bool]] = None,
 allow_host_certificates: Optional[pulumi.Input[bool]] = None,
 allow_subdomains: Optional[pulumi.Input[bool]] = None,
 allow_user_certificates: Optional[pulumi.Input[bool]] = None,
@@ -1189,6 +1217,7 @@ def get(resource_name: str,
 
 __props__.__dict__["algorithm_signer"] = algorithm_signer
 __props__.__dict__["allow_bare_domains"] = allow_bare_domains
+ __props__.__dict__["allow_empty_principals"] = allow_empty_principals
 __props__.__dict__["allow_host_certificates"] = allow_host_certificates
 __props__.__dict__["allow_subdomains"] = allow_subdomains
 __props__.__dict__["allow_user_certificates"] = allow_user_certificates
@@ -1231,6 +1260,11 @@ def allow_bare_domains(self) -> pulumi.Output[Optional[bool]]:
 """
 return pulumi.get(self, "allow_bare_domains")
 
+ @property
+ @pulumi.getter(name="allowEmptyPrincipals")
+ def allow_empty_principals(self) -> pulumi.Output[Optional[bool]]:
+ return pulumi.get(self, "allow_empty_principals")
+
 @property
 @pulumi.getter(name="allowHostCertificates")
 def allow_host_certificates(self) -> pulumi.Output[Optional[bool]]:
diff --git a/upstream b/upstream
index 32c490c02..c96967c1b 160000
--- a/upstream
+++ b/upstream
@@ -1 +1 @@
-Subproject commit 32c490c0268310e70e180ce2cd749d9428eb34bd
+Subproject commit c96967c1b8009fc6e99a057760a6adc2d691b8fd