diff --git a/provider/cmd/pulumi-resource-vault/bridge-metadata.json b/provider/cmd/pulumi-resource-vault/bridge-metadata.json index c3b6877b..1b4552a5 100644 --- a/provider/cmd/pulumi-resource-vault/bridge-metadata.json +++ b/provider/cmd/pulumi-resource-vault/bridge-metadata.json @@ -187,7 +187,15 @@ }, "vault_aws_secret_backend": { "current": "vault:aws/secretBackend:SecretBackend", - "majorVersion": 6 + "majorVersion": 6, + "fields": { + "sts_fallback_endpoints": { + "maxItemsOne": false + }, + "sts_fallback_regions": { + "maxItemsOne": false + } + } }, "vault_aws_secret_backend_role": { "current": "vault:aws/secretBackendRole:SecretBackendRole", @@ -1431,6 +1439,10 @@ "current": "vault:index/passwordPolicy:PasswordPolicy", "majorVersion": 6 }, + "vault_pki_secret_backend_acme_eab": { + "current": "vault:pkiSecret/backendAcmeEab:BackendAcmeEab", + "majorVersion": 6 + }, "vault_pki_secret_backend_cert": { "current": "vault:pkiSecret/secretBackendCert:SecretBackendCert", "majorVersion": 6, @@ -1452,6 +1464,18 @@ } } }, + "vault_pki_secret_backend_config_acme": { + "current": "vault:pkiSecret/backendConfigAcme:BackendConfigAcme", + "majorVersion": 6, + "fields": { + "allowed_issuers": { + "maxItemsOne": false + }, + "allowed_roles": { + "maxItemsOne": false + } + } + }, "vault_pki_secret_backend_config_ca": { "current": "vault:pkiSecret/secretBackendConfigCa:SecretBackendConfigCa", "majorVersion": 6 @@ -1460,6 +1484,18 @@ "current": "vault:pkiSecret/backendConfigCluster:BackendConfigCluster", "majorVersion": 6 }, + "vault_pki_secret_backend_config_cmpv2": { + "current": "vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2", + "majorVersion": 6, + "fields": { + "audit_fields": { + "maxItemsOne": false + }, + "authenticators": { + "maxItemsOne": true + } + } + }, "vault_pki_secret_backend_config_est": { "current": "vault:pkiSecret/backendConfigEst:BackendConfigEst", "majorVersion": 6, 
@@ -1566,6 +1602,9 @@ "allowed_user_ids": { "maxItemsOne": false }, + "cn_validations": { + "maxItemsOne": false + }, "country": { "maxItemsOne": false }, @@ -2161,6 +2200,18 @@ "current": "vault:index/getNomadAccessToken:getNomadAccessToken", "majorVersion": 6 }, + "vault_pki_secret_backend_config_cmpv2": { + "current": "vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", + "majorVersion": 6, + "fields": { + "audit_fields": { + "maxItemsOne": false + }, + "authenticators": { + "maxItemsOne": false + } + } + }, "vault_pki_secret_backend_config_est": { "current": "vault:pkiSecret/getBackendConfigEst:getBackendConfigEst", "majorVersion": 6, diff --git a/provider/cmd/pulumi-resource-vault/schema.json b/provider/cmd/pulumi-resource-vault/schema.json index 1095e144..9345b2ca 100644 --- a/provider/cmd/pulumi-resource-vault/schema.json +++ b/provider/cmd/pulumi-resource-vault/schema.json @@ -1462,6 +1462,10 @@ "description": "The root credential password used in the connection URL\n", "secret": true }, + "passwordAuthentication": { + "type": "string", + "description": "When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL.\n" + }, "privateKey": { "type": "string", "description": "The secret key used for the x509 client certificate. Must be PEM encoded.\n", @@ -2846,6 +2850,10 @@ "description": "The root credential password used in the connection URL\n", "secret": true }, + "passwordAuthentication": { + "type": "string", + "description": "When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL.\n" + }, "pluginName": { "type": "string", "description": "Specifies the name of the plugin to use.\n" 
@@ -4528,6 +4536,18 @@ "username" ] }, + "vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators": { + "properties": { + "cert": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "\"The accessor (required) and cert_role (optional) properties for cert auth backends\".\n" + } + }, + "type": "object" + }, "vault:pkiSecret/BackendConfigEstAuthenticators:BackendConfigEstAuthenticators": { "properties": { "cert": { @@ -4567,6 +4587,18 @@ "oid" ] }, + "vault:pkiSecret/getBackendConfigCmpv2Authenticator:getBackendConfigCmpv2Authenticator": { + "properties": { + "cert": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "The accessor and cert_role properties for cert auth backends\n" + } + }, + "type": "object" + }, "vault:pkiSecret/getBackendConfigEstAuthenticator:getBackendConfigEstAuthenticator": { "properties": { "cert": { @@ -7907,6 +7939,10 @@ "type": "string", "description": "The path the AWS auth backend being configured was\nmounted at. Defaults to `aws`.\n" }, + "externalId": { + "type": "string", + "description": "External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+.\n" + }, "namespace": { "type": "string", "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n" 
@@ -7930,6 +7966,10 @@ "description": "The path the AWS auth backend being configured was\nmounted at. Defaults to `aws`.\n", "willReplaceOnChanges": true }, + "externalId": { + "type": "string", + "description": "External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+.\n" + }, "namespace": { "type": "string", "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", @@ -7956,6 +7996,10 @@ "description": "The path the AWS auth backend being configured was\nmounted at. Defaults to `aws`.\n", "willReplaceOnChanges": true }, + "externalId": { + "type": "string", + "description": "External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+.\n" + }, "namespace": { "type": "string", "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", 
@@ -8038,6 +8082,24 @@ "type": "string", "description": "Specifies a custom HTTP STS endpoint to use.\n" }, + "stsFallbackEndpoints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+\n" + }, + "stsFallbackRegions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+\n" + }, + "stsRegion": { + "type": "string", + "description": "Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+\n" + }, "usernameTemplate": { "type": "string", "description": "Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:\n" 
@@ -8119,6 +8181,24 @@ "type": "string", "description": "Specifies a custom HTTP STS endpoint to use.\n" }, + "stsFallbackEndpoints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+\n" + }, + "stsFallbackRegions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+\n" + }, + "stsRegion": { + "type": "string", + "description": "Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+\n" + }, "usernameTemplate": { "type": "string", "description": "Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:\n" 
@@ -8195,6 +8275,24 @@ "type": "string", "description": "Specifies a custom HTTP STS endpoint to use.\n" }, + "stsFallbackEndpoints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+\n" + }, + "stsFallbackRegions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+\n" + }, + "stsRegion": { + "type": "string", + "description": "Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+\n" + }, "usernameTemplate": { "type": "string", "description": "Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:\n" 
@@ -24510,6 +24608,283 @@ "type": "object" } }, + "vault:pkiSecret/backendAcmeEab:BackendAcmeEab": { + "description": "Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.Mount(\"test\", {\n path: \"pki\",\n type: \"pki\",\n description: \"PKI secret engine mount\",\n});\nconst testBackendAcmeEab = new vault.pkisecret.BackendAcmeEab(\"test\", {backend: test.path});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.Mount(\"test\",\n path=\"pki\",\n type=\"pki\",\n description=\"PKI secret engine mount\")\ntest_backend_acme_eab = vault.pki_secret.BackendAcmeEab(\"test\", backend=test.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var test = new Vault.Mount(\"test\", new()\n {\n Path = \"pki\",\n Type = \"pki\",\n Description = \"PKI secret engine mount\",\n });\n\n var testBackendAcmeEab = new Vault.PkiSecret.BackendAcmeEab(\"test\", new()\n {\n Backend = test.Path,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttest, err := vault.NewMount(ctx, \"test\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"pki\"),\n\t\t\tType: pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendAcmeEab(ctx, \"test\", \u0026pkisecret.BackendAcmeEabArgs{\n\t\t\tBackend: test.Path,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn 
nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendAcmeEab;\nimport com.pulumi.vault.pkiSecret.BackendAcmeEabArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var test = new Mount(\"test\", MountArgs.builder()\n .path(\"pki\")\n .type(\"pki\")\n .description(\"PKI secret engine mount\")\n .build());\n\n var testBackendAcmeEab = new BackendAcmeEab(\"testBackendAcmeEab\", BackendAcmeEabArgs.builder()\n .backend(test.path())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n test:\n type: vault:Mount\n properties:\n path: pki\n type: pki\n description: PKI secret engine mount\n testBackendAcmeEab:\n type: vault:pkiSecret:BackendAcmeEab\n name: test\n properties:\n backend: ${test.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAs EAB tokens are only available on initial creation there is no possibility to \n\nimport or update this resource.\n\n", + "properties": { + "acmeDirectory": { + "type": "string", + "description": "The ACME directory to which the key belongs\n" + }, + "backend": { + "type": "string", + "description": "The path to the PKI secret backend to\ncreate the EAB token within, with no leading or trailing `/`s.\n" + }, + "createdOn": { + "type": "string", + "description": "An RFC3339 formatted date time when the EAB token was created\n" + }, + "eabId": { + "type": "string", + "description": "The identifier of a specific ACME EAB token\n" + }, + "issuer": { + "type": "string", + "description": "Create an EAB token that is specific to an issuer's ACME directory.\n" + }, + "key": { + "type": 
"string", + "description": "The EAB token\n", + "secret": true + }, + "keyType": { + "type": "string", + "description": "The key type of the EAB key\n" + }, + "namespace": { + "type": "string", + "description": "The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n" + }, + "role": { + "type": "string", + "description": "Create an EAB token that is specific to a role's ACME directory.\n\n**NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with;\n\n1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters.\n2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter\n3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter\n4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters\n" + } + }, + "required": [ + "acmeDirectory", + "backend", + "createdOn", + "eabId", + "key", + "keyType" + ], + "inputProperties": { + "backend": { + "type": "string", + "description": "The path to the PKI secret backend to\ncreate the EAB token within, with no leading or trailing `/`s.\n", + "willReplaceOnChanges": true + }, + "issuer": { + "type": "string", + "description": "Create an EAB token that is specific to an issuer's ACME directory.\n", + "willReplaceOnChanges": true + }, + "namespace": { + "type": "string", + "description": "The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", + "willReplaceOnChanges": true + }, + "role": { + "type": "string", + "description": "Create an EAB token that is specific to a role's ACME directory.\n\n**NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with;\n\n1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters.\n2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter\n3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter\n4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters\n", + "willReplaceOnChanges": true + } + }, + "requiredInputs": [ + "backend" + ], + "stateInputs": { + "description": "Input properties used for looking up and filtering BackendAcmeEab resources.\n", + "properties": { + "acmeDirectory": { + "type": "string", + "description": "The ACME directory to which the key belongs\n" + }, + "backend": { + "type": "string", + "description": "The path to the PKI secret backend to\ncreate the EAB token within, with no leading or trailing `/`s.\n", + "willReplaceOnChanges": true + }, + "createdOn": { + "type": "string", + "description": "An RFC3339 formatted date time when the EAB token was created\n" + }, + "eabId": { + "type": "string", + "description": "The identifier of a specific ACME EAB token\n" + }, + "issuer": { + "type": "string", + "description": "Create an EAB token that is specific to an issuer's ACME directory.\n", + "willReplaceOnChanges": true + }, + "key": { + "type": "string", + "description": "The EAB token\n", + "secret": true + }, + "keyType": { + "type": "string", + "description": "The key type of the EAB key\n" + }, + "namespace": { + "type": "string", + "description": "The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", + "willReplaceOnChanges": true + }, + "role": { + "type": "string", + "description": "Create an EAB token that is specific to a role's ACME directory.\n\n**NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with;\n\n1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters.\n2. 
Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter\n3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter\n4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters\n", + "willReplaceOnChanges": true + } + }, + "type": "object" + } + }, + "vault:pkiSecret/backendConfigAcme:BackendConfigAcme": { + "description": "Allows setting the ACME server configuration used by specified mount.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n path: \"pki\",\n type: \"pki\",\n defaultLeaseTtlSeconds: 3600,\n maxLeaseTtlSeconds: 86400,\n});\nconst pkiConfigCluster = new vault.pkisecret.BackendConfigCluster(\"pki_config_cluster\", {\n backend: pki.path,\n path: \"http://127.0.0.1:8200/v1/pki\",\n aiaPath: \"http://127.0.0.1:8200/v1/pki\",\n});\nconst example = new vault.pkisecret.BackendConfigAcme(\"example\", {\n backend: pki.path,\n enabled: true,\n allowedIssuers: [\"*\"],\n allowedRoles: [\"*\"],\n allowRoleExtKeyUsage: false,\n defaultDirectoryPolicy: \"sign-verbatim\",\n dnsResolver: \"\",\n eabPolicy: \"not-required\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n path=\"pki\",\n type=\"pki\",\n default_lease_ttl_seconds=3600,\n max_lease_ttl_seconds=86400)\npki_config_cluster = vault.pki_secret.BackendConfigCluster(\"pki_config_cluster\",\n backend=pki.path,\n path=\"http://127.0.0.1:8200/v1/pki\",\n aia_path=\"http://127.0.0.1:8200/v1/pki\")\nexample = vault.pki_secret.BackendConfigAcme(\"example\",\n backend=pki.path,\n enabled=True,\n allowed_issuers=[\"*\"],\n allowed_roles=[\"*\"],\n allow_role_ext_key_usage=False,\n default_directory_policy=\"sign-verbatim\",\n dns_resolver=\"\",\n 
eab_policy=\"not-required\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var pki = new Vault.Mount(\"pki\", new()\n {\n Path = \"pki\",\n Type = \"pki\",\n DefaultLeaseTtlSeconds = 3600,\n MaxLeaseTtlSeconds = 86400,\n });\n\n var pkiConfigCluster = new Vault.PkiSecret.BackendConfigCluster(\"pki_config_cluster\", new()\n {\n Backend = pki.Path,\n Path = \"http://127.0.0.1:8200/v1/pki\",\n AiaPath = \"http://127.0.0.1:8200/v1/pki\",\n });\n\n var example = new Vault.PkiSecret.BackendConfigAcme(\"example\", new()\n {\n Backend = pki.Path,\n Enabled = true,\n AllowedIssuers = new[]\n {\n \"*\",\n },\n AllowedRoles = new[]\n {\n \"*\",\n },\n AllowRoleExtKeyUsage = false,\n DefaultDirectoryPolicy = \"sign-verbatim\",\n DnsResolver = \"\",\n EabPolicy = \"not-required\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"pki\"),\n\t\t\tType: pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds: pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigCluster(ctx, \"pki_config_cluster\", \u0026pkisecret.BackendConfigClusterArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tPath: pulumi.String(\"http://127.0.0.1:8200/v1/pki\"),\n\t\t\tAiaPath: pulumi.String(\"http://127.0.0.1:8200/v1/pki\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigAcme(ctx, \"example\", \u0026pkisecret.BackendConfigAcmeArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAllowedIssuers: 
pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tAllowRoleExtKeyUsage: pulumi.Bool(false),\n\t\t\tDefaultDirectoryPolicy: pulumi.String(\"sign-verbatim\"),\n\t\t\tDnsResolver: pulumi.String(\"\"),\n\t\t\tEabPolicy: pulumi.String(\"not-required\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigCluster;\nimport com.pulumi.vault.pkiSecret.BackendConfigClusterArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigAcme;\nimport com.pulumi.vault.pkiSecret.BackendConfigAcmeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var pki = new Mount(\"pki\", MountArgs.builder()\n .path(\"pki\")\n .type(\"pki\")\n .defaultLeaseTtlSeconds(3600)\n .maxLeaseTtlSeconds(86400)\n .build());\n\n var pkiConfigCluster = new BackendConfigCluster(\"pkiConfigCluster\", BackendConfigClusterArgs.builder()\n .backend(pki.path())\n .path(\"http://127.0.0.1:8200/v1/pki\")\n .aiaPath(\"http://127.0.0.1:8200/v1/pki\")\n .build());\n\n var example = new BackendConfigAcme(\"example\", BackendConfigAcmeArgs.builder()\n .backend(pki.path())\n .enabled(true)\n .allowedIssuers(\"*\")\n .allowedRoles(\"*\")\n .allowRoleExtKeyUsage(false)\n .defaultDirectoryPolicy(\"sign-verbatim\")\n .dnsResolver(\"\")\n .eabPolicy(\"not-required\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n pki:\n type: vault:Mount\n properties:\n path: pki\n type: pki\n defaultLeaseTtlSeconds: 3600\n 
maxLeaseTtlSeconds: 86400\n pkiConfigCluster:\n type: vault:pkiSecret:BackendConfigCluster\n name: pki_config_cluster\n properties:\n backend: ${pki.path}\n path: http://127.0.0.1:8200/v1/pki\n aiaPath: http://127.0.0.1:8200/v1/pki\n example:\n type: vault:pkiSecret:BackendConfigAcme\n properties:\n backend: ${pki.path}\n enabled: true\n allowedIssuers:\n - '*'\n allowedRoles:\n - '*'\n allowRoleExtKeyUsage: false\n defaultDirectoryPolicy: sign-verbatim\n dnsResolver: \"\"\n eabPolicy: not-required\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe ACME configuration can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki/config/acme`,\nwhere the `pki` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme\n```\n", + "properties": { + "allowRoleExtKeyUsage": { + "type": "boolean", + "description": "Specifies whether the ExtKeyUsage field from a role is used. 
**Vault 1.14.1+**\n" + }, + "allowedIssuers": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specifies which issuers are allowed for use with ACME.\n" + }, + "allowedRoles": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specifies which roles are allowed for use with ACME.\n" + }, + "backend": { + "type": "string", + "description": "The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n" + }, + "defaultDirectoryPolicy": { + "type": "string", + "description": "Specifies the policy to be used for non-role-qualified ACME requests.\nAllowed values are `forbid`, `sign-verbatim`, `role:\u003crole_name\u003e`, `external-policy` or `external-policy:\u003cpolicy\u003e`.\n" + }, + "dnsResolver": { + "type": "string", + "description": "DNS resolver to use for domain resolution on this mount.\nMust be in the format `\u003chost\u003e:\u003cport\u003e`, with both parts mandatory.\n" + }, + "eabPolicy": { + "type": "string", + "description": "Specifies the policy to use for external account binding behaviour.\nAllowed values are `not-required`, `new-account-required` or `always-required`.\n" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether ACME is enabled.\n" + }, + "namespace": { + "type": "string", + "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n" + } + }, + "required": [ + "allowedIssuers", + "allowedRoles", + "backend", + "defaultDirectoryPolicy", + "eabPolicy", + "enabled" + ], + "inputProperties": { + "allowRoleExtKeyUsage": { + "type": "boolean", + "description": "Specifies whether the ExtKeyUsage field from a role is used. 
**Vault 1.14.1+**\n" + }, + "allowedIssuers": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specifies which issuers are allowed for use with ACME.\n" + }, + "allowedRoles": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specifies which roles are allowed for use with ACME.\n" + }, + "backend": { + "type": "string", + "description": "The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n", + "willReplaceOnChanges": true + }, + "defaultDirectoryPolicy": { + "type": "string", + "description": "Specifies the policy to be used for non-role-qualified ACME requests.\nAllowed values are `forbid`, `sign-verbatim`, `role:\u003crole_name\u003e`, `external-policy` or `external-policy:\u003cpolicy\u003e`.\n" + }, + "dnsResolver": { + "type": "string", + "description": "DNS resolver to use for domain resolution on this mount.\nMust be in the format `\u003chost\u003e:\u003cport\u003e`, with both parts mandatory.\n" + }, + "eabPolicy": { + "type": "string", + "description": "Specifies the policy to use for external account binding behaviour.\nAllowed values are `not-required`, `new-account-required` or `always-required`.\n" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether ACME is enabled.\n" + }, + "namespace": { + "type": "string", + "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n", + "willReplaceOnChanges": true + } + }, + "requiredInputs": [ + "backend", + "enabled" + ], + "stateInputs": { + "description": "Input properties used for looking up and filtering BackendConfigAcme resources.\n", + "properties": { + "allowRoleExtKeyUsage": { + "type": "boolean", + "description": "Specifies whether the ExtKeyUsage field 
from a role is used. **Vault 1.14.1+**\n" + }, + "allowedIssuers": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specifies which issuers are allowed for use with ACME.\n" + }, + "allowedRoles": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specifies which roles are allowed for use with ACME.\n" + }, + "backend": { + "type": "string", + "description": "The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n", + "willReplaceOnChanges": true + }, + "defaultDirectoryPolicy": { + "type": "string", + "description": "Specifies the policy to be used for non-role-qualified ACME requests.\nAllowed values are `forbid`, `sign-verbatim`, `role:\u003crole_name\u003e`, `external-policy` or `external-policy:\u003cpolicy\u003e`.\n" + }, + "dnsResolver": { + "type": "string", + "description": "DNS resolver to use for domain resolution on this mount.\nMust be in the format `\u003chost\u003e:\u003cport\u003e`, with both parts mandatory.\n" + }, + "eabPolicy": { + "type": "string", + "description": "Specifies the policy to use for external account binding behaviour.\nAllowed values are `not-required`, `new-account-required` or `always-required`.\n" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether ACME is enabled.\n" + }, + "namespace": { + "type": "string", + "description": "The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n", + "willReplaceOnChanges": true + } + }, + "type": "object" + } + }, "vault:pkiSecret/backendConfigCluster:BackendConfigCluster": { "description": "Allows setting the cluster-local's API mount path and AIA distribution point on a particular performance replication cluster.\n\n## Example Usage\n\n\u003c!--Start 
PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst root = new vault.Mount(\"root\", {\n path: \"pki-root\",\n type: \"pki\",\n description: \"root PKI\",\n defaultLeaseTtlSeconds: 8640000,\n maxLeaseTtlSeconds: 8640000,\n});\nconst example = new vault.pkisecret.BackendConfigCluster(\"example\", {\n backend: root.path,\n path: \"http://127.0.0.1:8200/v1/pki-root\",\n aiaPath: \"http://127.0.0.1:8200/v1/pki-root\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nroot = vault.Mount(\"root\",\n path=\"pki-root\",\n type=\"pki\",\n description=\"root PKI\",\n default_lease_ttl_seconds=8640000,\n max_lease_ttl_seconds=8640000)\nexample = vault.pki_secret.BackendConfigCluster(\"example\",\n backend=root.path,\n path=\"http://127.0.0.1:8200/v1/pki-root\",\n aia_path=\"http://127.0.0.1:8200/v1/pki-root\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var root = new Vault.Mount(\"root\", new()\n {\n Path = \"pki-root\",\n Type = \"pki\",\n Description = \"root PKI\",\n DefaultLeaseTtlSeconds = 8640000,\n MaxLeaseTtlSeconds = 8640000,\n });\n\n var example = new Vault.PkiSecret.BackendConfigCluster(\"example\", new()\n {\n Backend = root.Path,\n Path = \"http://127.0.0.1:8200/v1/pki-root\",\n AiaPath = \"http://127.0.0.1:8200/v1/pki-root\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\troot, err := vault.NewMount(ctx, \"root\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"pki-root\"),\n\t\t\tType: pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"root PKI\"),\n\t\t\tDefaultLeaseTtlSeconds: 
pulumi.Int(8640000),\n\t\t\tMaxLeaseTtlSeconds: pulumi.Int(8640000),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigCluster(ctx, \"example\", \u0026pkisecret.BackendConfigClusterArgs{\n\t\t\tBackend: root.Path,\n\t\t\tPath: pulumi.String(\"http://127.0.0.1:8200/v1/pki-root\"),\n\t\t\tAiaPath: pulumi.String(\"http://127.0.0.1:8200/v1/pki-root\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigCluster;\nimport com.pulumi.vault.pkiSecret.BackendConfigClusterArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var root = new Mount(\"root\", MountArgs.builder()\n .path(\"pki-root\")\n .type(\"pki\")\n .description(\"root PKI\")\n .defaultLeaseTtlSeconds(8640000)\n .maxLeaseTtlSeconds(8640000)\n .build());\n\n var example = new BackendConfigCluster(\"example\", BackendConfigClusterArgs.builder()\n .backend(root.path())\n .path(\"http://127.0.0.1:8200/v1/pki-root\")\n .aiaPath(\"http://127.0.0.1:8200/v1/pki-root\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n root:\n type: vault:Mount\n properties:\n path: pki-root\n type: pki\n description: root PKI\n defaultLeaseTtlSeconds: 8.64e+06\n maxLeaseTtlSeconds: 8.64e+06\n example:\n type: vault:pkiSecret:BackendConfigCluster\n properties:\n backend: ${root.path}\n path: http://127.0.0.1:8200/v1/pki-root\n aiaPath: http://127.0.0.1:8200/v1/pki-root\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe PKI config cluster can be imported using the 
resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/cluster`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigCluster:BackendConfigCluster example pki-root/config/cluster\n```\n", "properties": { 
@@ -24581,6 +24956,133 @@ "type": "object" } }, + "vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2": { + "description": "Allows setting the CMPv2 configuration on a PKI Secret Backend\n\n## Import\n\nThe PKI config cluster can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/cmpv2`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2\n```\n", + "properties": { + "auditFields": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n" + }, + "authenticators": { + "$ref": "#/types/vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators", + "description": "Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema).\n" + }, + "backend": { + "type": "string", + "description": "The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n" + }, + "defaultPathPolicy": { + "type": "string", + "description": "Specifies the behavior for requests using the non-role-qualified CMPv2 requests. 
Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n" + }, + "enableSentinelParsing": { + "type": "boolean", + "description": "If set, parse out fields from the provided CSR making them available for Sentinel policies.\n" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether CMPv2 is enabled.\n" + }, + "lastUpdated": { + "type": "string", + "description": "A read-only timestamp representing the last time the configuration was updated.\n" + }, + "namespace": { + "type": "string", + "description": "The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n" + } + }, + "required": [ + "auditFields", + "authenticators", + "backend", + "lastUpdated" + ], + "inputProperties": { + "auditFields": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n" + }, + "authenticators": { + "$ref": "#/types/vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators", + "description": "Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema).\n" + }, + "backend": { + "type": "string", + "description": "The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n", + "willReplaceOnChanges": true + }, + "defaultPathPolicy": { + "type": "string", + "description": "Specifies the behavior for requests using the non-role-qualified CMPv2 requests. 
Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n" + }, + "enableSentinelParsing": { + "type": "boolean", + "description": "If set, parse out fields from the provided CSR making them available for Sentinel policies.\n" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether CMPv2 is enabled.\n" + }, + "namespace": { + "type": "string", + "description": "The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", + "willReplaceOnChanges": true + } + }, + "requiredInputs": [ + "backend" + ], + "stateInputs": { + "description": "Input properties used for looking up and filtering BackendConfigCmpv2 resources.\n", + "properties": { + "auditFields": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n" + }, + "authenticators": { + "$ref": "#/types/vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators", + "description": "Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema).\n" + }, + "backend": { + "type": "string", + "description": "The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n", + "willReplaceOnChanges": true + }, + "defaultPathPolicy": { + "type": "string", + "description": "Specifies the behavior for requests using the non-role-qualified CMPv2 requests. 
Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n" + }, + "enableSentinelParsing": { + "type": "boolean", + "description": "If set, parse out fields from the provided CSR making them available for Sentinel policies.\n" + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether CMPv2 is enabled.\n" + }, + "lastUpdated": { + "type": "string", + "description": "A read-only timestamp representing the last time the configuration was updated.\n" + }, + "namespace": { + "type": "string", + "description": "The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", + "willReplaceOnChanges": true + } + }, + "type": "object" + } + }, "vault:pkiSecret/backendConfigEst:BackendConfigEst": { "description": "Allows setting the EST configuration on a PKI Secret Backend\n\n## Import\n\nThe PKI config cluster can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/est`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigEst:BackendConfigEst example pki-root/config/est\n```\n", "properties": { @@ -26537,6 +27039,13 @@ "type": "boolean", "description": "Flag to specify certificates for client use\n" }, + "cnValidations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`\n" + }, "codeSigningFlag": { "type": "boolean", "description": "Flag to specify certificates for code signing use\n" @@ -26693,6 +27202,7 @@ "required": [ "allowedUriSansTemplate", "backend", + "cnValidations", "issuerRef", "keyUsages", "maxTtl", 
@@ -26785,6 +27295,13 @@ "type": "boolean", "description": "Flag to specify certificates for client use\n" }, + "cnValidations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`\n" + }, "codeSigningFlag": { "type": "boolean", "description": "Flag to specify certificates for code signing use\n" @@ -27030,6 +27547,13 @@ "type": "boolean", "description": "Flag to specify certificates for client use\n" }, + "cnValidations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled`\n" + }, "codeSigningFlag": { "type": "boolean", "description": "Flag to specify certificates for code signing use\n" @@ -30319,7 +30843,8 @@ "description": "Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.\n" }, "allowEmptyPrincipals": { - "type": "boolean" + "type": "boolean", + "description": "Allow signing certificates with no\nvalid principals (e.g. any valid principal). For backwards compatibility\nonly. The default of false is highly recommended.\n" }, "allowHostCertificates": { "type": "boolean", @@ -30447,7 +30972,8 @@ "description": "Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.\n" }, "allowEmptyPrincipals": { - "type": "boolean" + "type": "boolean", + "description": "Allow signing certificates with no\nvalid principals (e.g. any valid principal). For backwards compatibility\nonly. The default of false is highly recommended.\n" }, "allowHostCertificates": { "type": "boolean", 
@@ -30574,7 +31100,8 @@ "description": "Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`.\n" }, "allowEmptyPrincipals": { - "type": "boolean" + "type": "boolean", + "description": "Allow signing certificates with no\nvalid principals (e.g. any valid principal). For backwards compatibility\nonly. The default of false is highly recommended.\n" }, "allowHostCertificates": { "type": "boolean", 
@@ -34700,6 +35227,78 @@ "type": "object" } }, + "vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2": { + "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n path: \"pki\",\n type: \"pki\",\n description: \"PKI secret engine mount\",\n});\nconst cmpv2Config = vault.pkiSecret.getBackendConfigCmpv2Output({\n backend: pki.path,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n path=\"pki\",\n type=\"pki\",\n description=\"PKI secret engine mount\")\ncmpv2_config = vault.pkiSecret.get_backend_config_cmpv2_output(backend=pki.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var pki = new Vault.Mount(\"pki\", new()\n {\n Path = \"pki\",\n Type = \"pki\",\n Description = \"PKI secret engine mount\",\n });\n\n var cmpv2Config = Vault.PkiSecret.GetBackendConfigCmpv2.Invoke(new()\n {\n Backend = pki.Path,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"pki\"),\n\t\t\tType: pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pkisecret.GetBackendConfigCmpv2Output(ctx, pkisecret.GetBackendConfigCmpv2OutputArgs{\n\t\t\tBackend: pki.Path,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport 
com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var pki = new Mount(\"pki\", MountArgs.builder()\n .path(\"pki\")\n .type(\"pki\")\n .description(\"PKI secret engine mount\")\n .build());\n\n final var cmpv2Config = PkiSecretFunctions.getBackendConfigCmpv2(GetBackendConfigCmpv2Args.builder()\n .backend(pki.path())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n pki:\n type: vault:Mount\n properties:\n path: pki\n type: pki\n description: PKI secret engine mount\nvariables:\n cmpv2Config:\n fn::invoke:\n function: vault:pkiSecret:getBackendConfigCmpv2\n arguments:\n backend: ${pki.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", + "inputs": { + "description": "A collection of arguments for invoking getBackendConfigCmpv2.\n", + "properties": { + "backend": { + "type": "string", + "description": "The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n\n# Attributes Reference\n", + "willReplaceOnChanges": true + }, + "namespace": { + "type": "string", + "description": "The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n", + "willReplaceOnChanges": true + } + }, + "type": "object", + "required": [ + "backend" + ] + }, + "outputs": { + "description": "A collection of values returned by getBackendConfigCmpv2.\n", + 
"properties": { + "auditFields": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authenticators": { + "items": { + "$ref": "#/types/vault:pkiSecret/getBackendConfigCmpv2Authenticator:getBackendConfigCmpv2Authenticator" + }, + "type": "array" + }, + "backend": { + "type": "string" + }, + "defaultPathPolicy": { + "type": "string" + }, + "enableSentinelParsing": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "id": { + "description": "The provider-assigned unique ID for this managed resource.\n", + "type": "string" + }, + "lastUpdated": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "auditFields", + "authenticators", + "backend", + "defaultPathPolicy", + "enableSentinelParsing", + "enabled", + "lastUpdated", + "id" + ], + "type": "object" + } + }, "vault:pkiSecret/getBackendConfigEst:getBackendConfigEst": { "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n path: \"pki\",\n type: \"pki\",\n description: \"PKI secret engine mount\",\n});\nconst estConfig = vault.pkiSecret.getBackendConfigEstOutput({\n backend: pki.path,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n path=\"pki\",\n type=\"pki\",\n description=\"PKI secret engine mount\")\nest_config = vault.pkiSecret.get_backend_config_est_output(backend=pki.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var pki = new Vault.Mount(\"pki\", new()\n {\n Path = \"pki\",\n Type = \"pki\",\n Description = \"PKI secret engine mount\",\n });\n\n var estConfig = Vault.PkiSecret.GetBackendConfigEst.Invoke(new()\n {\n Backend = pki.Path,\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"pki\"),\n\t\t\tType: pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pkisecret.GetBackendConfigEstOutput(ctx, pkisecret.GetBackendConfigEstOutputArgs{\n\t\t\tBackend: pki.Path,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendConfigEstArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var pki = new Mount(\"pki\", MountArgs.builder()\n .path(\"pki\")\n .type(\"pki\")\n .description(\"PKI secret engine mount\")\n .build());\n\n final var estConfig = PkiSecretFunctions.getBackendConfigEst(GetBackendConfigEstArgs.builder()\n .backend(pki.path())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n pki:\n type: vault:Mount\n properties:\n path: pki\n type: pki\n description: PKI secret engine mount\nvariables:\n estConfig:\n fn::invoke:\n function: vault:pkiSecret:getBackendConfigEst\n arguments:\n backend: ${pki.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "inputs": { diff --git a/sdk/dotnet/Aws/AuthBackendStsRole.cs b/sdk/dotnet/Aws/AuthBackendStsRole.cs index 63a6d50a..5be1c30b 100644 
--- a/sdk/dotnet/Aws/AuthBackendStsRole.cs +++ b/sdk/dotnet/Aws/AuthBackendStsRole.cs @@ -59,6 +59,12 @@ public partial class AuthBackendStsRole : global::Pulumi.CustomResource [Output("backend")] public Output Backend { get; private set; } = null!; + /// + /// External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + /// + [Output("externalId")] + public Output ExternalId { get; private set; } = null!; + /// /// The namespace to provision the resource in. /// The value should not contain leading or trailing forward slashes. @@ -134,6 +140,12 @@ public sealed class AuthBackendStsRoleArgs : global::Pulumi.ResourceArgs [Input("backend")] public Input? Backend { get; set; } + /// + /// External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + /// + [Input("externalId")] + public Input? ExternalId { get; set; } + /// /// The namespace to provision the resource in. /// The value should not contain leading or trailing forward slashes. @@ -171,6 +183,12 @@ public sealed class AuthBackendStsRoleState : global::Pulumi.ResourceArgs [Input("backend")] public Input? Backend { get; set; } + /// + /// External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + /// + [Input("externalId")] + public Input? ExternalId { get; set; } + /// /// The namespace to provision the resource in. /// The value should not contain leading or trailing forward slashes. diff --git a/sdk/dotnet/Aws/SecretBackend.cs b/sdk/dotnet/Aws/SecretBackend.cs index e9d483ba..b0b2e424 100644 --- a/sdk/dotnet/Aws/SecretBackend.cs +++ b/sdk/dotnet/Aws/SecretBackend.cs 
@@ -134,6 +134,24 @@ public partial class SecretBackend : global::Pulumi.CustomResource [Output("stsEndpoint")] public Output StsEndpoint { get; private set; } = null!; + /// + /// Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + /// + [Output("stsFallbackEndpoints")] + public Output> StsFallbackEndpoints { get; private set; } = null!; + + /// + /// Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + /// + [Output("stsFallbackRegions")] + public Output> StsFallbackRegions { get; private set; } = null!; + + /// + /// Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + /// + [Output("stsRegion")] + public Output StsRegion { get; private set; } = null!; + /// /// Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: /// 
@@ -324,6 +342,36 @@ public Input? SecretKey [Input("stsEndpoint")] public Input? StsEndpoint { get; set; } + [Input("stsFallbackEndpoints")] + private InputList? _stsFallbackEndpoints; + + /// + /// Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + /// + public InputList StsFallbackEndpoints + { + get => _stsFallbackEndpoints ?? (_stsFallbackEndpoints = new InputList()); + set => _stsFallbackEndpoints = value; + } + + [Input("stsFallbackRegions")] + private InputList? _stsFallbackRegions; + + /// + /// Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + /// + public InputList StsFallbackRegions + { + get => _stsFallbackRegions ?? (_stsFallbackRegions = new InputList()); + set => _stsFallbackRegions = value; + } + + /// + /// Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + /// + [Input("stsRegion")] + public Input? StsRegion { get; set; } + /// /// Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: /// 
@@ -471,6 +519,36 @@ public Input? SecretKey [Input("stsEndpoint")] public Input? StsEndpoint { get; set; } + [Input("stsFallbackEndpoints")] + private InputList? _stsFallbackEndpoints; + + /// + /// Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + /// + public InputList StsFallbackEndpoints + { + get => _stsFallbackEndpoints ?? (_stsFallbackEndpoints = new InputList()); + set => _stsFallbackEndpoints = value; + } + + [Input("stsFallbackRegions")] + private InputList? _stsFallbackRegions; + + /// + /// Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + /// + public InputList StsFallbackRegions + { + get => _stsFallbackRegions ?? (_stsFallbackRegions = new InputList()); + set => _stsFallbackRegions = value; + } + + /// + /// Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + /// + [Input("stsRegion")] + public Input? StsRegion { get; set; } + /// /// Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: /// diff --git a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs index 8d41f572..bbf83375 100644 --- a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlArgs.cs @@ -64,6 +64,12 @@ public Input? Password } } + /// + /// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + /// + [Input("passwordAuthentication")] + public Input? PasswordAuthentication { get; set; } + [Input("privateKey")] private Input? _privateKey; 
diff --git a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs index 7287b3c7..e2e9670d 100644 --- a/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretBackendConnectionPostgresqlGetArgs.cs @@ -64,6 +64,12 @@ public Input? Password } } + /// + /// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + /// + [Input("passwordAuthentication")] + public Input? PasswordAuthentication { get; set; } + [Input("privateKey")] private Input? _privateKey; diff --git a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs index 061463c4..68299a05 100644 --- a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlArgs.cs @@ -97,6 +97,12 @@ public Input? Password } } + /// + /// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + /// + [Input("passwordAuthentication")] + public Input? PasswordAuthentication { get; set; } + /// /// Specifies the name of the plugin to use. /// diff --git a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs index e94e494c..4cc16db2 100644 --- a/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs +++ b/sdk/dotnet/Database/Inputs/SecretsMountPostgresqlGetArgs.cs @@ -97,6 +97,12 @@ public Input? Password } } + /// + /// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + /// + [Input("passwordAuthentication")] + public Input? PasswordAuthentication { get; set; } + /// /// Specifies the name of the plugin to use. /// 
diff --git a/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs b/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs index 211145d7..7e388281 100644 --- a/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs +++ b/sdk/dotnet/Database/Outputs/SecretBackendConnectionPostgresql.cs @@ -42,6 +42,10 @@ public sealed class SecretBackendConnectionPostgresql /// public readonly string? Password; /// + /// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + /// + public readonly string? PasswordAuthentication; + /// /// The secret key used for the x509 client certificate. Must be PEM encoded. /// public readonly string? PrivateKey; @@ -86,6 +90,8 @@ private SecretBackendConnectionPostgresql( string? password, + string? passwordAuthentication, + string? privateKey, bool? selfManaged, @@ -107,6 +113,7 @@ private SecretBackendConnectionPostgresql( MaxIdleConnections = maxIdleConnections; MaxOpenConnections = maxOpenConnections; Password = password; + PasswordAuthentication = passwordAuthentication; PrivateKey = privateKey; SelfManaged = selfManaged; ServiceAccountJson = serviceAccountJson; diff --git a/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs b/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs index e5a911da..996171aa 100644 --- a/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs +++ b/sdk/dotnet/Database/Outputs/SecretsMountPostgresql.cs @@ -57,6 +57,10 @@ public sealed class SecretsMountPostgresql /// public readonly string? Password; /// + /// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + /// + public readonly string? PasswordAuthentication; + /// /// Specifies the name of the plugin to use. /// public readonly string? PluginName; @@ -120,6 +124,8 @@ private SecretsMountPostgresql( string? password, + string? passwordAuthentication, + string? pluginName, string? privateKey, 
@@ -150,6 +156,7 @@ private SecretsMountPostgresql( MaxOpenConnections = maxOpenConnections; Name = name; Password = password; + PasswordAuthentication = passwordAuthentication; PluginName = pluginName; PrivateKey = privateKey; RootRotationStatements = rootRotationStatements; diff --git a/sdk/dotnet/PkiSecret/BackendAcmeEab.cs b/sdk/dotnet/PkiSecret/BackendAcmeEab.cs new file mode 100644 index 00000000..e3cd7acb --- /dev/null +++ b/sdk/dotnet/PkiSecret/BackendAcmeEab.cs 
@@ -0,0 +1,287 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret +{ + /// + /// Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Vault = Pulumi.Vault; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var test = new Vault.Mount("test", new() + /// { + /// Path = "pki", + /// Type = "pki", + /// Description = "PKI secret engine mount", + /// }); + /// + /// var testBackendAcmeEab = new Vault.PkiSecret.BackendAcmeEab("test", new() + /// { + /// Backend = test.Path, + /// }); + /// + /// }); + /// ``` + /// + /// ## Import + /// + /// As EAB tokens are only available on initial creation there is no possibility to + /// + /// import or update this resource. + /// + [VaultResourceType("vault:pkiSecret/backendAcmeEab:BackendAcmeEab")] + public partial class BackendAcmeEab : global::Pulumi.CustomResource + { + /// + /// The ACME directory to which the key belongs + /// + [Output("acmeDirectory")] + public Output AcmeDirectory { get; private set; } = null!; + + /// + /// The path to the PKI secret backend to + /// create the EAB token within, with no leading or trailing `/`s. 
+ /// + [Output("backend")] + public Output Backend { get; private set; } = null!; + + /// + /// An RFC3339 formatted date time when the EAB token was created + /// + [Output("createdOn")] + public Output CreatedOn { get; private set; } = null!; + + /// + /// The identifier of a specific ACME EAB token + /// + [Output("eabId")] + public Output EabId { get; private set; } = null!; + + /// + /// Create an EAB token that is specific to an issuer's ACME directory. + /// + [Output("issuer")] + public Output Issuer { get; private set; } = null!; + + /// + /// The EAB token + /// + [Output("key")] + public Output Key { get; private set; } = null!; + + /// + /// The key type of the EAB key + /// + [Output("keyType")] + public Output KeyType { get; private set; } = null!; + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Output("namespace")] + public Output Namespace { get; private set; } = null!; + + /// + /// Create an EAB token that is specific to a role's ACME directory. + /// + /// **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + /// + /// 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + /// 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + /// 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + /// 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + /// + [Output("role")] + public Output Role { get; private set; } = null!; + + + /// + /// Create a BackendAcmeEab resource with the given unique name, arguments, and options. 
+ /// + /// + /// The unique name of the resource + /// The arguments used to populate this resource's properties + /// A bag of options that control this resource's behavior + public BackendAcmeEab(string name, BackendAcmeEabArgs args, CustomResourceOptions? options = null) + : base("vault:pkiSecret/backendAcmeEab:BackendAcmeEab", name, args ?? new BackendAcmeEabArgs(), MakeResourceOptions(options, "")) + { + } + + private BackendAcmeEab(string name, Input id, BackendAcmeEabState? state = null, CustomResourceOptions? options = null) + : base("vault:pkiSecret/backendAcmeEab:BackendAcmeEab", name, state, MakeResourceOptions(options, id)) + { + } + + private static CustomResourceOptions MakeResourceOptions(CustomResourceOptions? options, Input? id) + { + var defaultOptions = new CustomResourceOptions + { + Version = Utilities.Version, + AdditionalSecretOutputs = + { + "key", + }, + }; + var merged = CustomResourceOptions.Merge(defaultOptions, options); + // Override the ID if one was specified for consistency with other language SDKs. + merged.Id = id ?? merged.Id; + return merged; + } + /// + /// Get an existing BackendAcmeEab resource's state with the given name, ID, and optional extra + /// properties used to qualify the lookup. + /// + /// + /// The unique name of the resulting resource. + /// The unique provider ID of the resource to lookup. + /// Any extra arguments used during the lookup. + /// A bag of options that control this resource's behavior + public static BackendAcmeEab Get(string name, Input id, BackendAcmeEabState? state = null, CustomResourceOptions? options = null) + { + return new BackendAcmeEab(name, id, state, options); + } + } + + public sealed class BackendAcmeEabArgs : global::Pulumi.ResourceArgs + { + /// + /// The path to the PKI secret backend to + /// create the EAB token within, with no leading or trailing `/`s. 
+ /// + [Input("backend", required: true)] + public Input Backend { get; set; } = null!; + + /// + /// Create an EAB token that is specific to an issuer's ACME directory. + /// + [Input("issuer")] + public Input? Issuer { get; set; } + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public Input? Namespace { get; set; } + + /// + /// Create an EAB token that is specific to a role's ACME directory. + /// + /// **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + /// + /// 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + /// 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + /// 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + /// 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + /// + [Input("role")] + public Input? Role { get; set; } + + public BackendAcmeEabArgs() + { + } + public static new BackendAcmeEabArgs Empty => new BackendAcmeEabArgs(); + } + + public sealed class BackendAcmeEabState : global::Pulumi.ResourceArgs + { + /// + /// The ACME directory to which the key belongs + /// + [Input("acmeDirectory")] + public Input? AcmeDirectory { get; set; } + + /// + /// The path to the PKI secret backend to + /// create the EAB token within, with no leading or trailing `/`s. + /// + [Input("backend")] + public Input? Backend { get; set; } + + /// + /// An RFC3339 formatted date time when the EAB token was created + /// + [Input("createdOn")] + public Input? 
CreatedOn { get; set; } + + /// + /// The identifier of a specific ACME EAB token + /// + [Input("eabId")] + public Input? EabId { get; set; } + + /// + /// Create an EAB token that is specific to an issuer's ACME directory. + /// + [Input("issuer")] + public Input? Issuer { get; set; } + + [Input("key")] + private Input? _key; + + /// + /// The EAB token + /// + public Input? Key + { + get => _key; + set + { + var emptySecret = Output.CreateSecret(0); + _key = Output.Tuple?, int>(value, emptySecret).Apply(t => t.Item1); + } + } + + /// + /// The key type of the EAB key + /// + [Input("keyType")] + public Input? KeyType { get; set; } + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public Input? Namespace { get; set; } + + /// + /// Create an EAB token that is specific to a role's ACME directory. + /// + /// **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + /// + /// 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + /// 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + /// 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + /// 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + /// + [Input("role")] + public Input? Role { get; set; } + + public BackendAcmeEabState() + { + } + public static new BackendAcmeEabState Empty => new BackendAcmeEabState(); + } +} diff --git a/sdk/dotnet/PkiSecret/BackendConfigAcme.cs b/sdk/dotnet/PkiSecret/BackendConfigAcme.cs new file mode 100644 index 00000000..cb3a1892 --- /dev/null 
+++ b/sdk/dotnet/PkiSecret/BackendConfigAcme.cs 
@@ -0,0 +1,337 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret +{ + /// + /// Allows setting the ACME server configuration used by specified mount. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Vault = Pulumi.Vault; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var pki = new Vault.Mount("pki", new() + /// { + /// Path = "pki", + /// Type = "pki", + /// DefaultLeaseTtlSeconds = 3600, + /// MaxLeaseTtlSeconds = 86400, + /// }); + /// + /// var pkiConfigCluster = new Vault.PkiSecret.BackendConfigCluster("pki_config_cluster", new() + /// { + /// Backend = pki.Path, + /// Path = "http://127.0.0.1:8200/v1/pki", + /// AiaPath = "http://127.0.0.1:8200/v1/pki", + /// }); + /// + /// var example = new Vault.PkiSecret.BackendConfigAcme("example", new() + /// { + /// Backend = pki.Path, + /// Enabled = true, + /// AllowedIssuers = new[] + /// { + /// "*", + /// }, + /// AllowedRoles = new[] + /// { + /// "*", + /// }, + /// AllowRoleExtKeyUsage = false, + /// DefaultDirectoryPolicy = "sign-verbatim", + /// DnsResolver = "", + /// EabPolicy = "not-required", + /// }); + /// + /// }); + /// ``` + /// + /// ## Import + /// + /// The ACME configuration can be imported using the resource's `id`. + /// In the case of the example above the `id` would be `pki/config/acme`, + /// where the `pki` component is the resource's `backend`, e.g. 
+ /// + /// ```sh + /// $ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme + /// ``` + /// + [VaultResourceType("vault:pkiSecret/backendConfigAcme:BackendConfigAcme")] + public partial class BackendConfigAcme : global::Pulumi.CustomResource + { + /// + /// Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + /// + [Output("allowRoleExtKeyUsage")] + public Output AllowRoleExtKeyUsage { get; private set; } = null!; + + /// + /// Specifies which issuers are allowed for use with ACME. + /// + [Output("allowedIssuers")] + public Output> AllowedIssuers { get; private set; } = null!; + + /// + /// Specifies which roles are allowed for use with ACME. + /// + [Output("allowedRoles")] + public Output> AllowedRoles { get; private set; } = null!; + + /// + /// The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + /// + [Output("backend")] + public Output Backend { get; private set; } = null!; + + /// + /// Specifies the policy to be used for non-role-qualified ACME requests. + /// Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + /// + [Output("defaultDirectoryPolicy")] + public Output DefaultDirectoryPolicy { get; private set; } = null!; + + /// + /// DNS resolver to use for domain resolution on this mount. + /// Must be in the format `<host>:<port>`, with both parts mandatory. + /// + [Output("dnsResolver")] + public Output DnsResolver { get; private set; } = null!; + + /// + /// Specifies the policy to use for external account binding behaviour. + /// Allowed values are `not-required`, `new-account-required` or `always-required`. + /// + [Output("eabPolicy")] + public Output EabPolicy { get; private set; } = null!; + + /// + /// Specifies whether ACME is enabled. + /// + [Output("enabled")] + public Output Enabled { get; private set; } = null!; + + /// + /// The namespace to provision the resource in. 
+ /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + /// *Available only for Vault Enterprise*. + /// + [Output("namespace")] + public Output Namespace { get; private set; } = null!; + + + /// + /// Create a BackendConfigAcme resource with the given unique name, arguments, and options. + /// + /// + /// The unique name of the resource + /// The arguments used to populate this resource's properties + /// A bag of options that control this resource's behavior + public BackendConfigAcme(string name, BackendConfigAcmeArgs args, CustomResourceOptions? options = null) + : base("vault:pkiSecret/backendConfigAcme:BackendConfigAcme", name, args ?? new BackendConfigAcmeArgs(), MakeResourceOptions(options, "")) + { + } + + private BackendConfigAcme(string name, Input id, BackendConfigAcmeState? state = null, CustomResourceOptions? options = null) + : base("vault:pkiSecret/backendConfigAcme:BackendConfigAcme", name, state, MakeResourceOptions(options, id)) + { + } + + private static CustomResourceOptions MakeResourceOptions(CustomResourceOptions? options, Input? id) + { + var defaultOptions = new CustomResourceOptions + { + Version = Utilities.Version, + }; + var merged = CustomResourceOptions.Merge(defaultOptions, options); + // Override the ID if one was specified for consistency with other language SDKs. + merged.Id = id ?? merged.Id; + return merged; + } + /// + /// Get an existing BackendConfigAcme resource's state with the given name, ID, and optional extra + /// properties used to qualify the lookup. + /// + /// + /// The unique name of the resulting resource. + /// The unique provider ID of the resource to lookup. + /// Any extra arguments used during the lookup. + /// A bag of options that control this resource's behavior + public static BackendConfigAcme Get(string name, Input id, BackendConfigAcmeState? 
state = null, CustomResourceOptions? options = null) + { + return new BackendConfigAcme(name, id, state, options); + } + } + + public sealed class BackendConfigAcmeArgs : global::Pulumi.ResourceArgs + { + /// + /// Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + /// + [Input("allowRoleExtKeyUsage")] + public Input? AllowRoleExtKeyUsage { get; set; } + + [Input("allowedIssuers")] + private InputList? _allowedIssuers; + + /// + /// Specifies which issuers are allowed for use with ACME. + /// + public InputList AllowedIssuers + { + get => _allowedIssuers ?? (_allowedIssuers = new InputList()); + set => _allowedIssuers = value; + } + + [Input("allowedRoles")] + private InputList? _allowedRoles; + + /// + /// Specifies which roles are allowed for use with ACME. + /// + public InputList AllowedRoles + { + get => _allowedRoles ?? (_allowedRoles = new InputList()); + set => _allowedRoles = value; + } + + /// + /// The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + /// + [Input("backend", required: true)] + public Input Backend { get; set; } = null!; + + /// + /// Specifies the policy to be used for non-role-qualified ACME requests. + /// Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + /// + [Input("defaultDirectoryPolicy")] + public Input? DefaultDirectoryPolicy { get; set; } + + /// + /// DNS resolver to use for domain resolution on this mount. + /// Must be in the format `<host>:<port>`, with both parts mandatory. + /// + [Input("dnsResolver")] + public Input? DnsResolver { get; set; } + + /// + /// Specifies the policy to use for external account binding behaviour. + /// Allowed values are `not-required`, `new-account-required` or `always-required`. + /// + [Input("eabPolicy")] + public Input? EabPolicy { get; set; } + + /// + /// Specifies whether ACME is enabled. 
+ /// + [Input("enabled", required: true)] + public Input Enabled { get; set; } = null!; + + /// + /// The namespace to provision the resource in. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public Input? Namespace { get; set; } + + public BackendConfigAcmeArgs() + { + } + public static new BackendConfigAcmeArgs Empty => new BackendConfigAcmeArgs(); + } + + public sealed class BackendConfigAcmeState : global::Pulumi.ResourceArgs + { + /// + /// Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + /// + [Input("allowRoleExtKeyUsage")] + public Input? AllowRoleExtKeyUsage { get; set; } + + [Input("allowedIssuers")] + private InputList? _allowedIssuers; + + /// + /// Specifies which issuers are allowed for use with ACME. + /// + public InputList AllowedIssuers + { + get => _allowedIssuers ?? (_allowedIssuers = new InputList()); + set => _allowedIssuers = value; + } + + [Input("allowedRoles")] + private InputList? _allowedRoles; + + /// + /// Specifies which roles are allowed for use with ACME. + /// + public InputList AllowedRoles + { + get => _allowedRoles ?? (_allowedRoles = new InputList()); + set => _allowedRoles = value; + } + + /// + /// The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + /// + [Input("backend")] + public Input? Backend { get; set; } + + /// + /// Specifies the policy to be used for non-role-qualified ACME requests. + /// Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + /// + [Input("defaultDirectoryPolicy")] + public Input? DefaultDirectoryPolicy { get; set; } + + /// + /// DNS resolver to use for domain resolution on this mount. 
+ /// Must be in the format `<host>:<port>`, with both parts mandatory. + /// + [Input("dnsResolver")] + public Input? DnsResolver { get; set; } + + /// + /// Specifies the policy to use for external account binding behaviour. + /// Allowed values are `not-required`, `new-account-required` or `always-required`. + /// + [Input("eabPolicy")] + public Input? EabPolicy { get; set; } + + /// + /// Specifies whether ACME is enabled. + /// + [Input("enabled")] + public Input? Enabled { get; set; } + + /// + /// The namespace to provision the resource in. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public Input? Namespace { get; set; } + + public BackendConfigAcmeState() + { + } + public static new BackendConfigAcmeState Empty => new BackendConfigAcmeState(); + } +} diff --git a/sdk/dotnet/PkiSecret/BackendConfigCmpv2.cs b/sdk/dotnet/PkiSecret/BackendConfigCmpv2.cs new file mode 100644 index 00000000..24a71f53 --- /dev/null +++ b/sdk/dotnet/PkiSecret/BackendConfigCmpv2.cs 
@@ -0,0 +1,255 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret +{ + /// + /// Allows setting the CMPv2 configuration on a PKI Secret Backend + /// + /// ## Import + /// + /// The PKI config cluster can be imported using the resource's `id`. + /// In the case of the example above the `id` would be `pki-root/config/cmpv2`, + /// where the `pki-root` component is the resource's `backend`, e.g. + /// + /// ```sh + /// $ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2 + /// ``` + /// + [VaultResourceType("vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2")] + public partial class BackendConfigCmpv2 : global::Pulumi.CustomResource + { + /// + /// Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + /// + /// <a id="nestedatt--authenticators"></a> + /// + [Output("auditFields")] + public Output> AuditFields { get; private set; } = null!; + + /// + /// Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + /// + [Output("authenticators")] + public Output Authenticators { get; private set; } = null!; + + /// + /// The path to the PKI secret backend to + /// read the CMPv2 configuration from, with no leading or trailing `/`s. + /// + [Output("backend")] + public Output Backend { get; private set; } = null!; + + /// + /// Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. 
+ /// + [Output("defaultPathPolicy")] + public Output DefaultPathPolicy { get; private set; } = null!; + + /// + /// If set, parse out fields from the provided CSR making them available for Sentinel policies. + /// + [Output("enableSentinelParsing")] + public Output EnableSentinelParsing { get; private set; } = null!; + + /// + /// Specifies whether CMPv2 is enabled. + /// + [Output("enabled")] + public Output Enabled { get; private set; } = null!; + + /// + /// A read-only timestamp representing the last time the configuration was updated. + /// + [Output("lastUpdated")] + public Output LastUpdated { get; private set; } = null!; + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Output("namespace")] + public Output Namespace { get; private set; } = null!; + + + /// + /// Create a BackendConfigCmpv2 resource with the given unique name, arguments, and options. + /// + /// + /// The unique name of the resource + /// The arguments used to populate this resource's properties + /// A bag of options that control this resource's behavior + public BackendConfigCmpv2(string name, BackendConfigCmpv2Args args, CustomResourceOptions? options = null) + : base("vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2", name, args ?? new BackendConfigCmpv2Args(), MakeResourceOptions(options, "")) + { + } + + private BackendConfigCmpv2(string name, Input id, BackendConfigCmpv2State? state = null, CustomResourceOptions? options = null) + : base("vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2", name, state, MakeResourceOptions(options, id)) + { + } + + private static CustomResourceOptions MakeResourceOptions(CustomResourceOptions? options, Input? 
id) + { + var defaultOptions = new CustomResourceOptions + { + Version = Utilities.Version, + }; + var merged = CustomResourceOptions.Merge(defaultOptions, options); + // Override the ID if one was specified for consistency with other language SDKs. + merged.Id = id ?? merged.Id; + return merged; + } + /// + /// Get an existing BackendConfigCmpv2 resource's state with the given name, ID, and optional extra + /// properties used to qualify the lookup. + /// + /// + /// The unique name of the resulting resource. + /// The unique provider ID of the resource to lookup. + /// Any extra arguments used during the lookup. + /// A bag of options that control this resource's behavior + public static BackendConfigCmpv2 Get(string name, Input id, BackendConfigCmpv2State? state = null, CustomResourceOptions? options = null) + { + return new BackendConfigCmpv2(name, id, state, options); + } + } + + public sealed class BackendConfigCmpv2Args : global::Pulumi.ResourceArgs + { + [Input("auditFields")] + private InputList? _auditFields; + + /// + /// Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + /// + /// <a id="nestedatt--authenticators"></a> + /// + public InputList AuditFields + { + get => _auditFields ?? (_auditFields = new InputList()); + set => _auditFields = value; + } + + /// + /// Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + /// + [Input("authenticators")] + public Input? Authenticators { get; set; } + + /// + /// The path to the PKI secret backend to + /// read the CMPv2 configuration from, with no leading or trailing `/`s. + /// + [Input("backend", required: true)] + public Input Backend { get; set; } = null!; + + /// + /// Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + /// + [Input("defaultPathPolicy")] + public Input? 
DefaultPathPolicy { get; set; } + + /// + /// If set, parse out fields from the provided CSR making them available for Sentinel policies. + /// + [Input("enableSentinelParsing")] + public Input? EnableSentinelParsing { get; set; } + + /// + /// Specifies whether CMPv2 is enabled. + /// + [Input("enabled")] + public Input? Enabled { get; set; } + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public Input? Namespace { get; set; } + + public BackendConfigCmpv2Args() + { + } + public static new BackendConfigCmpv2Args Empty => new BackendConfigCmpv2Args(); + } + + public sealed class BackendConfigCmpv2State : global::Pulumi.ResourceArgs + { + [Input("auditFields")] + private InputList? _auditFields; + + /// + /// Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + /// + /// <a id="nestedatt--authenticators"></a> + /// + public InputList AuditFields + { + get => _auditFields ?? (_auditFields = new InputList()); + set => _auditFields = value; + } + + /// + /// Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + /// + [Input("authenticators")] + public Input? Authenticators { get; set; } + + /// + /// The path to the PKI secret backend to + /// read the CMPv2 configuration from, with no leading or trailing `/`s. + /// + [Input("backend")] + public Input? Backend { get; set; } + + /// + /// Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + /// + [Input("defaultPathPolicy")] + public Input? 
DefaultPathPolicy { get; set; } + + /// + /// If set, parse out fields from the provided CSR making them available for Sentinel policies. + /// + [Input("enableSentinelParsing")] + public Input? EnableSentinelParsing { get; set; } + + /// + /// Specifies whether CMPv2 is enabled. + /// + [Input("enabled")] + public Input? Enabled { get; set; } + + /// + /// A read-only timestamp representing the last time the configuration was updated. + /// + [Input("lastUpdated")] + public Input? LastUpdated { get; set; } + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public Input? Namespace { get; set; } + + public BackendConfigCmpv2State() + { + } + public static new BackendConfigCmpv2State Empty => new BackendConfigCmpv2State(); + } +} diff --git a/sdk/dotnet/PkiSecret/GetBackendConfigCmpv2.cs b/sdk/dotnet/PkiSecret/GetBackendConfigCmpv2.cs new file mode 100644 index 00000000..233e285e --- /dev/null +++ b/sdk/dotnet/PkiSecret/GetBackendConfigCmpv2.cs 
@@ -0,0 +1,203 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret +{ + public static class GetBackendConfigCmpv2 + { + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Vault = Pulumi.Vault; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var pki = new Vault.Mount("pki", new() + /// { + /// Path = "pki", + /// Type = "pki", + /// Description = "PKI secret engine mount", + /// }); + /// + /// var cmpv2Config = Vault.PkiSecret.GetBackendConfigCmpv2.Invoke(new() + /// { + /// Backend = pki.Path, + /// }); + /// + /// }); + /// ``` + /// + public static Task InvokeAsync(GetBackendConfigCmpv2Args args, InvokeOptions? options = null) + => global::Pulumi.Deployment.Instance.InvokeAsync("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", args ?? new GetBackendConfigCmpv2Args(), options.WithDefaults()); + + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Vault = Pulumi.Vault; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var pki = new Vault.Mount("pki", new() + /// { + /// Path = "pki", + /// Type = "pki", + /// Description = "PKI secret engine mount", + /// }); + /// + /// var cmpv2Config = Vault.PkiSecret.GetBackendConfigCmpv2.Invoke(new() + /// { + /// Backend = pki.Path, + /// }); + /// + /// }); + /// ``` + /// + public static Output Invoke(GetBackendConfigCmpv2InvokeArgs args, InvokeOptions? options = null) + => global::Pulumi.Deployment.Instance.Invoke("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", args ?? 
new GetBackendConfigCmpv2InvokeArgs(), options.WithDefaults()); + + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Vault = Pulumi.Vault; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var pki = new Vault.Mount("pki", new() + /// { + /// Path = "pki", + /// Type = "pki", + /// Description = "PKI secret engine mount", + /// }); + /// + /// var cmpv2Config = Vault.PkiSecret.GetBackendConfigCmpv2.Invoke(new() + /// { + /// Backend = pki.Path, + /// }); + /// + /// }); + /// ``` + /// + public static Output Invoke(GetBackendConfigCmpv2InvokeArgs args, InvokeOutputOptions options) + => global::Pulumi.Deployment.Instance.Invoke("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", args ?? new GetBackendConfigCmpv2InvokeArgs(), options.WithDefaults()); + } + + + public sealed class GetBackendConfigCmpv2Args : global::Pulumi.InvokeArgs + { + /// + /// The path to the PKI secret backend to + /// read the CMPv2 configuration from, with no leading or trailing `/`s. + /// + /// # Attributes Reference + /// + [Input("backend", required: true)] + public string Backend { get; set; } = null!; + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public string? Namespace { get; set; } + + public GetBackendConfigCmpv2Args() + { + } + public static new GetBackendConfigCmpv2Args Empty => new GetBackendConfigCmpv2Args(); + } + + public sealed class GetBackendConfigCmpv2InvokeArgs : global::Pulumi.InvokeArgs + { + /// + /// The path to the PKI secret backend to + /// read the CMPv2 configuration from, with no leading or trailing `/`s. 
+ /// + /// # Attributes Reference + /// + [Input("backend", required: true)] + public Input Backend { get; set; } = null!; + + /// + /// The namespace of the target resource. + /// The value should not contain leading or trailing forward slashes. + /// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + /// *Available only for Vault Enterprise*. + /// + [Input("namespace")] + public Input? Namespace { get; set; } + + public GetBackendConfigCmpv2InvokeArgs() + { + } + public static new GetBackendConfigCmpv2InvokeArgs Empty => new GetBackendConfigCmpv2InvokeArgs(); + } + + + [OutputType] + public sealed class GetBackendConfigCmpv2Result + { + public readonly ImmutableArray AuditFields; + public readonly ImmutableArray Authenticators; + public readonly string Backend; + public readonly string DefaultPathPolicy; + public readonly bool EnableSentinelParsing; + public readonly bool Enabled; + /// + /// The provider-assigned unique ID for this managed resource. + /// + public readonly string Id; + public readonly string LastUpdated; + public readonly string? Namespace; + + [OutputConstructor] + private GetBackendConfigCmpv2Result( + ImmutableArray auditFields, + + ImmutableArray authenticators, + + string backend, + + string defaultPathPolicy, + + bool enableSentinelParsing, + + bool enabled, + + string id, + + string lastUpdated, + + string? @namespace) + { + AuditFields = auditFields; + Authenticators = authenticators; + Backend = backend; + DefaultPathPolicy = defaultPathPolicy; + EnableSentinelParsing = enableSentinelParsing; + Enabled = enabled; + Id = id; + LastUpdated = lastUpdated; + Namespace = @namespace; + } + } +} diff --git a/sdk/dotnet/PkiSecret/Inputs/BackendConfigCmpv2AuthenticatorsArgs.cs b/sdk/dotnet/PkiSecret/Inputs/BackendConfigCmpv2AuthenticatorsArgs.cs new file mode 100644 index 00000000..7cd71e2a --- /dev/null 
+++ b/sdk/dotnet/PkiSecret/Inputs/BackendConfigCmpv2AuthenticatorsArgs.cs @@ -0,0 +1,32 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret.Inputs +{ + + public sealed class BackendConfigCmpv2AuthenticatorsArgs : global::Pulumi.ResourceArgs + { + [Input("cert")] + private InputMap? _cert; + + /// + /// "The accessor (required) and cert_role (optional) properties for cert auth backends". + /// + public InputMap Cert + { + get => _cert ?? (_cert = new InputMap()); + set => _cert = value; + } + + public BackendConfigCmpv2AuthenticatorsArgs() + { + } + public static new BackendConfigCmpv2AuthenticatorsArgs Empty => new BackendConfigCmpv2AuthenticatorsArgs(); + } +} diff --git a/sdk/dotnet/PkiSecret/Inputs/BackendConfigCmpv2AuthenticatorsGetArgs.cs b/sdk/dotnet/PkiSecret/Inputs/BackendConfigCmpv2AuthenticatorsGetArgs.cs new file mode 100644 index 00000000..43a77b3c --- /dev/null +++ b/sdk/dotnet/PkiSecret/Inputs/BackendConfigCmpv2AuthenticatorsGetArgs.cs 
@@ -0,0 +1,32 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret.Inputs +{ + + public sealed class BackendConfigCmpv2AuthenticatorsGetArgs : global::Pulumi.ResourceArgs + { + [Input("cert")] + private InputMap? _cert; + + /// + /// "The accessor (required) and cert_role (optional) properties for cert auth backends". + /// + public InputMap Cert + { + get => _cert ?? (_cert = new InputMap()); + set => _cert = value; + } + + public BackendConfigCmpv2AuthenticatorsGetArgs() + { + } + public static new BackendConfigCmpv2AuthenticatorsGetArgs Empty => new BackendConfigCmpv2AuthenticatorsGetArgs(); + } +} diff --git a/sdk/dotnet/PkiSecret/Outputs/BackendConfigCmpv2Authenticators.cs b/sdk/dotnet/PkiSecret/Outputs/BackendConfigCmpv2Authenticators.cs new file mode 100644 index 00000000..cfe18eaf --- /dev/null +++ b/sdk/dotnet/PkiSecret/Outputs/BackendConfigCmpv2Authenticators.cs @@ -0,0 +1,27 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret.Outputs +{ + + [OutputType] + public sealed class BackendConfigCmpv2Authenticators + { + /// + /// "The accessor (required) and cert_role (optional) properties for cert auth backends". + /// + public readonly ImmutableDictionary? Cert; + + [OutputConstructor] + private BackendConfigCmpv2Authenticators(ImmutableDictionary? cert) + { + Cert = cert; + } + } +} 
diff --git a/sdk/dotnet/PkiSecret/Outputs/GetBackendConfigCmpv2AuthenticatorResult.cs b/sdk/dotnet/PkiSecret/Outputs/GetBackendConfigCmpv2AuthenticatorResult.cs new file mode 100644 index 00000000..bda358ed --- /dev/null +++ b/sdk/dotnet/PkiSecret/Outputs/GetBackendConfigCmpv2AuthenticatorResult.cs @@ -0,0 +1,27 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Vault.PkiSecret.Outputs +{ + + [OutputType] + public sealed class GetBackendConfigCmpv2AuthenticatorResult + { + /// + /// The accessor and cert_role properties for cert auth backends + /// + public readonly ImmutableDictionary? Cert; + + [OutputConstructor] + private GetBackendConfigCmpv2AuthenticatorResult(ImmutableDictionary? cert) + { + Cert = cert; + } + } +} diff --git a/sdk/dotnet/PkiSecret/SecretBackendRole.cs b/sdk/dotnet/PkiSecret/SecretBackendRole.cs index 1fb74d95..bd117cdd 100644 --- a/sdk/dotnet/PkiSecret/SecretBackendRole.cs +++ b/sdk/dotnet/PkiSecret/SecretBackendRole.cs @@ -162,6 +162,12 @@ public partial class SecretBackendRole : global::Pulumi.CustomResource [Output("clientFlag")] public Output ClientFlag { get; private set; } = null!; + /// + /// Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + /// + [Output("cnValidations")] + public Output> CnValidations { get; private set; } = null!; + /// /// Flag to specify certificates for code signing use /// 
@@ -523,6 +529,18 @@ public InputList AllowedUserIds [Input("clientFlag")] public Input? ClientFlag { get; set; } + [Input("cnValidations")] + private InputList? _cnValidations; + + /// + /// Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + /// + public InputList CnValidations + { + get => _cnValidations ?? (_cnValidations = new InputList()); + set => _cnValidations = value; + } + /// /// Flag to specify certificates for code signing use /// @@ -918,6 +936,18 @@ public InputList AllowedUserIds [Input("clientFlag")] public Input? ClientFlag { get; set; } + [Input("cnValidations")] + private InputList? _cnValidations; + + /// + /// Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + /// + public InputList CnValidations + { + get => _cnValidations ?? (_cnValidations = new InputList()); + set => _cnValidations = value; + } + /// /// Flag to specify certificates for code signing use /// diff --git a/sdk/dotnet/Ssh/SecretBackendRole.cs b/sdk/dotnet/Ssh/SecretBackendRole.cs index 1f25f4af..0bbd37d8 100644 --- a/sdk/dotnet/Ssh/SecretBackendRole.cs +++ b/sdk/dotnet/Ssh/SecretBackendRole.cs @@ -72,6 +72,11 @@ public partial class SecretBackendRole : global::Pulumi.CustomResource [Output("allowBareDomains")] public Output AllowBareDomains { get; private set; } = null!; + /// + /// Allow signing certificates with no + /// valid principals (e.g. any valid principal). For backwards compatibility + /// only. The default of false is highly recommended. + /// [Output("allowEmptyPrincipals")] public Output AllowEmptyPrincipals { get; private set; } = null!; 
@@ -283,6 +288,11 @@ public sealed class SecretBackendRoleArgs : global::Pulumi.ResourceArgs [Input("allowBareDomains")] public Input? AllowBareDomains { get; set; } + /// + /// Allow signing certificates with no + /// valid principals (e.g. any valid principal). For backwards compatibility + /// only. The default of false is highly recommended. + /// [Input("allowEmptyPrincipals")] public Input? AllowEmptyPrincipals { get; set; } @@ -474,6 +484,11 @@ public sealed class SecretBackendRoleState : global::Pulumi.ResourceArgs [Input("allowBareDomains")] public Input? AllowBareDomains { get; set; } + /// + /// Allow signing certificates with no + /// valid principals (e.g. any valid principal). For backwards compatibility + /// only. The default of false is highly recommended. + /// [Input("allowEmptyPrincipals")] public Input? AllowEmptyPrincipals { get; set; } diff --git a/sdk/go/vault/aws/authBackendStsRole.go b/sdk/go/vault/aws/authBackendStsRole.go index 56025cbe..60289f6c 100644 --- a/sdk/go/vault/aws/authBackendStsRole.go +++ b/sdk/go/vault/aws/authBackendStsRole.go @@ -62,6 +62,8 @@ type AuthBackendStsRole struct { // The path the AWS auth backend being configured was // mounted at. Defaults to `aws`. Backend pulumi.StringPtrOutput `pulumi:"backend"` + // External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + ExternalId pulumi.StringPtrOutput `pulumi:"externalId"` // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). 
@@ -113,6 +115,8 @@ type authBackendStsRoleState struct { // The path the AWS auth backend being configured was // mounted at. Defaults to `aws`. Backend *string `pulumi:"backend"` + // External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + ExternalId *string `pulumi:"externalId"` // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). @@ -129,6 +133,8 @@ type AuthBackendStsRoleState struct { // The path the AWS auth backend being configured was // mounted at. Defaults to `aws`. Backend pulumi.StringPtrInput + // External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + ExternalId pulumi.StringPtrInput // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). @@ -149,6 +155,8 @@ type authBackendStsRoleArgs struct { // The path the AWS auth backend being configured was // mounted at. Defaults to `aws`. Backend *string `pulumi:"backend"` + // External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + ExternalId *string `pulumi:"externalId"` // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). 
@@ -166,6 +174,8 @@ type AuthBackendStsRoleArgs struct { // The path the AWS auth backend being configured was // mounted at. Defaults to `aws`. Backend pulumi.StringPtrInput + // External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + ExternalId pulumi.StringPtrInput // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). @@ -274,6 +284,11 @@ func (o AuthBackendStsRoleOutput) Backend() pulumi.StringPtrOutput { return o.ApplyT(func(v *AuthBackendStsRole) pulumi.StringPtrOutput { return v.Backend }).(pulumi.StringPtrOutput) } +// External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. +func (o AuthBackendStsRoleOutput) ExternalId() pulumi.StringPtrOutput { + return o.ApplyT(func(v *AuthBackendStsRole) pulumi.StringPtrOutput { return v.ExternalId }).(pulumi.StringPtrOutput) +} + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). diff --git a/sdk/go/vault/aws/secretBackend.go b/sdk/go/vault/aws/secretBackend.go index 0c96048f..cb4f3c01 100644 --- a/sdk/go/vault/aws/secretBackend.go +++ b/sdk/go/vault/aws/secretBackend.go 
@@ -61,6 +61,12 @@ type SecretBackend struct { SecretKey pulumi.StringPtrOutput `pulumi:"secretKey"` // Specifies a custom HTTP STS endpoint to use. StsEndpoint pulumi.StringPtrOutput `pulumi:"stsEndpoint"` + // Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + StsFallbackEndpoints pulumi.StringArrayOutput `pulumi:"stsFallbackEndpoints"` + // Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + StsFallbackRegions pulumi.StringArrayOutput `pulumi:"stsFallbackRegions"` + // Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + StsRegion pulumi.StringPtrOutput `pulumi:"stsRegion"` // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: UsernameTemplate pulumi.StringOutput `pulumi:"usernameTemplate"` } 
@@ -146,6 +152,12 @@ type secretBackendState struct { SecretKey *string `pulumi:"secretKey"` // Specifies a custom HTTP STS endpoint to use. StsEndpoint *string `pulumi:"stsEndpoint"` + // Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + StsFallbackEndpoints []string `pulumi:"stsFallbackEndpoints"` + // Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + StsFallbackRegions []string `pulumi:"stsFallbackRegions"` + // Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + StsRegion *string `pulumi:"stsRegion"` // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: UsernameTemplate *string `pulumi:"usernameTemplate"` } @@ -191,6 +203,12 @@ type SecretBackendState struct { SecretKey pulumi.StringPtrInput // Specifies a custom HTTP STS endpoint to use. StsEndpoint pulumi.StringPtrInput + // Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + StsFallbackEndpoints pulumi.StringArrayInput + // Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + StsFallbackRegions pulumi.StringArrayInput + // Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + StsRegion pulumi.StringPtrInput // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: UsernameTemplate pulumi.StringPtrInput } 
@@ -240,6 +258,12 @@ type secretBackendArgs struct { SecretKey *string `pulumi:"secretKey"` // Specifies a custom HTTP STS endpoint to use. StsEndpoint *string `pulumi:"stsEndpoint"` + // Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + StsFallbackEndpoints []string `pulumi:"stsFallbackEndpoints"` + // Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + StsFallbackRegions []string `pulumi:"stsFallbackRegions"` + // Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + StsRegion *string `pulumi:"stsRegion"` // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: UsernameTemplate *string `pulumi:"usernameTemplate"` } @@ -286,6 +310,12 @@ type SecretBackendArgs struct { SecretKey pulumi.StringPtrInput // Specifies a custom HTTP STS endpoint to use. StsEndpoint pulumi.StringPtrInput + // Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + StsFallbackEndpoints pulumi.StringArrayInput + // Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + StsFallbackRegions pulumi.StringArrayInput + // Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + StsRegion pulumi.StringPtrInput // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: UsernameTemplate pulumi.StringPtrInput } 
@@ -465,6 +495,21 @@ func (o SecretBackendOutput) StsEndpoint() pulumi.StringPtrOutput { return o.ApplyT(func(v *SecretBackend) pulumi.StringPtrOutput { return v.StsEndpoint }).(pulumi.StringPtrOutput) } +// Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ +func (o SecretBackendOutput) StsFallbackEndpoints() pulumi.StringArrayOutput { + return o.ApplyT(func(v *SecretBackend) pulumi.StringArrayOutput { return v.StsFallbackEndpoints }).(pulumi.StringArrayOutput) +} + +// Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ +func (o SecretBackendOutput) StsFallbackRegions() pulumi.StringArrayOutput { + return o.ApplyT(func(v *SecretBackend) pulumi.StringArrayOutput { return v.StsFallbackRegions }).(pulumi.StringArrayOutput) +} + +// Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ +func (o SecretBackendOutput) StsRegion() pulumi.StringPtrOutput { + return o.ApplyT(func(v *SecretBackend) pulumi.StringPtrOutput { return v.StsRegion }).(pulumi.StringPtrOutput) +} + // Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: func (o SecretBackendOutput) UsernameTemplate() pulumi.StringOutput { return o.ApplyT(func(v *SecretBackend) pulumi.StringOutput { return v.UsernameTemplate }).(pulumi.StringOutput) diff --git a/sdk/go/vault/database/pulumiTypes.go b/sdk/go/vault/database/pulumiTypes.go index d5311aa6..c2eebb8e 100644 --- a/sdk/go/vault/database/pulumiTypes.go +++ b/sdk/go/vault/database/pulumiTypes.go 
@@ -3804,6 +3804,8 @@ type SecretBackendConnectionPostgresql struct { MaxOpenConnections *int `pulumi:"maxOpenConnections"` // The root credential password used in the connection URL Password *string `pulumi:"password"` + // When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + PasswordAuthentication *string `pulumi:"passwordAuthentication"` // The secret key used for the x509 client certificate. Must be PEM encoded. PrivateKey *string `pulumi:"privateKey"` // If set, allows onboarding static roles with a rootless connection configuration. @@ -3846,6 +3848,8 @@ type SecretBackendConnectionPostgresqlArgs struct { MaxOpenConnections pulumi.IntPtrInput `pulumi:"maxOpenConnections"` // The root credential password used in the connection URL Password pulumi.StringPtrInput `pulumi:"password"` + // When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + PasswordAuthentication pulumi.StringPtrInput `pulumi:"passwordAuthentication"` // The secret key used for the x509 client certificate. Must be PEM encoded. PrivateKey pulumi.StringPtrInput `pulumi:"privateKey"` // If set, allows onboarding static roles with a rootless connection configuration. 
@@ -3974,6 +3978,11 @@ func (o SecretBackendConnectionPostgresqlOutput) Password() pulumi.StringPtrOutp return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.Password }).(pulumi.StringPtrOutput) } +// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. +func (o SecretBackendConnectionPostgresqlOutput) PasswordAuthentication() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.PasswordAuthentication }).(pulumi.StringPtrOutput) +} + // The secret key used for the x509 client certificate. Must be PEM encoded. func (o SecretBackendConnectionPostgresqlOutput) PrivateKey() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretBackendConnectionPostgresql) *string { return v.PrivateKey }).(pulumi.StringPtrOutput) @@ -4103,6 +4112,16 @@ func (o SecretBackendConnectionPostgresqlPtrOutput) Password() pulumi.StringPtrO }).(pulumi.StringPtrOutput) } +// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. +func (o SecretBackendConnectionPostgresqlPtrOutput) PasswordAuthentication() pulumi.StringPtrOutput { + return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *string { + if v == nil { + return nil + } + return v.PasswordAuthentication + }).(pulumi.StringPtrOutput) +} + // The secret key used for the x509 client certificate. Must be PEM encoded. func (o SecretBackendConnectionPostgresqlPtrOutput) PrivateKey() pulumi.StringPtrOutput { return o.ApplyT(func(v *SecretBackendConnectionPostgresql) *string { 
@@ -8227,6 +8246,8 @@ type SecretsMountPostgresql struct { Name string `pulumi:"name"` // The root credential password used in the connection URL Password *string `pulumi:"password"` + // When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + PasswordAuthentication *string `pulumi:"passwordAuthentication"` // Specifies the name of the plugin to use. PluginName *string `pulumi:"pluginName"` // The secret key used for the x509 client certificate. Must be PEM encoded. @@ -8285,6 +8306,8 @@ type SecretsMountPostgresqlArgs struct { Name pulumi.StringInput `pulumi:"name"` // The root credential password used in the connection URL Password pulumi.StringPtrInput `pulumi:"password"` + // When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + PasswordAuthentication pulumi.StringPtrInput `pulumi:"passwordAuthentication"` // Specifies the name of the plugin to use. PluginName pulumi.StringPtrInput `pulumi:"pluginName"` // The secret key used for the x509 client certificate. Must be PEM encoded. @@ -8412,6 +8435,11 @@ func (o SecretsMountPostgresqlOutput) Password() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.Password }).(pulumi.StringPtrOutput) } +// When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. +func (o SecretsMountPostgresqlOutput) PasswordAuthentication() pulumi.StringPtrOutput { + return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.PasswordAuthentication }).(pulumi.StringPtrOutput) +} + // Specifies the name of the plugin to use. func (o SecretsMountPostgresqlOutput) PluginName() pulumi.StringPtrOutput { return o.ApplyT(func(v SecretsMountPostgresql) *string { return v.PluginName }).(pulumi.StringPtrOutput) diff --git a/sdk/go/vault/pkisecret/backendAcmeEab.go b/sdk/go/vault/pkisecret/backendAcmeEab.go new file mode 100644 index 00000000..27b01550 --- /dev/null 
+++ b/sdk/go/vault/pkisecret/backendAcmeEab.go 
@@ -0,0 +1,430 @@ +// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT. +// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! *** + +package pkisecret + +import ( + "context" + "reflect" + + "errors" + "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/internal" + "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +) + +// Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-vault/sdk/v6/go/vault" +// "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// test, err := vault.NewMount(ctx, "test", &vault.MountArgs{ +// Path: pulumi.String("pki"), +// Type: pulumi.String("pki"), +// Description: pulumi.String("PKI secret engine mount"), +// }) +// if err != nil { +// return err +// } +// _, err = pkisecret.NewBackendAcmeEab(ctx, "test", &pkisecret.BackendAcmeEabArgs{ +// Backend: test.Path, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ## Import +// +// # As EAB tokens are only available on initial creation there is no possibility to +// +// import or update this resource. +type BackendAcmeEab struct { + pulumi.CustomResourceState + + // The ACME directory to which the key belongs + AcmeDirectory pulumi.StringOutput `pulumi:"acmeDirectory"` + // The path to the PKI secret backend to + // create the EAB token within, with no leading or trailing `/`s. + Backend pulumi.StringOutput `pulumi:"backend"` + // An RFC3339 formatted date time when the EAB token was created + CreatedOn pulumi.StringOutput `pulumi:"createdOn"` + // The identifier of a specific ACME EAB token + EabId pulumi.StringOutput `pulumi:"eabId"` + // Create an EAB token that is specific to an issuer's ACME directory. 
+ Issuer pulumi.StringPtrOutput `pulumi:"issuer"` + // The EAB token + Key pulumi.StringOutput `pulumi:"key"` + // The key type of the EAB key + KeyType pulumi.StringOutput `pulumi:"keyType"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace pulumi.StringPtrOutput `pulumi:"namespace"` + // Create an EAB token that is specific to a role's ACME directory. + // + // **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + // + // 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + // 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + // 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + // 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + Role pulumi.StringPtrOutput `pulumi:"role"` +} + +// NewBackendAcmeEab registers a new resource with the given unique name, arguments, and options. +func NewBackendAcmeEab(ctx *pulumi.Context, + name string, args *BackendAcmeEabArgs, opts ...pulumi.ResourceOption) (*BackendAcmeEab, error) { + if args == nil { + return nil, errors.New("missing one or more required arguments") + } + + if args.Backend == nil { + return nil, errors.New("invalid value for required argument 'Backend'") + } + secrets := pulumi.AdditionalSecretOutputs([]string{ + "key", + }) + opts = append(opts, secrets) + opts = internal.PkgResourceDefaultOpts(opts) + var resource BackendAcmeEab + err := ctx.RegisterResource("vault:pkiSecret/backendAcmeEab:BackendAcmeEab", name, args, &resource, opts...) 
+ if err != nil { + return nil, err + } + return &resource, nil +} + +// GetBackendAcmeEab gets an existing BackendAcmeEab resource's state with the given name, ID, and optional +// state properties that are used to uniquely qualify the lookup (nil if not required). +func GetBackendAcmeEab(ctx *pulumi.Context, + name string, id pulumi.IDInput, state *BackendAcmeEabState, opts ...pulumi.ResourceOption) (*BackendAcmeEab, error) { + var resource BackendAcmeEab + err := ctx.ReadResource("vault:pkiSecret/backendAcmeEab:BackendAcmeEab", name, id, state, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// Input properties used for looking up and filtering BackendAcmeEab resources. +type backendAcmeEabState struct { + // The ACME directory to which the key belongs + AcmeDirectory *string `pulumi:"acmeDirectory"` + // The path to the PKI secret backend to + // create the EAB token within, with no leading or trailing `/`s. + Backend *string `pulumi:"backend"` + // An RFC3339 formatted date time when the EAB token was created + CreatedOn *string `pulumi:"createdOn"` + // The identifier of a specific ACME EAB token + EabId *string `pulumi:"eabId"` + // Create an EAB token that is specific to an issuer's ACME directory. + Issuer *string `pulumi:"issuer"` + // The EAB token + Key *string `pulumi:"key"` + // The key type of the EAB key + KeyType *string `pulumi:"keyType"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace *string `pulumi:"namespace"` + // Create an EAB token that is specific to a role's ACME directory. + // + // **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + // + // 1. 
Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + // 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + // 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + // 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + Role *string `pulumi:"role"` +} + +type BackendAcmeEabState struct { + // The ACME directory to which the key belongs + AcmeDirectory pulumi.StringPtrInput + // The path to the PKI secret backend to + // create the EAB token within, with no leading or trailing `/`s. + Backend pulumi.StringPtrInput + // An RFC3339 formatted date time when the EAB token was created + CreatedOn pulumi.StringPtrInput + // The identifier of a specific ACME EAB token + EabId pulumi.StringPtrInput + // Create an EAB token that is specific to an issuer's ACME directory. + Issuer pulumi.StringPtrInput + // The EAB token + Key pulumi.StringPtrInput + // The key type of the EAB key + KeyType pulumi.StringPtrInput + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace pulumi.StringPtrInput + // Create an EAB token that is specific to a role's ACME directory. + // + // **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + // + // 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + // 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + // 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + // 4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + Role pulumi.StringPtrInput +} + +func (BackendAcmeEabState) ElementType() reflect.Type { + return reflect.TypeOf((*backendAcmeEabState)(nil)).Elem() +} + +type backendAcmeEabArgs struct { + // The path to the PKI secret backend to + // create the EAB token within, with no leading or trailing `/`s. + Backend string `pulumi:"backend"` + // Create an EAB token that is specific to an issuer's ACME directory. + Issuer *string `pulumi:"issuer"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace *string `pulumi:"namespace"` + // Create an EAB token that is specific to a role's ACME directory. + // + // **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + // + // 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + // 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + // 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + // 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + Role *string `pulumi:"role"` +} + +// The set of arguments for constructing a BackendAcmeEab resource. +type BackendAcmeEabArgs struct { + // The path to the PKI secret backend to + // create the EAB token within, with no leading or trailing `/`s. + Backend pulumi.StringInput + // Create an EAB token that is specific to an issuer's ACME directory. + Issuer pulumi.StringPtrInput + // The namespace of the target resource. 
+ // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace pulumi.StringPtrInput + // Create an EAB token that is specific to a role's ACME directory. + // + // **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + // + // 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + // 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + // 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + // 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + Role pulumi.StringPtrInput +} + +func (BackendAcmeEabArgs) ElementType() reflect.Type { + return reflect.TypeOf((*backendAcmeEabArgs)(nil)).Elem() +} + +type BackendAcmeEabInput interface { + pulumi.Input + + ToBackendAcmeEabOutput() BackendAcmeEabOutput + ToBackendAcmeEabOutputWithContext(ctx context.Context) BackendAcmeEabOutput +} + +func (*BackendAcmeEab) ElementType() reflect.Type { + return reflect.TypeOf((**BackendAcmeEab)(nil)).Elem() +} + +func (i *BackendAcmeEab) ToBackendAcmeEabOutput() BackendAcmeEabOutput { + return i.ToBackendAcmeEabOutputWithContext(context.Background()) +} + +func (i *BackendAcmeEab) ToBackendAcmeEabOutputWithContext(ctx context.Context) BackendAcmeEabOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendAcmeEabOutput) +} + +// BackendAcmeEabArrayInput is an input type that accepts BackendAcmeEabArray and BackendAcmeEabArrayOutput values. 
+// You can construct a concrete instance of `BackendAcmeEabArrayInput` via: +// +// BackendAcmeEabArray{ BackendAcmeEabArgs{...} } +type BackendAcmeEabArrayInput interface { + pulumi.Input + + ToBackendAcmeEabArrayOutput() BackendAcmeEabArrayOutput + ToBackendAcmeEabArrayOutputWithContext(context.Context) BackendAcmeEabArrayOutput +} + +type BackendAcmeEabArray []BackendAcmeEabInput + +func (BackendAcmeEabArray) ElementType() reflect.Type { + return reflect.TypeOf((*[]*BackendAcmeEab)(nil)).Elem() +} + +func (i BackendAcmeEabArray) ToBackendAcmeEabArrayOutput() BackendAcmeEabArrayOutput { + return i.ToBackendAcmeEabArrayOutputWithContext(context.Background()) +} + +func (i BackendAcmeEabArray) ToBackendAcmeEabArrayOutputWithContext(ctx context.Context) BackendAcmeEabArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendAcmeEabArrayOutput) +} + +// BackendAcmeEabMapInput is an input type that accepts BackendAcmeEabMap and BackendAcmeEabMapOutput values. +// You can construct a concrete instance of `BackendAcmeEabMapInput` via: +// +// BackendAcmeEabMap{ "key": BackendAcmeEabArgs{...} } +type BackendAcmeEabMapInput interface { + pulumi.Input + + ToBackendAcmeEabMapOutput() BackendAcmeEabMapOutput + ToBackendAcmeEabMapOutputWithContext(context.Context) BackendAcmeEabMapOutput +} + +type BackendAcmeEabMap map[string]BackendAcmeEabInput + +func (BackendAcmeEabMap) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*BackendAcmeEab)(nil)).Elem() +} + +func (i BackendAcmeEabMap) ToBackendAcmeEabMapOutput() BackendAcmeEabMapOutput { + return i.ToBackendAcmeEabMapOutputWithContext(context.Background()) +} + +func (i BackendAcmeEabMap) ToBackendAcmeEabMapOutputWithContext(ctx context.Context) BackendAcmeEabMapOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendAcmeEabMapOutput) +} + +type BackendAcmeEabOutput struct{ *pulumi.OutputState } + +func (BackendAcmeEabOutput) ElementType() reflect.Type { + return 
reflect.TypeOf((**BackendAcmeEab)(nil)).Elem() +} + +func (o BackendAcmeEabOutput) ToBackendAcmeEabOutput() BackendAcmeEabOutput { + return o +} + +func (o BackendAcmeEabOutput) ToBackendAcmeEabOutputWithContext(ctx context.Context) BackendAcmeEabOutput { + return o +} + +// The ACME directory to which the key belongs +func (o BackendAcmeEabOutput) AcmeDirectory() pulumi.StringOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringOutput { return v.AcmeDirectory }).(pulumi.StringOutput) +} + +// The path to the PKI secret backend to +// create the EAB token within, with no leading or trailing `/`s. +func (o BackendAcmeEabOutput) Backend() pulumi.StringOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringOutput { return v.Backend }).(pulumi.StringOutput) +} + +// An RFC3339 formatted date time when the EAB token was created +func (o BackendAcmeEabOutput) CreatedOn() pulumi.StringOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringOutput { return v.CreatedOn }).(pulumi.StringOutput) +} + +// The identifier of a specific ACME EAB token +func (o BackendAcmeEabOutput) EabId() pulumi.StringOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringOutput { return v.EabId }).(pulumi.StringOutput) +} + +// Create an EAB token that is specific to an issuer's ACME directory. +func (o BackendAcmeEabOutput) Issuer() pulumi.StringPtrOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringPtrOutput { return v.Issuer }).(pulumi.StringPtrOutput) +} + +// The EAB token +func (o BackendAcmeEabOutput) Key() pulumi.StringOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringOutput { return v.Key }).(pulumi.StringOutput) +} + +// The key type of the EAB key +func (o BackendAcmeEabOutput) KeyType() pulumi.StringOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringOutput { return v.KeyType }).(pulumi.StringOutput) +} + +// The namespace of the target resource. 
+// The value should not contain leading or trailing forward slashes. +// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). +// *Available only for Vault Enterprise*. +func (o BackendAcmeEabOutput) Namespace() pulumi.StringPtrOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringPtrOutput { return v.Namespace }).(pulumi.StringPtrOutput) +} + +// Create an EAB token that is specific to a role's ACME directory. +// +// **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; +// +// 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. +// 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter +// 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter +// 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters +func (o BackendAcmeEabOutput) Role() pulumi.StringPtrOutput { + return o.ApplyT(func(v *BackendAcmeEab) pulumi.StringPtrOutput { return v.Role }).(pulumi.StringPtrOutput) +} + +type BackendAcmeEabArrayOutput struct{ *pulumi.OutputState } + +func (BackendAcmeEabArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]*BackendAcmeEab)(nil)).Elem() +} + +func (o BackendAcmeEabArrayOutput) ToBackendAcmeEabArrayOutput() BackendAcmeEabArrayOutput { + return o +} + +func (o BackendAcmeEabArrayOutput) ToBackendAcmeEabArrayOutputWithContext(ctx context.Context) BackendAcmeEabArrayOutput { + return o +} + +func (o BackendAcmeEabArrayOutput) Index(i pulumi.IntInput) BackendAcmeEabOutput { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) *BackendAcmeEab { + return vs[0].([]*BackendAcmeEab)[vs[1].(int)] + }).(BackendAcmeEabOutput) +} + +type BackendAcmeEabMapOutput struct{ *pulumi.OutputState } + +func 
(BackendAcmeEabMapOutput) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*BackendAcmeEab)(nil)).Elem() +} + +func (o BackendAcmeEabMapOutput) ToBackendAcmeEabMapOutput() BackendAcmeEabMapOutput { + return o +} + +func (o BackendAcmeEabMapOutput) ToBackendAcmeEabMapOutputWithContext(ctx context.Context) BackendAcmeEabMapOutput { + return o +} + +func (o BackendAcmeEabMapOutput) MapIndex(k pulumi.StringInput) BackendAcmeEabOutput { + return pulumi.All(o, k).ApplyT(func(vs []interface{}) *BackendAcmeEab { + return vs[0].(map[string]*BackendAcmeEab)[vs[1].(string)] + }).(BackendAcmeEabOutput) +} + +func init() { + pulumi.RegisterInputType(reflect.TypeOf((*BackendAcmeEabInput)(nil)).Elem(), &BackendAcmeEab{}) + pulumi.RegisterInputType(reflect.TypeOf((*BackendAcmeEabArrayInput)(nil)).Elem(), BackendAcmeEabArray{}) + pulumi.RegisterInputType(reflect.TypeOf((*BackendAcmeEabMapInput)(nil)).Elem(), BackendAcmeEabMap{}) + pulumi.RegisterOutputType(BackendAcmeEabOutput{}) + pulumi.RegisterOutputType(BackendAcmeEabArrayOutput{}) + pulumi.RegisterOutputType(BackendAcmeEabMapOutput{}) +} diff --git a/sdk/go/vault/pkisecret/backendConfigAcme.go b/sdk/go/vault/pkisecret/backendConfigAcme.go new file mode 100644 index 00000000..c7f4fa53 --- /dev/null +++ b/sdk/go/vault/pkisecret/backendConfigAcme.go 
@@ -0,0 +1,443 @@ +// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT. +// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! *** + +package pkisecret + +import ( + "context" + "reflect" + + "errors" + "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/internal" + "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +) + +// Allows setting the ACME server configuration used by specified mount. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-vault/sdk/v6/go/vault" +// "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{ +// Path: pulumi.String("pki"), +// Type: pulumi.String("pki"), +// DefaultLeaseTtlSeconds: pulumi.Int(3600), +// MaxLeaseTtlSeconds: pulumi.Int(86400), +// }) +// if err != nil { +// return err +// } +// _, err = pkisecret.NewBackendConfigCluster(ctx, "pki_config_cluster", &pkisecret.BackendConfigClusterArgs{ +// Backend: pki.Path, +// Path: pulumi.String("http://127.0.0.1:8200/v1/pki"), +// AiaPath: pulumi.String("http://127.0.0.1:8200/v1/pki"), +// }) +// if err != nil { +// return err +// } +// _, err = pkisecret.NewBackendConfigAcme(ctx, "example", &pkisecret.BackendConfigAcmeArgs{ +// Backend: pki.Path, +// Enabled: pulumi.Bool(true), +// AllowedIssuers: pulumi.StringArray{ +// pulumi.String("*"), +// }, +// AllowedRoles: pulumi.StringArray{ +// pulumi.String("*"), +// }, +// AllowRoleExtKeyUsage: pulumi.Bool(false), +// DefaultDirectoryPolicy: pulumi.String("sign-verbatim"), +// DnsResolver: pulumi.String(""), +// EabPolicy: pulumi.String("not-required"), +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ## Import +// +// The ACME configuration can be imported using the resource's `id`. 
+// In the case of the example above the `id` would be `pki/config/acme`, +// where the `pki` component is the resource's `backend`, e.g. +// +// ```sh +// $ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme +// ``` +type BackendConfigAcme struct { + pulumi.CustomResourceState + + // Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + AllowRoleExtKeyUsage pulumi.BoolPtrOutput `pulumi:"allowRoleExtKeyUsage"` + // Specifies which issuers are allowed for use with ACME. + AllowedIssuers pulumi.StringArrayOutput `pulumi:"allowedIssuers"` + // Specifies which roles are allowed for use with ACME. + AllowedRoles pulumi.StringArrayOutput `pulumi:"allowedRoles"` + // The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + Backend pulumi.StringOutput `pulumi:"backend"` + // Specifies the policy to be used for non-role-qualified ACME requests. + // Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + DefaultDirectoryPolicy pulumi.StringOutput `pulumi:"defaultDirectoryPolicy"` + // DNS resolver to use for domain resolution on this mount. + // Must be in the format `:`, with both parts mandatory. + DnsResolver pulumi.StringPtrOutput `pulumi:"dnsResolver"` + // Specifies the policy to use for external account binding behaviour. + // Allowed values are `not-required`, `new-account-required` or `always-required`. + EabPolicy pulumi.StringOutput `pulumi:"eabPolicy"` + // Specifies whether ACME is enabled. + Enabled pulumi.BoolOutput `pulumi:"enabled"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + // *Available only for Vault Enterprise*. 
+ Namespace pulumi.StringPtrOutput `pulumi:"namespace"` +} + +// NewBackendConfigAcme registers a new resource with the given unique name, arguments, and options. +func NewBackendConfigAcme(ctx *pulumi.Context, + name string, args *BackendConfigAcmeArgs, opts ...pulumi.ResourceOption) (*BackendConfigAcme, error) { + if args == nil { + return nil, errors.New("missing one or more required arguments") + } + + if args.Backend == nil { + return nil, errors.New("invalid value for required argument 'Backend'") + } + if args.Enabled == nil { + return nil, errors.New("invalid value for required argument 'Enabled'") + } + opts = internal.PkgResourceDefaultOpts(opts) + var resource BackendConfigAcme + err := ctx.RegisterResource("vault:pkiSecret/backendConfigAcme:BackendConfigAcme", name, args, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// GetBackendConfigAcme gets an existing BackendConfigAcme resource's state with the given name, ID, and optional +// state properties that are used to uniquely qualify the lookup (nil if not required). +func GetBackendConfigAcme(ctx *pulumi.Context, + name string, id pulumi.IDInput, state *BackendConfigAcmeState, opts ...pulumi.ResourceOption) (*BackendConfigAcme, error) { + var resource BackendConfigAcme + err := ctx.ReadResource("vault:pkiSecret/backendConfigAcme:BackendConfigAcme", name, id, state, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// Input properties used for looking up and filtering BackendConfigAcme resources. +type backendConfigAcmeState struct { + // Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + AllowRoleExtKeyUsage *bool `pulumi:"allowRoleExtKeyUsage"` + // Specifies which issuers are allowed for use with ACME. + AllowedIssuers []string `pulumi:"allowedIssuers"` + // Specifies which roles are allowed for use with ACME. 
+ AllowedRoles []string `pulumi:"allowedRoles"` + // The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + Backend *string `pulumi:"backend"` + // Specifies the policy to be used for non-role-qualified ACME requests. + // Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + DefaultDirectoryPolicy *string `pulumi:"defaultDirectoryPolicy"` + // DNS resolver to use for domain resolution on this mount. + // Must be in the format `:`, with both parts mandatory. + DnsResolver *string `pulumi:"dnsResolver"` + // Specifies the policy to use for external account binding behaviour. + // Allowed values are `not-required`, `new-account-required` or `always-required`. + EabPolicy *string `pulumi:"eabPolicy"` + // Specifies whether ACME is enabled. + Enabled *bool `pulumi:"enabled"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + // *Available only for Vault Enterprise*. + Namespace *string `pulumi:"namespace"` +} + +type BackendConfigAcmeState struct { + // Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + AllowRoleExtKeyUsage pulumi.BoolPtrInput + // Specifies which issuers are allowed for use with ACME. + AllowedIssuers pulumi.StringArrayInput + // Specifies which roles are allowed for use with ACME. + AllowedRoles pulumi.StringArrayInput + // The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + Backend pulumi.StringPtrInput + // Specifies the policy to be used for non-role-qualified ACME requests. + // Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + DefaultDirectoryPolicy pulumi.StringPtrInput + // DNS resolver to use for domain resolution on this mount. 
+ // Must be in the format `:`, with both parts mandatory. + DnsResolver pulumi.StringPtrInput + // Specifies the policy to use for external account binding behaviour. + // Allowed values are `not-required`, `new-account-required` or `always-required`. + EabPolicy pulumi.StringPtrInput + // Specifies whether ACME is enabled. + Enabled pulumi.BoolPtrInput + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + // *Available only for Vault Enterprise*. + Namespace pulumi.StringPtrInput +} + +func (BackendConfigAcmeState) ElementType() reflect.Type { + return reflect.TypeOf((*backendConfigAcmeState)(nil)).Elem() +} + +type backendConfigAcmeArgs struct { + // Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + AllowRoleExtKeyUsage *bool `pulumi:"allowRoleExtKeyUsage"` + // Specifies which issuers are allowed for use with ACME. + AllowedIssuers []string `pulumi:"allowedIssuers"` + // Specifies which roles are allowed for use with ACME. + AllowedRoles []string `pulumi:"allowedRoles"` + // The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + Backend string `pulumi:"backend"` + // Specifies the policy to be used for non-role-qualified ACME requests. + // Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + DefaultDirectoryPolicy *string `pulumi:"defaultDirectoryPolicy"` + // DNS resolver to use for domain resolution on this mount. + // Must be in the format `:`, with both parts mandatory. + DnsResolver *string `pulumi:"dnsResolver"` + // Specifies the policy to use for external account binding behaviour. + // Allowed values are `not-required`, `new-account-required` or `always-required`. + EabPolicy *string `pulumi:"eabPolicy"` + // Specifies whether ACME is enabled. 
+ Enabled bool `pulumi:"enabled"` + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + // *Available only for Vault Enterprise*. + Namespace *string `pulumi:"namespace"` +} + +// The set of arguments for constructing a BackendConfigAcme resource. +type BackendConfigAcmeArgs struct { + // Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + AllowRoleExtKeyUsage pulumi.BoolPtrInput + // Specifies which issuers are allowed for use with ACME. + AllowedIssuers pulumi.StringArrayInput + // Specifies which roles are allowed for use with ACME. + AllowedRoles pulumi.StringArrayInput + // The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + Backend pulumi.StringInput + // Specifies the policy to be used for non-role-qualified ACME requests. + // Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + DefaultDirectoryPolicy pulumi.StringPtrInput + // DNS resolver to use for domain resolution on this mount. + // Must be in the format `:`, with both parts mandatory. + DnsResolver pulumi.StringPtrInput + // Specifies the policy to use for external account binding behaviour. + // Allowed values are `not-required`, `new-account-required` or `always-required`. + EabPolicy pulumi.StringPtrInput + // Specifies whether ACME is enabled. + Enabled pulumi.BoolInput + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + // *Available only for Vault Enterprise*. 
+ Namespace pulumi.StringPtrInput +} + +func (BackendConfigAcmeArgs) ElementType() reflect.Type { + return reflect.TypeOf((*backendConfigAcmeArgs)(nil)).Elem() +} + +type BackendConfigAcmeInput interface { + pulumi.Input + + ToBackendConfigAcmeOutput() BackendConfigAcmeOutput + ToBackendConfigAcmeOutputWithContext(ctx context.Context) BackendConfigAcmeOutput +} + +func (*BackendConfigAcme) ElementType() reflect.Type { + return reflect.TypeOf((**BackendConfigAcme)(nil)).Elem() +} + +func (i *BackendConfigAcme) ToBackendConfigAcmeOutput() BackendConfigAcmeOutput { + return i.ToBackendConfigAcmeOutputWithContext(context.Background()) +} + +func (i *BackendConfigAcme) ToBackendConfigAcmeOutputWithContext(ctx context.Context) BackendConfigAcmeOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigAcmeOutput) +} + +// BackendConfigAcmeArrayInput is an input type that accepts BackendConfigAcmeArray and BackendConfigAcmeArrayOutput values. +// You can construct a concrete instance of `BackendConfigAcmeArrayInput` via: +// +// BackendConfigAcmeArray{ BackendConfigAcmeArgs{...} } +type BackendConfigAcmeArrayInput interface { + pulumi.Input + + ToBackendConfigAcmeArrayOutput() BackendConfigAcmeArrayOutput + ToBackendConfigAcmeArrayOutputWithContext(context.Context) BackendConfigAcmeArrayOutput +} + +type BackendConfigAcmeArray []BackendConfigAcmeInput + +func (BackendConfigAcmeArray) ElementType() reflect.Type { + return reflect.TypeOf((*[]*BackendConfigAcme)(nil)).Elem() +} + +func (i BackendConfigAcmeArray) ToBackendConfigAcmeArrayOutput() BackendConfigAcmeArrayOutput { + return i.ToBackendConfigAcmeArrayOutputWithContext(context.Background()) +} + +func (i BackendConfigAcmeArray) ToBackendConfigAcmeArrayOutputWithContext(ctx context.Context) BackendConfigAcmeArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigAcmeArrayOutput) +} + +// BackendConfigAcmeMapInput is an input type that accepts BackendConfigAcmeMap and BackendConfigAcmeMapOutput 
values. +// You can construct a concrete instance of `BackendConfigAcmeMapInput` via: +// +// BackendConfigAcmeMap{ "key": BackendConfigAcmeArgs{...} } +type BackendConfigAcmeMapInput interface { + pulumi.Input + + ToBackendConfigAcmeMapOutput() BackendConfigAcmeMapOutput + ToBackendConfigAcmeMapOutputWithContext(context.Context) BackendConfigAcmeMapOutput +} + +type BackendConfigAcmeMap map[string]BackendConfigAcmeInput + +func (BackendConfigAcmeMap) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*BackendConfigAcme)(nil)).Elem() +} + +func (i BackendConfigAcmeMap) ToBackendConfigAcmeMapOutput() BackendConfigAcmeMapOutput { + return i.ToBackendConfigAcmeMapOutputWithContext(context.Background()) +} + +func (i BackendConfigAcmeMap) ToBackendConfigAcmeMapOutputWithContext(ctx context.Context) BackendConfigAcmeMapOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigAcmeMapOutput) +} + +type BackendConfigAcmeOutput struct{ *pulumi.OutputState } + +func (BackendConfigAcmeOutput) ElementType() reflect.Type { + return reflect.TypeOf((**BackendConfigAcme)(nil)).Elem() +} + +func (o BackendConfigAcmeOutput) ToBackendConfigAcmeOutput() BackendConfigAcmeOutput { + return o +} + +func (o BackendConfigAcmeOutput) ToBackendConfigAcmeOutputWithContext(ctx context.Context) BackendConfigAcmeOutput { + return o +} + +// Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** +func (o BackendConfigAcmeOutput) AllowRoleExtKeyUsage() pulumi.BoolPtrOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.BoolPtrOutput { return v.AllowRoleExtKeyUsage }).(pulumi.BoolPtrOutput) +} + +// Specifies which issuers are allowed for use with ACME. +func (o BackendConfigAcmeOutput) AllowedIssuers() pulumi.StringArrayOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.StringArrayOutput { return v.AllowedIssuers }).(pulumi.StringArrayOutput) +} + +// Specifies which roles are allowed for use with ACME. 
+func (o BackendConfigAcmeOutput) AllowedRoles() pulumi.StringArrayOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.StringArrayOutput { return v.AllowedRoles }).(pulumi.StringArrayOutput) +} + +// The path the PKI secret backend is mounted at, with no leading or trailing `/`s. +func (o BackendConfigAcmeOutput) Backend() pulumi.StringOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.StringOutput { return v.Backend }).(pulumi.StringOutput) +} + +// Specifies the policy to be used for non-role-qualified ACME requests. +// Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. +func (o BackendConfigAcmeOutput) DefaultDirectoryPolicy() pulumi.StringOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.StringOutput { return v.DefaultDirectoryPolicy }).(pulumi.StringOutput) +} + +// DNS resolver to use for domain resolution on this mount. +// Must be in the format `:`, with both parts mandatory. +func (o BackendConfigAcmeOutput) DnsResolver() pulumi.StringPtrOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.StringPtrOutput { return v.DnsResolver }).(pulumi.StringPtrOutput) +} + +// Specifies the policy to use for external account binding behaviour. +// Allowed values are `not-required`, `new-account-required` or `always-required`. +func (o BackendConfigAcmeOutput) EabPolicy() pulumi.StringOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.StringOutput { return v.EabPolicy }).(pulumi.StringOutput) +} + +// Specifies whether ACME is enabled. +func (o BackendConfigAcmeOutput) Enabled() pulumi.BoolOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.BoolOutput { return v.Enabled }).(pulumi.BoolOutput) +} + +// The namespace to provision the resource in. +// The value should not contain leading or trailing forward slashes. +// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). 
+// *Available only for Vault Enterprise*. +func (o BackendConfigAcmeOutput) Namespace() pulumi.StringPtrOutput { + return o.ApplyT(func(v *BackendConfigAcme) pulumi.StringPtrOutput { return v.Namespace }).(pulumi.StringPtrOutput) +} + +type BackendConfigAcmeArrayOutput struct{ *pulumi.OutputState } + +func (BackendConfigAcmeArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]*BackendConfigAcme)(nil)).Elem() +} + +func (o BackendConfigAcmeArrayOutput) ToBackendConfigAcmeArrayOutput() BackendConfigAcmeArrayOutput { + return o +} + +func (o BackendConfigAcmeArrayOutput) ToBackendConfigAcmeArrayOutputWithContext(ctx context.Context) BackendConfigAcmeArrayOutput { + return o +} + +func (o BackendConfigAcmeArrayOutput) Index(i pulumi.IntInput) BackendConfigAcmeOutput { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) *BackendConfigAcme { + return vs[0].([]*BackendConfigAcme)[vs[1].(int)] + }).(BackendConfigAcmeOutput) +} + +type BackendConfigAcmeMapOutput struct{ *pulumi.OutputState } + +func (BackendConfigAcmeMapOutput) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*BackendConfigAcme)(nil)).Elem() +} + +func (o BackendConfigAcmeMapOutput) ToBackendConfigAcmeMapOutput() BackendConfigAcmeMapOutput { + return o +} + +func (o BackendConfigAcmeMapOutput) ToBackendConfigAcmeMapOutputWithContext(ctx context.Context) BackendConfigAcmeMapOutput { + return o +} + +func (o BackendConfigAcmeMapOutput) MapIndex(k pulumi.StringInput) BackendConfigAcmeOutput { + return pulumi.All(o, k).ApplyT(func(vs []interface{}) *BackendConfigAcme { + return vs[0].(map[string]*BackendConfigAcme)[vs[1].(string)] + }).(BackendConfigAcmeOutput) +} + +func init() { + pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigAcmeInput)(nil)).Elem(), &BackendConfigAcme{}) + pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigAcmeArrayInput)(nil)).Elem(), BackendConfigAcmeArray{}) + 
pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigAcmeMapInput)(nil)).Elem(), BackendConfigAcmeMap{}) + pulumi.RegisterOutputType(BackendConfigAcmeOutput{}) + pulumi.RegisterOutputType(BackendConfigAcmeArrayOutput{}) + pulumi.RegisterOutputType(BackendConfigAcmeMapOutput{}) +} diff --git a/sdk/go/vault/pkisecret/backendConfigCmpv2.go b/sdk/go/vault/pkisecret/backendConfigCmpv2.go new file mode 100644 index 00000000..19be0fe2 --- /dev/null +++ b/sdk/go/vault/pkisecret/backendConfigCmpv2.go 
@@ -0,0 +1,366 @@ +// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT. +// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! *** + +package pkisecret + +import ( + "context" + "reflect" + + "errors" + "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/internal" + "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +) + +// Allows setting the CMPv2 configuration on a PKI Secret Backend +// +// ## Import +// +// The PKI config cluster can be imported using the resource's `id`. +// In the case of the example above the `id` would be `pki-root/config/cmpv2`, +// where the `pki-root` component is the resource's `backend`, e.g. +// +// ```sh +// $ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2 +// ``` +type BackendConfigCmpv2 struct { + pulumi.CustomResourceState + + // Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + // + // + AuditFields pulumi.StringArrayOutput `pulumi:"auditFields"` + // Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + Authenticators BackendConfigCmpv2AuthenticatorsOutput `pulumi:"authenticators"` + // The path to the PKI secret backend to + // read the CMPv2 configuration from, with no leading or trailing `/`s. + Backend pulumi.StringOutput `pulumi:"backend"` + // Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + DefaultPathPolicy pulumi.StringPtrOutput `pulumi:"defaultPathPolicy"` + // If set, parse out fields from the provided CSR making them available for Sentinel policies. + EnableSentinelParsing pulumi.BoolPtrOutput `pulumi:"enableSentinelParsing"` + // Specifies whether CMPv2 is enabled. + Enabled pulumi.BoolPtrOutput `pulumi:"enabled"` + // A read-only timestamp representing the last time the configuration was updated. 
+ LastUpdated pulumi.StringOutput `pulumi:"lastUpdated"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace pulumi.StringPtrOutput `pulumi:"namespace"` +} + +// NewBackendConfigCmpv2 registers a new resource with the given unique name, arguments, and options. +func NewBackendConfigCmpv2(ctx *pulumi.Context, + name string, args *BackendConfigCmpv2Args, opts ...pulumi.ResourceOption) (*BackendConfigCmpv2, error) { + if args == nil { + return nil, errors.New("missing one or more required arguments") + } + + if args.Backend == nil { + return nil, errors.New("invalid value for required argument 'Backend'") + } + opts = internal.PkgResourceDefaultOpts(opts) + var resource BackendConfigCmpv2 + err := ctx.RegisterResource("vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2", name, args, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// GetBackendConfigCmpv2 gets an existing BackendConfigCmpv2 resource's state with the given name, ID, and optional +// state properties that are used to uniquely qualify the lookup (nil if not required). +func GetBackendConfigCmpv2(ctx *pulumi.Context, + name string, id pulumi.IDInput, state *BackendConfigCmpv2State, opts ...pulumi.ResourceOption) (*BackendConfigCmpv2, error) { + var resource BackendConfigCmpv2 + err := ctx.ReadResource("vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2", name, id, state, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// Input properties used for looking up and filtering BackendConfigCmpv2 resources. +type backendConfigCmpv2State struct { + // Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. 
+ // + // + AuditFields []string `pulumi:"auditFields"` + // Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + Authenticators *BackendConfigCmpv2Authenticators `pulumi:"authenticators"` + // The path to the PKI secret backend to + // read the CMPv2 configuration from, with no leading or trailing `/`s. + Backend *string `pulumi:"backend"` + // Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + DefaultPathPolicy *string `pulumi:"defaultPathPolicy"` + // If set, parse out fields from the provided CSR making them available for Sentinel policies. + EnableSentinelParsing *bool `pulumi:"enableSentinelParsing"` + // Specifies whether CMPv2 is enabled. + Enabled *bool `pulumi:"enabled"` + // A read-only timestamp representing the last time the configuration was updated. + LastUpdated *string `pulumi:"lastUpdated"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace *string `pulumi:"namespace"` +} + +type BackendConfigCmpv2State struct { + // Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + // + // + AuditFields pulumi.StringArrayInput + // Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + Authenticators BackendConfigCmpv2AuthenticatorsPtrInput + // The path to the PKI secret backend to + // read the CMPv2 configuration from, with no leading or trailing `/`s. + Backend pulumi.StringPtrInput + // Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. 
+ DefaultPathPolicy pulumi.StringPtrInput + // If set, parse out fields from the provided CSR making them available for Sentinel policies. + EnableSentinelParsing pulumi.BoolPtrInput + // Specifies whether CMPv2 is enabled. + Enabled pulumi.BoolPtrInput + // A read-only timestamp representing the last time the configuration was updated. + LastUpdated pulumi.StringPtrInput + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace pulumi.StringPtrInput +} + +func (BackendConfigCmpv2State) ElementType() reflect.Type { + return reflect.TypeOf((*backendConfigCmpv2State)(nil)).Elem() +} + +type backendConfigCmpv2Args struct { + // Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + // + // + AuditFields []string `pulumi:"auditFields"` + // Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + Authenticators *BackendConfigCmpv2Authenticators `pulumi:"authenticators"` + // The path to the PKI secret backend to + // read the CMPv2 configuration from, with no leading or trailing `/`s. + Backend string `pulumi:"backend"` + // Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + DefaultPathPolicy *string `pulumi:"defaultPathPolicy"` + // If set, parse out fields from the provided CSR making them available for Sentinel policies. + EnableSentinelParsing *bool `pulumi:"enableSentinelParsing"` + // Specifies whether CMPv2 is enabled. + Enabled *bool `pulumi:"enabled"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. 
+ // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace *string `pulumi:"namespace"` +} + +// The set of arguments for constructing a BackendConfigCmpv2 resource. +type BackendConfigCmpv2Args struct { + // Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + // + // + AuditFields pulumi.StringArrayInput + // Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + Authenticators BackendConfigCmpv2AuthenticatorsPtrInput + // The path to the PKI secret backend to + // read the CMPv2 configuration from, with no leading or trailing `/`s. + Backend pulumi.StringInput + // Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + DefaultPathPolicy pulumi.StringPtrInput + // If set, parse out fields from the provided CSR making them available for Sentinel policies. + EnableSentinelParsing pulumi.BoolPtrInput + // Specifies whether CMPv2 is enabled. + Enabled pulumi.BoolPtrInput + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. + // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. 
+ Namespace pulumi.StringPtrInput +} + +func (BackendConfigCmpv2Args) ElementType() reflect.Type { + return reflect.TypeOf((*backendConfigCmpv2Args)(nil)).Elem() +} + +type BackendConfigCmpv2Input interface { + pulumi.Input + + ToBackendConfigCmpv2Output() BackendConfigCmpv2Output + ToBackendConfigCmpv2OutputWithContext(ctx context.Context) BackendConfigCmpv2Output +} + +func (*BackendConfigCmpv2) ElementType() reflect.Type { + return reflect.TypeOf((**BackendConfigCmpv2)(nil)).Elem() +} + +func (i *BackendConfigCmpv2) ToBackendConfigCmpv2Output() BackendConfigCmpv2Output { + return i.ToBackendConfigCmpv2OutputWithContext(context.Background()) +} + +func (i *BackendConfigCmpv2) ToBackendConfigCmpv2OutputWithContext(ctx context.Context) BackendConfigCmpv2Output { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigCmpv2Output) +} + +// BackendConfigCmpv2ArrayInput is an input type that accepts BackendConfigCmpv2Array and BackendConfigCmpv2ArrayOutput values. +// You can construct a concrete instance of `BackendConfigCmpv2ArrayInput` via: +// +// BackendConfigCmpv2Array{ BackendConfigCmpv2Args{...} } +type BackendConfigCmpv2ArrayInput interface { + pulumi.Input + + ToBackendConfigCmpv2ArrayOutput() BackendConfigCmpv2ArrayOutput + ToBackendConfigCmpv2ArrayOutputWithContext(context.Context) BackendConfigCmpv2ArrayOutput +} + +type BackendConfigCmpv2Array []BackendConfigCmpv2Input + +func (BackendConfigCmpv2Array) ElementType() reflect.Type { + return reflect.TypeOf((*[]*BackendConfigCmpv2)(nil)).Elem() +} + +func (i BackendConfigCmpv2Array) ToBackendConfigCmpv2ArrayOutput() BackendConfigCmpv2ArrayOutput { + return i.ToBackendConfigCmpv2ArrayOutputWithContext(context.Background()) +} + +func (i BackendConfigCmpv2Array) ToBackendConfigCmpv2ArrayOutputWithContext(ctx context.Context) BackendConfigCmpv2ArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigCmpv2ArrayOutput) +} + +// BackendConfigCmpv2MapInput is an input type that accepts 
BackendConfigCmpv2Map and BackendConfigCmpv2MapOutput values. +// You can construct a concrete instance of `BackendConfigCmpv2MapInput` via: +// +// BackendConfigCmpv2Map{ "key": BackendConfigCmpv2Args{...} } +type BackendConfigCmpv2MapInput interface { + pulumi.Input + + ToBackendConfigCmpv2MapOutput() BackendConfigCmpv2MapOutput + ToBackendConfigCmpv2MapOutputWithContext(context.Context) BackendConfigCmpv2MapOutput +} + +type BackendConfigCmpv2Map map[string]BackendConfigCmpv2Input + +func (BackendConfigCmpv2Map) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*BackendConfigCmpv2)(nil)).Elem() +} + +func (i BackendConfigCmpv2Map) ToBackendConfigCmpv2MapOutput() BackendConfigCmpv2MapOutput { + return i.ToBackendConfigCmpv2MapOutputWithContext(context.Background()) +} + +func (i BackendConfigCmpv2Map) ToBackendConfigCmpv2MapOutputWithContext(ctx context.Context) BackendConfigCmpv2MapOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigCmpv2MapOutput) +} + +type BackendConfigCmpv2Output struct{ *pulumi.OutputState } + +func (BackendConfigCmpv2Output) ElementType() reflect.Type { + return reflect.TypeOf((**BackendConfigCmpv2)(nil)).Elem() +} + +func (o BackendConfigCmpv2Output) ToBackendConfigCmpv2Output() BackendConfigCmpv2Output { + return o +} + +func (o BackendConfigCmpv2Output) ToBackendConfigCmpv2OutputWithContext(ctx context.Context) BackendConfigCmpv2Output { + return o +} + +// Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. +// +// +func (o BackendConfigCmpv2Output) AuditFields() pulumi.StringArrayOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) pulumi.StringArrayOutput { return v.AuditFields }).(pulumi.StringArrayOutput) +} + +// Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). 
+func (o BackendConfigCmpv2Output) Authenticators() BackendConfigCmpv2AuthenticatorsOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) BackendConfigCmpv2AuthenticatorsOutput { return v.Authenticators }).(BackendConfigCmpv2AuthenticatorsOutput) +} + +// The path to the PKI secret backend to +// read the CMPv2 configuration from, with no leading or trailing `/`s. +func (o BackendConfigCmpv2Output) Backend() pulumi.StringOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) pulumi.StringOutput { return v.Backend }).(pulumi.StringOutput) +} + +// Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. +func (o BackendConfigCmpv2Output) DefaultPathPolicy() pulumi.StringPtrOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) pulumi.StringPtrOutput { return v.DefaultPathPolicy }).(pulumi.StringPtrOutput) +} + +// If set, parse out fields from the provided CSR making them available for Sentinel policies. +func (o BackendConfigCmpv2Output) EnableSentinelParsing() pulumi.BoolPtrOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) pulumi.BoolPtrOutput { return v.EnableSentinelParsing }).(pulumi.BoolPtrOutput) +} + +// Specifies whether CMPv2 is enabled. +func (o BackendConfigCmpv2Output) Enabled() pulumi.BoolPtrOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) pulumi.BoolPtrOutput { return v.Enabled }).(pulumi.BoolPtrOutput) +} + +// A read-only timestamp representing the last time the configuration was updated. +func (o BackendConfigCmpv2Output) LastUpdated() pulumi.StringOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) pulumi.StringOutput { return v.LastUpdated }).(pulumi.StringOutput) +} + +// The namespace of the target resource. +// The value should not contain leading or trailing forward slashes. +// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). 
+// *Available only for Vault Enterprise*. +func (o BackendConfigCmpv2Output) Namespace() pulumi.StringPtrOutput { + return o.ApplyT(func(v *BackendConfigCmpv2) pulumi.StringPtrOutput { return v.Namespace }).(pulumi.StringPtrOutput) +} + +type BackendConfigCmpv2ArrayOutput struct{ *pulumi.OutputState } + +func (BackendConfigCmpv2ArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]*BackendConfigCmpv2)(nil)).Elem() +} + +func (o BackendConfigCmpv2ArrayOutput) ToBackendConfigCmpv2ArrayOutput() BackendConfigCmpv2ArrayOutput { + return o +} + +func (o BackendConfigCmpv2ArrayOutput) ToBackendConfigCmpv2ArrayOutputWithContext(ctx context.Context) BackendConfigCmpv2ArrayOutput { + return o +} + +func (o BackendConfigCmpv2ArrayOutput) Index(i pulumi.IntInput) BackendConfigCmpv2Output { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) *BackendConfigCmpv2 { + return vs[0].([]*BackendConfigCmpv2)[vs[1].(int)] + }).(BackendConfigCmpv2Output) +} + +type BackendConfigCmpv2MapOutput struct{ *pulumi.OutputState } + +func (BackendConfigCmpv2MapOutput) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*BackendConfigCmpv2)(nil)).Elem() +} + +func (o BackendConfigCmpv2MapOutput) ToBackendConfigCmpv2MapOutput() BackendConfigCmpv2MapOutput { + return o +} + +func (o BackendConfigCmpv2MapOutput) ToBackendConfigCmpv2MapOutputWithContext(ctx context.Context) BackendConfigCmpv2MapOutput { + return o +} + +func (o BackendConfigCmpv2MapOutput) MapIndex(k pulumi.StringInput) BackendConfigCmpv2Output { + return pulumi.All(o, k).ApplyT(func(vs []interface{}) *BackendConfigCmpv2 { + return vs[0].(map[string]*BackendConfigCmpv2)[vs[1].(string)] + }).(BackendConfigCmpv2Output) +} + +func init() { + pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigCmpv2Input)(nil)).Elem(), &BackendConfigCmpv2{}) + pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigCmpv2ArrayInput)(nil)).Elem(), BackendConfigCmpv2Array{}) + 
pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigCmpv2MapInput)(nil)).Elem(), BackendConfigCmpv2Map{}) + pulumi.RegisterOutputType(BackendConfigCmpv2Output{}) + pulumi.RegisterOutputType(BackendConfigCmpv2ArrayOutput{}) + pulumi.RegisterOutputType(BackendConfigCmpv2MapOutput{}) +} diff --git a/sdk/go/vault/pkisecret/getBackendConfigCmpv2.go b/sdk/go/vault/pkisecret/getBackendConfigCmpv2.go new file mode 100644 index 00000000..c0767e66 --- /dev/null +++ b/sdk/go/vault/pkisecret/getBackendConfigCmpv2.go 
@@ -0,0 +1,164 @@ +// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT. +// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! *** + +package pkisecret + +import ( + "context" + "reflect" + + "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/internal" + "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +) + +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-vault/sdk/v6/go/vault" +// "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{ +// Path: pulumi.String("pki"), +// Type: pulumi.String("pki"), +// Description: pulumi.String("PKI secret engine mount"), +// }) +// if err != nil { +// return err +// } +// _ = pkisecret.GetBackendConfigCmpv2Output(ctx, pkisecret.GetBackendConfigCmpv2OutputArgs{ +// Backend: pki.Path, +// }, nil) +// return nil +// }) +// } +// +// ``` +func LookupBackendConfigCmpv2(ctx *pulumi.Context, args *LookupBackendConfigCmpv2Args, opts ...pulumi.InvokeOption) (*LookupBackendConfigCmpv2Result, error) { + opts = internal.PkgInvokeDefaultOpts(opts) + var rv LookupBackendConfigCmpv2Result + err := ctx.Invoke("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", args, &rv, opts...) + if err != nil { + return nil, err + } + return &rv, nil +} + +// A collection of arguments for invoking getBackendConfigCmpv2. +type LookupBackendConfigCmpv2Args struct { + // The path to the PKI secret backend to + // read the CMPv2 configuration from, with no leading or trailing `/`s. + // + // # Attributes Reference + Backend string `pulumi:"backend"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. 
+ // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace *string `pulumi:"namespace"` +} + +// A collection of values returned by getBackendConfigCmpv2. +type LookupBackendConfigCmpv2Result struct { + AuditFields []string `pulumi:"auditFields"` + Authenticators []GetBackendConfigCmpv2Authenticator `pulumi:"authenticators"` + Backend string `pulumi:"backend"` + DefaultPathPolicy string `pulumi:"defaultPathPolicy"` + EnableSentinelParsing bool `pulumi:"enableSentinelParsing"` + Enabled bool `pulumi:"enabled"` + // The provider-assigned unique ID for this managed resource. + Id string `pulumi:"id"` + LastUpdated string `pulumi:"lastUpdated"` + Namespace *string `pulumi:"namespace"` +} + +func LookupBackendConfigCmpv2Output(ctx *pulumi.Context, args LookupBackendConfigCmpv2OutputArgs, opts ...pulumi.InvokeOption) LookupBackendConfigCmpv2ResultOutput { + return pulumi.ToOutputWithContext(ctx.Context(), args). + ApplyT(func(v interface{}) (LookupBackendConfigCmpv2ResultOutput, error) { + args := v.(LookupBackendConfigCmpv2Args) + options := pulumi.InvokeOutputOptions{InvokeOptions: internal.PkgInvokeDefaultOpts(opts)} + return ctx.InvokeOutput("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", args, LookupBackendConfigCmpv2ResultOutput{}, options).(LookupBackendConfigCmpv2ResultOutput), nil + }).(LookupBackendConfigCmpv2ResultOutput) +} + +// A collection of arguments for invoking getBackendConfigCmpv2. +type LookupBackendConfigCmpv2OutputArgs struct { + // The path to the PKI secret backend to + // read the CMPv2 configuration from, with no leading or trailing `/`s. + // + // # Attributes Reference + Backend pulumi.StringInput `pulumi:"backend"` + // The namespace of the target resource. + // The value should not contain leading or trailing forward slashes. 
+ // The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + // *Available only for Vault Enterprise*. + Namespace pulumi.StringPtrInput `pulumi:"namespace"` +} + +func (LookupBackendConfigCmpv2OutputArgs) ElementType() reflect.Type { + return reflect.TypeOf((*LookupBackendConfigCmpv2Args)(nil)).Elem() +} + +// A collection of values returned by getBackendConfigCmpv2. +type LookupBackendConfigCmpv2ResultOutput struct{ *pulumi.OutputState } + +func (LookupBackendConfigCmpv2ResultOutput) ElementType() reflect.Type { + return reflect.TypeOf((*LookupBackendConfigCmpv2Result)(nil)).Elem() +} + +func (o LookupBackendConfigCmpv2ResultOutput) ToLookupBackendConfigCmpv2ResultOutput() LookupBackendConfigCmpv2ResultOutput { + return o +} + +func (o LookupBackendConfigCmpv2ResultOutput) ToLookupBackendConfigCmpv2ResultOutputWithContext(ctx context.Context) LookupBackendConfigCmpv2ResultOutput { + return o +} + +func (o LookupBackendConfigCmpv2ResultOutput) AuditFields() pulumi.StringArrayOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) []string { return v.AuditFields }).(pulumi.StringArrayOutput) +} + +func (o LookupBackendConfigCmpv2ResultOutput) Authenticators() GetBackendConfigCmpv2AuthenticatorArrayOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) []GetBackendConfigCmpv2Authenticator { return v.Authenticators }).(GetBackendConfigCmpv2AuthenticatorArrayOutput) +} + +func (o LookupBackendConfigCmpv2ResultOutput) Backend() pulumi.StringOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) string { return v.Backend }).(pulumi.StringOutput) +} + +func (o LookupBackendConfigCmpv2ResultOutput) DefaultPathPolicy() pulumi.StringOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) string { return v.DefaultPathPolicy }).(pulumi.StringOutput) +} + +func (o LookupBackendConfigCmpv2ResultOutput) EnableSentinelParsing() pulumi.BoolOutput { + 
return o.ApplyT(func(v LookupBackendConfigCmpv2Result) bool { return v.EnableSentinelParsing }).(pulumi.BoolOutput) +} + +func (o LookupBackendConfigCmpv2ResultOutput) Enabled() pulumi.BoolOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) bool { return v.Enabled }).(pulumi.BoolOutput) +} + +// The provider-assigned unique ID for this managed resource. +func (o LookupBackendConfigCmpv2ResultOutput) Id() pulumi.StringOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) string { return v.Id }).(pulumi.StringOutput) +} + +func (o LookupBackendConfigCmpv2ResultOutput) LastUpdated() pulumi.StringOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) string { return v.LastUpdated }).(pulumi.StringOutput) +} + +func (o LookupBackendConfigCmpv2ResultOutput) Namespace() pulumi.StringPtrOutput { + return o.ApplyT(func(v LookupBackendConfigCmpv2Result) *string { return v.Namespace }).(pulumi.StringPtrOutput) +} + +func init() { + pulumi.RegisterOutputType(LookupBackendConfigCmpv2ResultOutput{}) +} diff --git a/sdk/go/vault/pkisecret/init.go b/sdk/go/vault/pkisecret/init.go index 85d6a965..0777adb6 100644 --- a/sdk/go/vault/pkisecret/init.go +++ b/sdk/go/vault/pkisecret/init.go @@ -21,8 +21,14 @@ func (m *module) Version() semver.Version { func (m *module) Construct(ctx *pulumi.Context, name, typ, urn string) (r pulumi.Resource, err error) { switch typ { + case "vault:pkiSecret/backendAcmeEab:BackendAcmeEab": + r = &BackendAcmeEab{} + case "vault:pkiSecret/backendConfigAcme:BackendConfigAcme": + r = &BackendConfigAcme{} case "vault:pkiSecret/backendConfigCluster:BackendConfigCluster": r = &BackendConfigCluster{} + case "vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2": + r = &BackendConfigCmpv2{} case "vault:pkiSecret/backendConfigEst:BackendConfigEst": r = &BackendConfigEst{} case "vault:pkiSecret/secretBackendCert:SecretBackendCert": 
@@ -64,11 +70,26 @@ func init() { if err != nil { version = semver.Version{Major: 1} } + pulumi.RegisterResourceModule( + "vault", + "pkiSecret/backendAcmeEab", + &module{version}, + ) + pulumi.RegisterResourceModule( + "vault", + "pkiSecret/backendConfigAcme", + &module{version}, + ) pulumi.RegisterResourceModule( "vault", "pkiSecret/backendConfigCluster", &module{version}, ) + pulumi.RegisterResourceModule( + "vault", + "pkiSecret/backendConfigCmpv2", + &module{version}, + ) pulumi.RegisterResourceModule( "vault", "pkiSecret/backendConfigEst", diff --git a/sdk/go/vault/pkisecret/pulumiTypes.go b/sdk/go/vault/pkisecret/pulumiTypes.go index 6d519f62..a902c617 100644 --- a/sdk/go/vault/pkisecret/pulumiTypes.go +++ b/sdk/go/vault/pkisecret/pulumiTypes.go 
@@ -13,6 +13,143 @@ import ( var _ = internal.GetEnvOrDefault +type BackendConfigCmpv2Authenticators struct { + // "The accessor (required) and certRole (optional) properties for cert auth backends". + Cert map[string]string `pulumi:"cert"` +} + +// BackendConfigCmpv2AuthenticatorsInput is an input type that accepts BackendConfigCmpv2AuthenticatorsArgs and BackendConfigCmpv2AuthenticatorsOutput values. +// You can construct a concrete instance of `BackendConfigCmpv2AuthenticatorsInput` via: +// +// BackendConfigCmpv2AuthenticatorsArgs{...} +type BackendConfigCmpv2AuthenticatorsInput interface { + pulumi.Input + + ToBackendConfigCmpv2AuthenticatorsOutput() BackendConfigCmpv2AuthenticatorsOutput + ToBackendConfigCmpv2AuthenticatorsOutputWithContext(context.Context) BackendConfigCmpv2AuthenticatorsOutput +} + +type BackendConfigCmpv2AuthenticatorsArgs struct { + // "The accessor (required) and certRole (optional) properties for cert auth backends". + Cert pulumi.StringMapInput `pulumi:"cert"` +} + +func (BackendConfigCmpv2AuthenticatorsArgs) ElementType() reflect.Type { + return reflect.TypeOf((*BackendConfigCmpv2Authenticators)(nil)).Elem() +} + +func (i BackendConfigCmpv2AuthenticatorsArgs) ToBackendConfigCmpv2AuthenticatorsOutput() BackendConfigCmpv2AuthenticatorsOutput { + return i.ToBackendConfigCmpv2AuthenticatorsOutputWithContext(context.Background()) +} + +func (i BackendConfigCmpv2AuthenticatorsArgs) ToBackendConfigCmpv2AuthenticatorsOutputWithContext(ctx context.Context) BackendConfigCmpv2AuthenticatorsOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigCmpv2AuthenticatorsOutput) +} + +func (i BackendConfigCmpv2AuthenticatorsArgs) ToBackendConfigCmpv2AuthenticatorsPtrOutput() BackendConfigCmpv2AuthenticatorsPtrOutput { + return i.ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(context.Background()) +} + +func (i BackendConfigCmpv2AuthenticatorsArgs) ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(ctx context.Context) 
BackendConfigCmpv2AuthenticatorsPtrOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigCmpv2AuthenticatorsOutput).ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(ctx) +} + +// BackendConfigCmpv2AuthenticatorsPtrInput is an input type that accepts BackendConfigCmpv2AuthenticatorsArgs, BackendConfigCmpv2AuthenticatorsPtr and BackendConfigCmpv2AuthenticatorsPtrOutput values. +// You can construct a concrete instance of `BackendConfigCmpv2AuthenticatorsPtrInput` via: +// +// BackendConfigCmpv2AuthenticatorsArgs{...} +// +// or: +// +// nil +type BackendConfigCmpv2AuthenticatorsPtrInput interface { + pulumi.Input + + ToBackendConfigCmpv2AuthenticatorsPtrOutput() BackendConfigCmpv2AuthenticatorsPtrOutput + ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(context.Context) BackendConfigCmpv2AuthenticatorsPtrOutput +} + +type backendConfigCmpv2AuthenticatorsPtrType BackendConfigCmpv2AuthenticatorsArgs + +func BackendConfigCmpv2AuthenticatorsPtr(v *BackendConfigCmpv2AuthenticatorsArgs) BackendConfigCmpv2AuthenticatorsPtrInput { + return (*backendConfigCmpv2AuthenticatorsPtrType)(v) +} + +func (*backendConfigCmpv2AuthenticatorsPtrType) ElementType() reflect.Type { + return reflect.TypeOf((**BackendConfigCmpv2Authenticators)(nil)).Elem() +} + +func (i *backendConfigCmpv2AuthenticatorsPtrType) ToBackendConfigCmpv2AuthenticatorsPtrOutput() BackendConfigCmpv2AuthenticatorsPtrOutput { + return i.ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(context.Background()) +} + +func (i *backendConfigCmpv2AuthenticatorsPtrType) ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(ctx context.Context) BackendConfigCmpv2AuthenticatorsPtrOutput { + return pulumi.ToOutputWithContext(ctx, i).(BackendConfigCmpv2AuthenticatorsPtrOutput) +} + +type BackendConfigCmpv2AuthenticatorsOutput struct{ *pulumi.OutputState } + +func (BackendConfigCmpv2AuthenticatorsOutput) ElementType() reflect.Type { + return 
reflect.TypeOf((*BackendConfigCmpv2Authenticators)(nil)).Elem() +} + +func (o BackendConfigCmpv2AuthenticatorsOutput) ToBackendConfigCmpv2AuthenticatorsOutput() BackendConfigCmpv2AuthenticatorsOutput { + return o +} + +func (o BackendConfigCmpv2AuthenticatorsOutput) ToBackendConfigCmpv2AuthenticatorsOutputWithContext(ctx context.Context) BackendConfigCmpv2AuthenticatorsOutput { + return o +} + +func (o BackendConfigCmpv2AuthenticatorsOutput) ToBackendConfigCmpv2AuthenticatorsPtrOutput() BackendConfigCmpv2AuthenticatorsPtrOutput { + return o.ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(context.Background()) +} + +func (o BackendConfigCmpv2AuthenticatorsOutput) ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(ctx context.Context) BackendConfigCmpv2AuthenticatorsPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, v BackendConfigCmpv2Authenticators) *BackendConfigCmpv2Authenticators { + return &v + }).(BackendConfigCmpv2AuthenticatorsPtrOutput) +} + +// "The accessor (required) and certRole (optional) properties for cert auth backends". 
+func (o BackendConfigCmpv2AuthenticatorsOutput) Cert() pulumi.StringMapOutput { + return o.ApplyT(func(v BackendConfigCmpv2Authenticators) map[string]string { return v.Cert }).(pulumi.StringMapOutput) +} + +type BackendConfigCmpv2AuthenticatorsPtrOutput struct{ *pulumi.OutputState } + +func (BackendConfigCmpv2AuthenticatorsPtrOutput) ElementType() reflect.Type { + return reflect.TypeOf((**BackendConfigCmpv2Authenticators)(nil)).Elem() +} + +func (o BackendConfigCmpv2AuthenticatorsPtrOutput) ToBackendConfigCmpv2AuthenticatorsPtrOutput() BackendConfigCmpv2AuthenticatorsPtrOutput { + return o +} + +func (o BackendConfigCmpv2AuthenticatorsPtrOutput) ToBackendConfigCmpv2AuthenticatorsPtrOutputWithContext(ctx context.Context) BackendConfigCmpv2AuthenticatorsPtrOutput { + return o +} + +func (o BackendConfigCmpv2AuthenticatorsPtrOutput) Elem() BackendConfigCmpv2AuthenticatorsOutput { + return o.ApplyT(func(v *BackendConfigCmpv2Authenticators) BackendConfigCmpv2Authenticators { + if v != nil { + return *v + } + var ret BackendConfigCmpv2Authenticators + return ret + }).(BackendConfigCmpv2AuthenticatorsOutput) +} + +// "The accessor (required) and certRole (optional) properties for cert auth backends". +func (o BackendConfigCmpv2AuthenticatorsPtrOutput) Cert() pulumi.StringMapOutput { + return o.ApplyT(func(v *BackendConfigCmpv2Authenticators) map[string]string { + if v == nil { + return nil + } + return v.Cert + }).(pulumi.StringMapOutput) +} + type BackendConfigEstAuthenticators struct { // "The accessor (required) and certRole (optional) properties for cert auth backends". Cert map[string]string `pulumi:"cert"` 
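Review bot: The comment on `Cert` in `BackendConfigCmpv2Authenticators` (repeated on `BackendConfigCmpv2AuthenticatorsArgs` and on both `Cert()` accessors in this hunk) keeps literal quotation marks around the sentence and names the optional key `certRole`, while the field itself is an untyped `map[string]string`, so a misspelled key still compiles. I would drop the quotes and spell the keys exactly as the provider reads them, for example `// Cert auth backend settings; map keys: "accessor" (required) and the optional cert role key.` Whether that optional key is spelled `certRole` or `cert_role` is not visible in this hunk and should be confirmed against the provider schema. The file looks generated, so the wording is probably best corrected in the upstream field description.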
@@ -290,6 +427,103 @@ func (o SecretBackendRolePolicyIdentifierArrayOutput) Index(i pulumi.IntInput) S }).(SecretBackendRolePolicyIdentifierOutput) } +type GetBackendConfigCmpv2Authenticator struct { + // The accessor and certRole properties for cert auth backends + Cert map[string]string `pulumi:"cert"` +} + +// GetBackendConfigCmpv2AuthenticatorInput is an input type that accepts GetBackendConfigCmpv2AuthenticatorArgs and GetBackendConfigCmpv2AuthenticatorOutput values. +// You can construct a concrete instance of `GetBackendConfigCmpv2AuthenticatorInput` via: +// +// GetBackendConfigCmpv2AuthenticatorArgs{...} +type GetBackendConfigCmpv2AuthenticatorInput interface { + pulumi.Input + + ToGetBackendConfigCmpv2AuthenticatorOutput() GetBackendConfigCmpv2AuthenticatorOutput + ToGetBackendConfigCmpv2AuthenticatorOutputWithContext(context.Context) GetBackendConfigCmpv2AuthenticatorOutput +} + +type GetBackendConfigCmpv2AuthenticatorArgs struct { + // The accessor and certRole properties for cert auth backends + Cert pulumi.StringMapInput `pulumi:"cert"` +} + +func (GetBackendConfigCmpv2AuthenticatorArgs) ElementType() reflect.Type { + return reflect.TypeOf((*GetBackendConfigCmpv2Authenticator)(nil)).Elem() +} + +func (i GetBackendConfigCmpv2AuthenticatorArgs) ToGetBackendConfigCmpv2AuthenticatorOutput() GetBackendConfigCmpv2AuthenticatorOutput { + return i.ToGetBackendConfigCmpv2AuthenticatorOutputWithContext(context.Background()) +} + +func (i GetBackendConfigCmpv2AuthenticatorArgs) ToGetBackendConfigCmpv2AuthenticatorOutputWithContext(ctx context.Context) GetBackendConfigCmpv2AuthenticatorOutput { + return pulumi.ToOutputWithContext(ctx, i).(GetBackendConfigCmpv2AuthenticatorOutput) +} + +// GetBackendConfigCmpv2AuthenticatorArrayInput is an input type that accepts GetBackendConfigCmpv2AuthenticatorArray and GetBackendConfigCmpv2AuthenticatorArrayOutput values. 
+// You can construct a concrete instance of `GetBackendConfigCmpv2AuthenticatorArrayInput` via: +// +// GetBackendConfigCmpv2AuthenticatorArray{ GetBackendConfigCmpv2AuthenticatorArgs{...} } +type GetBackendConfigCmpv2AuthenticatorArrayInput interface { + pulumi.Input + + ToGetBackendConfigCmpv2AuthenticatorArrayOutput() GetBackendConfigCmpv2AuthenticatorArrayOutput + ToGetBackendConfigCmpv2AuthenticatorArrayOutputWithContext(context.Context) GetBackendConfigCmpv2AuthenticatorArrayOutput +} + +type GetBackendConfigCmpv2AuthenticatorArray []GetBackendConfigCmpv2AuthenticatorInput + +func (GetBackendConfigCmpv2AuthenticatorArray) ElementType() reflect.Type { + return reflect.TypeOf((*[]GetBackendConfigCmpv2Authenticator)(nil)).Elem() +} + +func (i GetBackendConfigCmpv2AuthenticatorArray) ToGetBackendConfigCmpv2AuthenticatorArrayOutput() GetBackendConfigCmpv2AuthenticatorArrayOutput { + return i.ToGetBackendConfigCmpv2AuthenticatorArrayOutputWithContext(context.Background()) +} + +func (i GetBackendConfigCmpv2AuthenticatorArray) ToGetBackendConfigCmpv2AuthenticatorArrayOutputWithContext(ctx context.Context) GetBackendConfigCmpv2AuthenticatorArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(GetBackendConfigCmpv2AuthenticatorArrayOutput) +} + +type GetBackendConfigCmpv2AuthenticatorOutput struct{ *pulumi.OutputState } + +func (GetBackendConfigCmpv2AuthenticatorOutput) ElementType() reflect.Type { + return reflect.TypeOf((*GetBackendConfigCmpv2Authenticator)(nil)).Elem() +} + +func (o GetBackendConfigCmpv2AuthenticatorOutput) ToGetBackendConfigCmpv2AuthenticatorOutput() GetBackendConfigCmpv2AuthenticatorOutput { + return o +} + +func (o GetBackendConfigCmpv2AuthenticatorOutput) ToGetBackendConfigCmpv2AuthenticatorOutputWithContext(ctx context.Context) GetBackendConfigCmpv2AuthenticatorOutput { + return o +} + +// The accessor and certRole properties for cert auth backends +func (o GetBackendConfigCmpv2AuthenticatorOutput) Cert() pulumi.StringMapOutput { + 
return o.ApplyT(func(v GetBackendConfigCmpv2Authenticator) map[string]string { return v.Cert }).(pulumi.StringMapOutput) +} + +type GetBackendConfigCmpv2AuthenticatorArrayOutput struct{ *pulumi.OutputState } + +func (GetBackendConfigCmpv2AuthenticatorArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]GetBackendConfigCmpv2Authenticator)(nil)).Elem() +} + +func (o GetBackendConfigCmpv2AuthenticatorArrayOutput) ToGetBackendConfigCmpv2AuthenticatorArrayOutput() GetBackendConfigCmpv2AuthenticatorArrayOutput { + return o +} + +func (o GetBackendConfigCmpv2AuthenticatorArrayOutput) ToGetBackendConfigCmpv2AuthenticatorArrayOutputWithContext(ctx context.Context) GetBackendConfigCmpv2AuthenticatorArrayOutput { + return o +} + +func (o GetBackendConfigCmpv2AuthenticatorArrayOutput) Index(i pulumi.IntInput) GetBackendConfigCmpv2AuthenticatorOutput { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) GetBackendConfigCmpv2Authenticator { + return vs[0].([]GetBackendConfigCmpv2Authenticator)[vs[1].(int)] + }).(GetBackendConfigCmpv2AuthenticatorOutput) +} + type GetBackendConfigEstAuthenticator struct { // "The accessor and certRole properties for cert auth backends". Cert map[string]string `pulumi:"cert"` 
@@ -397,16 +631,24 @@ func (o GetBackendConfigEstAuthenticatorArrayOutput) Index(i pulumi.IntInput) Ge } func init() { + pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigCmpv2AuthenticatorsInput)(nil)).Elem(), BackendConfigCmpv2AuthenticatorsArgs{}) + pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigCmpv2AuthenticatorsPtrInput)(nil)).Elem(), BackendConfigCmpv2AuthenticatorsArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigEstAuthenticatorsInput)(nil)).Elem(), BackendConfigEstAuthenticatorsArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*BackendConfigEstAuthenticatorsPtrInput)(nil)).Elem(), BackendConfigEstAuthenticatorsArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*SecretBackendRolePolicyIdentifierInput)(nil)).Elem(), SecretBackendRolePolicyIdentifierArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*SecretBackendRolePolicyIdentifierArrayInput)(nil)).Elem(), SecretBackendRolePolicyIdentifierArray{}) + pulumi.RegisterInputType(reflect.TypeOf((*GetBackendConfigCmpv2AuthenticatorInput)(nil)).Elem(), GetBackendConfigCmpv2AuthenticatorArgs{}) + pulumi.RegisterInputType(reflect.TypeOf((*GetBackendConfigCmpv2AuthenticatorArrayInput)(nil)).Elem(), GetBackendConfigCmpv2AuthenticatorArray{}) pulumi.RegisterInputType(reflect.TypeOf((*GetBackendConfigEstAuthenticatorInput)(nil)).Elem(), GetBackendConfigEstAuthenticatorArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*GetBackendConfigEstAuthenticatorArrayInput)(nil)).Elem(), GetBackendConfigEstAuthenticatorArray{}) + pulumi.RegisterOutputType(BackendConfigCmpv2AuthenticatorsOutput{}) + pulumi.RegisterOutputType(BackendConfigCmpv2AuthenticatorsPtrOutput{}) pulumi.RegisterOutputType(BackendConfigEstAuthenticatorsOutput{}) pulumi.RegisterOutputType(BackendConfigEstAuthenticatorsPtrOutput{}) pulumi.RegisterOutputType(SecretBackendRolePolicyIdentifierOutput{}) pulumi.RegisterOutputType(SecretBackendRolePolicyIdentifierArrayOutput{}) + pulumi.RegisterOutputType(GetBackendConfigCmpv2AuthenticatorOutput{}) + 
pulumi.RegisterOutputType(GetBackendConfigCmpv2AuthenticatorArrayOutput{}) pulumi.RegisterOutputType(GetBackendConfigEstAuthenticatorOutput{}) pulumi.RegisterOutputType(GetBackendConfigEstAuthenticatorArrayOutput{}) } diff --git a/sdk/go/vault/pkisecret/secretBackendRole.go b/sdk/go/vault/pkisecret/secretBackendRole.go index 6b07eeba..8f2ab55c 100644 --- a/sdk/go/vault/pkisecret/secretBackendRole.go +++ b/sdk/go/vault/pkisecret/secretBackendRole.go @@ -104,6 +104,8 @@ type SecretBackendRole struct { BasicConstraintsValidForNonCa pulumi.BoolPtrOutput `pulumi:"basicConstraintsValidForNonCa"` // Flag to specify certificates for client use ClientFlag pulumi.BoolPtrOutput `pulumi:"clientFlag"` + // Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + CnValidations pulumi.StringArrayOutput `pulumi:"cnValidations"` // Flag to specify certificates for code signing use CodeSigningFlag pulumi.BoolPtrOutput `pulumi:"codeSigningFlag"` // The country of generated certificates @@ -240,6 +242,8 @@ type secretBackendRoleState struct { BasicConstraintsValidForNonCa *bool `pulumi:"basicConstraintsValidForNonCa"` // Flag to specify certificates for client use ClientFlag *bool `pulumi:"clientFlag"` + // Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + CnValidations []string `pulumi:"cnValidations"` // Flag to specify certificates for code signing use CodeSigningFlag *bool `pulumi:"codeSigningFlag"` // The country of generated certificates 
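Review bot: The new comment on `CnValidations` in `SecretBackendRole` (pkisecret, hunk at -104) lists the choices `email`, `hostname`, `disabled` without saying what `disabled` does or whether it may be combined with the other two. Because this field decides whether the certificate Common Name is checked at all, I would extend it to something like `// Validations to run on the certificate Common Name: email, hostname, or disabled (skips CN validation).` and state whether `disabled` must be the only entry, which this hunk does not show and should be confirmed against the Vault documentation. The same comment is repeated in the hunks at -240, -344, -452, -557 and -798 of this file, and the struct itself starts and ends outside the hunk. The file looks generated, so the change likely belongs in the upstream schema description.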
@@ -344,6 +348,8 @@ type SecretBackendRoleState struct { BasicConstraintsValidForNonCa pulumi.BoolPtrInput // Flag to specify certificates for client use ClientFlag pulumi.BoolPtrInput + // Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + CnValidations pulumi.StringArrayInput // Flag to specify certificates for code signing use CodeSigningFlag pulumi.BoolPtrInput // The country of generated certificates @@ -452,6 +458,8 @@ type secretBackendRoleArgs struct { BasicConstraintsValidForNonCa *bool `pulumi:"basicConstraintsValidForNonCa"` // Flag to specify certificates for client use ClientFlag *bool `pulumi:"clientFlag"` + // Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + CnValidations []string `pulumi:"cnValidations"` // Flag to specify certificates for code signing use CodeSigningFlag *bool `pulumi:"codeSigningFlag"` // The country of generated certificates @@ -557,6 +565,8 @@ type SecretBackendRoleArgs struct { BasicConstraintsValidForNonCa pulumi.BoolPtrInput // Flag to specify certificates for client use ClientFlag pulumi.BoolPtrInput + // Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + CnValidations pulumi.StringArrayInput // Flag to specify certificates for code signing use CodeSigningFlag pulumi.BoolPtrInput // The country of generated certificates 
@@ -798,6 +808,11 @@ func (o SecretBackendRoleOutput) ClientFlag() pulumi.BoolPtrOutput { return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.ClientFlag }).(pulumi.BoolPtrOutput) } +// Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` +func (o SecretBackendRoleOutput) CnValidations() pulumi.StringArrayOutput { + return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.CnValidations }).(pulumi.StringArrayOutput) +} + // Flag to specify certificates for code signing use func (o SecretBackendRoleOutput) CodeSigningFlag() pulumi.BoolPtrOutput { return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.CodeSigningFlag }).(pulumi.BoolPtrOutput) diff --git a/sdk/go/vault/ssh/secretBackendRole.go b/sdk/go/vault/ssh/secretBackendRole.go index e6fd29f6..b8f68fa5 100644 --- a/sdk/go/vault/ssh/secretBackendRole.go +++ b/sdk/go/vault/ssh/secretBackendRole.go @@ -75,7 +75,10 @@ type SecretBackendRole struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner pulumi.StringOutput `pulumi:"algorithmSigner"` // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains pulumi.BoolPtrOutput `pulumi:"allowBareDomains"` + AllowBareDomains pulumi.BoolPtrOutput `pulumi:"allowBareDomains"` + // Allow signing certificates with no + // valid principals (e.g. any valid principal). For backwards compatibility + // only. The default of false is highly recommended. AllowEmptyPrincipals pulumi.BoolPtrOutput `pulumi:"allowEmptyPrincipals"` // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates pulumi.BoolPtrOutput `pulumi:"allowHostCertificates"` 
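Review bot: The comment added above `AllowEmptyPrincipals` in the ssh `SecretBackendRole` struct (hunk at -75) says "no valid principals (e.g. any valid principal)", where "e.g." reads as an example although the parenthesis appears to state the consequence: a certificate signed without principals is presumably not restricted to any particular principal. I would reword the first sentence to `// Allow signing certificates that list no valid principals, i.e. certificates not restricted to specific principals.` and keep the two following lines about backwards compatibility and the recommended default of false. The same three-line comment is added in the hunks at -172, -234, -300, -363 and -518, and the struct continues outside the hunk. The file looks generated, so the wording is probably best fixed in the upstream description.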
@@ -172,7 +175,10 @@ type secretBackendRoleState struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner *string `pulumi:"algorithmSigner"` // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains *bool `pulumi:"allowBareDomains"` + AllowBareDomains *bool `pulumi:"allowBareDomains"` + // Allow signing certificates with no + // valid principals (e.g. any valid principal). For backwards compatibility + // only. The default of false is highly recommended. AllowEmptyPrincipals *bool `pulumi:"allowEmptyPrincipals"` // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates *bool `pulumi:"allowHostCertificates"` @@ -234,7 +240,10 @@ type SecretBackendRoleState struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner pulumi.StringPtrInput // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains pulumi.BoolPtrInput + AllowBareDomains pulumi.BoolPtrInput + // Allow signing certificates with no + // valid principals (e.g. any valid principal). For backwards compatibility + // only. The default of false is highly recommended. AllowEmptyPrincipals pulumi.BoolPtrInput // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates pulumi.BoolPtrInput 
@@ -300,7 +309,10 @@ type secretBackendRoleArgs struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner *string `pulumi:"algorithmSigner"` // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains *bool `pulumi:"allowBareDomains"` + AllowBareDomains *bool `pulumi:"allowBareDomains"` + // Allow signing certificates with no + // valid principals (e.g. any valid principal). For backwards compatibility + // only. The default of false is highly recommended. AllowEmptyPrincipals *bool `pulumi:"allowEmptyPrincipals"` // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates *bool `pulumi:"allowHostCertificates"` @@ -363,7 +375,10 @@ type SecretBackendRoleArgs struct { // When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. AlgorithmSigner pulumi.StringPtrInput // Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. - AllowBareDomains pulumi.BoolPtrInput + AllowBareDomains pulumi.BoolPtrInput + // Allow signing certificates with no + // valid principals (e.g. any valid principal). For backwards compatibility + // only. The default of false is highly recommended. AllowEmptyPrincipals pulumi.BoolPtrInput // Specifies if certificates are allowed to be signed for use as a 'host'. AllowHostCertificates pulumi.BoolPtrInput 
@@ -518,6 +533,9 @@ func (o SecretBackendRoleOutput) AllowBareDomains() pulumi.BoolPtrOutput { return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowBareDomains }).(pulumi.BoolPtrOutput) } +// Allow signing certificates with no +// valid principals (e.g. any valid principal). For backwards compatibility +// only. The default of false is highly recommended. func (o SecretBackendRoleOutput) AllowEmptyPrincipals() pulumi.BoolPtrOutput { return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowEmptyPrincipals }).(pulumi.BoolPtrOutput) } diff --git a/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRole.java b/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRole.java index 65df81b8..0e626a1f 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRole.java +++ b/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRole.java @@ -99,6 +99,20 @@ public Output accountId() { public Output> backend() { return Codegen.optional(this.backend); } + /** + * External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + */ + @Export(name="externalId", refs={String.class}, tree="[0]") + private Output externalId; + + /** + * @return External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + */ + public Output> externalId() { + return Codegen.optional(this.externalId); + } /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. diff --git a/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRoleArgs.java b/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRoleArgs.java index d9d6ab23..4ee1710f 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRoleArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/aws/AuthBackendStsRoleArgs.java 
@@ -48,6 +48,21 @@ public Optional> backend() { return Optional.ofNullable(this.backend); } + /** + * External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + */ + @Import(name="externalId") + private @Nullable Output externalId; + + /** + * @return External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + */ + public Optional> externalId() { + return Optional.ofNullable(this.externalId); + } + /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. @@ -91,6 +106,7 @@ private AuthBackendStsRoleArgs() {} private AuthBackendStsRoleArgs(AuthBackendStsRoleArgs $) { this.accountId = $.accountId; this.backend = $.backend; + this.externalId = $.externalId; this.namespace = $.namespace; this.stsRole = $.stsRole; } @@ -157,6 +173,27 @@ public Builder backend(String backend) { return backend(Output.of(backend)); } + /** + * @param externalId External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + * @return builder + * + */ + public Builder externalId(@Nullable Output externalId) { + $.externalId = externalId; + return this; + } + + /** + * @param externalId External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + * @return builder + * + */ + public Builder externalId(String externalId) { + return externalId(Output.of(externalId)); + } + /** * @param namespace The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. diff --git a/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackend.java b/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackend.java index bc5c6a41..87bb19f3 100644 
--- a/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackend.java +++ b/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackend.java @@ -269,6 +269,48 @@ public Output> secretKey() { public Output> stsEndpoint() { return Codegen.optional(this.stsEndpoint); } + /** + * Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + */ + @Export(name="stsFallbackEndpoints", refs={List.class,String.class}, tree="[0,1]") + private Output> stsFallbackEndpoints; + + /** + * @return Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + */ + public Output>> stsFallbackEndpoints() { + return Codegen.optional(this.stsFallbackEndpoints); + } + /** + * Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + */ + @Export(name="stsFallbackRegions", refs={List.class,String.class}, tree="[0,1]") + private Output> stsFallbackRegions; + + /** + * @return Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + */ + public Output>> stsFallbackRegions() { + return Codegen.optional(this.stsFallbackRegions); + } + /** + * Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + */ + @Export(name="stsRegion", refs={String.class}, tree="[0]") + private Output stsRegion; + + /** + * @return Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + */ + public Output> stsRegion() { + return Codegen.optional(this.stsRegion); + } /** * Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: * 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackendArgs.java b/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackendArgs.java index 70d53709..941cdddc 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackendArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/aws/SecretBackendArgs.java @@ -8,6 +8,7 @@ import java.lang.Boolean; import java.lang.Integer; import java.lang.String; +import java.util.List; import java.util.Objects; import java.util.Optional; import javax.annotation.Nullable; 
@@ -273,6 +274,51 @@ public Optional> stsEndpoint() { return Optional.ofNullable(this.stsEndpoint); } + /** + * Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + */ + @Import(name="stsFallbackEndpoints") + private @Nullable Output> stsFallbackEndpoints; + + /** + * @return Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + */ + public Optional>> stsFallbackEndpoints() { + return Optional.ofNullable(this.stsFallbackEndpoints); + } + + /** + * Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + */ + @Import(name="stsFallbackRegions") + private @Nullable Output> stsFallbackRegions; + + /** + * @return Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + */ + public Optional>> stsFallbackRegions() { + return Optional.ofNullable(this.stsFallbackRegions); + } + + /** + * Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + */ + @Import(name="stsRegion") + private @Nullable Output stsRegion; + + /** + * @return Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + */ + public Optional> stsRegion() { + return Optional.ofNullable(this.stsRegion); + } + /** * Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: * 
@@ -307,6 +353,9 @@ private SecretBackendArgs(SecretBackendArgs $) { this.roleArn = $.roleArn; this.secretKey = $.secretKey; this.stsEndpoint = $.stsEndpoint; + this.stsFallbackEndpoints = $.stsFallbackEndpoints; + this.stsFallbackRegions = $.stsFallbackRegions; + this.stsRegion = $.stsRegion; this.usernameTemplate = $.usernameTemplate; } 
@@ -680,6 +729,89 @@ public Builder stsEndpoint(String stsEndpoint) { return stsEndpoint(Output.of(stsEndpoint)); } + /** + * @param stsFallbackEndpoints Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackEndpoints(@Nullable Output> stsFallbackEndpoints) { + $.stsFallbackEndpoints = stsFallbackEndpoints; + return this; + } + + /** + * @param stsFallbackEndpoints Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackEndpoints(List stsFallbackEndpoints) { + return stsFallbackEndpoints(Output.of(stsFallbackEndpoints)); + } + + /** + * @param stsFallbackEndpoints Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackEndpoints(String... stsFallbackEndpoints) { + return stsFallbackEndpoints(List.of(stsFallbackEndpoints)); + } + + /** + * @param stsFallbackRegions Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackRegions(@Nullable Output> stsFallbackRegions) { + $.stsFallbackRegions = stsFallbackRegions; + return this; + } + + /** + * @param stsFallbackRegions Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackRegions(List stsFallbackRegions) { + return stsFallbackRegions(Output.of(stsFallbackRegions)); + } + + /** + * @param stsFallbackRegions Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackRegions(String... 
stsFallbackRegions) { + return stsFallbackRegions(List.of(stsFallbackRegions)); + } + + /** + * @param stsRegion Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsRegion(@Nullable Output stsRegion) { + $.stsRegion = stsRegion; + return this; + } + + /** + * @param stsRegion Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsRegion(String stsRegion) { + return stsRegion(Output.of(stsRegion)); + } + /** * @param usernameTemplate Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: * diff --git a/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/AuthBackendStsRoleState.java b/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/AuthBackendStsRoleState.java index a8d7071f..e2c411cc 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/AuthBackendStsRoleState.java +++ b/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/AuthBackendStsRoleState.java @@ -47,6 +47,21 @@ public Optional> backend() { return Optional.ofNullable(this.backend); } + /** + * External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + */ + @Import(name="externalId") + private @Nullable Output externalId; + + /** + * @return External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + */ + public Optional> externalId() { + return Optional.ofNullable(this.externalId); + } + /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. 
@@ -90,6 +105,7 @@ private AuthBackendStsRoleState() {} private AuthBackendStsRoleState(AuthBackendStsRoleState $) { this.accountId = $.accountId; this.backend = $.backend; + this.externalId = $.externalId; this.namespace = $.namespace; this.stsRole = $.stsRole; } @@ -156,6 +172,27 @@ public Builder backend(String backend) { return backend(Output.of(backend)); } + /** + * @param externalId External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + * @return builder + * + */ + public Builder externalId(@Nullable Output externalId) { + $.externalId = externalId; + return this; + } + + /** + * @param externalId External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + * + * @return builder + * + */ + public Builder externalId(String externalId) { + return externalId(Output.of(externalId)); + } + /** * @param namespace The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. diff --git a/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/SecretBackendState.java b/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/SecretBackendState.java index df15b124..27d805f6 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/SecretBackendState.java +++ b/sdk/java/src/main/java/com/pulumi/vault/aws/inputs/SecretBackendState.java @@ -8,6 +8,7 @@ import java.lang.Boolean; import java.lang.Integer; import java.lang.String; +import java.util.List; import java.util.Objects; import java.util.Optional; import javax.annotation.Nullable; 
@@ -273,6 +274,51 @@ public Optional> stsEndpoint() { return Optional.ofNullable(this.stsEndpoint); } + /** + * Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + */ + @Import(name="stsFallbackEndpoints") + private @Nullable Output> stsFallbackEndpoints; + + /** + * @return Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + */ + public Optional>> stsFallbackEndpoints() { + return Optional.ofNullable(this.stsFallbackEndpoints); + } + + /** + * Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + */ + @Import(name="stsFallbackRegions") + private @Nullable Output> stsFallbackRegions; + + /** + * @return Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + */ + public Optional>> stsFallbackRegions() { + return Optional.ofNullable(this.stsFallbackRegions); + } + + /** + * Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + */ + @Import(name="stsRegion") + private @Nullable Output stsRegion; + + /** + * @return Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + */ + public Optional> stsRegion() { + return Optional.ofNullable(this.stsRegion); + } + /** * Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: * 
@@ -307,6 +353,9 @@ private SecretBackendState(SecretBackendState $) { this.roleArn = $.roleArn; this.secretKey = $.secretKey; this.stsEndpoint = $.stsEndpoint; + this.stsFallbackEndpoints = $.stsFallbackEndpoints; + this.stsFallbackRegions = $.stsFallbackRegions; + this.stsRegion = $.stsRegion; this.usernameTemplate = $.usernameTemplate; } 
@@ -680,6 +729,89 @@ public Builder stsEndpoint(String stsEndpoint) { return stsEndpoint(Output.of(stsEndpoint)); } + /** + * @param stsFallbackEndpoints Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackEndpoints(@Nullable Output> stsFallbackEndpoints) { + $.stsFallbackEndpoints = stsFallbackEndpoints; + return this; + } + + /** + * @param stsFallbackEndpoints Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackEndpoints(List stsFallbackEndpoints) { + return stsFallbackEndpoints(Output.of(stsFallbackEndpoints)); + } + + /** + * @param stsFallbackEndpoints Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackEndpoints(String... stsFallbackEndpoints) { + return stsFallbackEndpoints(List.of(stsFallbackEndpoints)); + } + + /** + * @param stsFallbackRegions Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackRegions(@Nullable Output> stsFallbackRegions) { + $.stsFallbackRegions = stsFallbackRegions; + return this; + } + + /** + * @param stsFallbackRegions Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackRegions(List stsFallbackRegions) { + return stsFallbackRegions(Output.of(stsFallbackRegions)); + } + + /** + * @param stsFallbackRegions Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsFallbackRegions(String... 
stsFallbackRegions) { + return stsFallbackRegions(List.of(stsFallbackRegions)); + } + + /** + * @param stsRegion Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsRegion(@Nullable Output stsRegion) { + $.stsRegion = stsRegion; + return this; + } + + /** + * @param stsRegion Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + * + * @return builder + * + */ + public Builder stsRegion(String stsRegion) { + return stsRegion(Output.of(stsRegion)); + } + /** * @param usernameTemplate Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java index ae4feea5..7f1b12b9 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretBackendConnectionPostgresqlArgs.java @@ -122,6 +122,21 @@ public Optional> password() { return Optional.ofNullable(this.password); } + /** + * When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + @Import(name="passwordAuthentication") + private @Nullable Output passwordAuthentication; + + /** + * @return When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + public Optional> passwordAuthentication() { + return Optional.ofNullable(this.passwordAuthentication); + } + /** * The secret key used for the x509 client certificate. Must be PEM encoded. * 
@@ -237,6 +252,7 @@ private SecretBackendConnectionPostgresqlArgs(SecretBackendConnectionPostgresqlA this.maxIdleConnections = $.maxIdleConnections; this.maxOpenConnections = $.maxOpenConnections; this.password = $.password; + this.passwordAuthentication = $.passwordAuthentication; this.privateKey = $.privateKey; this.selfManaged = $.selfManaged; this.serviceAccountJson = $.serviceAccountJson; @@ -411,6 +427,27 @@ public Builder password(String password) { return password(Output.of(password)); } + /** + * @param passwordAuthentication When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + * @return builder + * + */ + public Builder passwordAuthentication(@Nullable Output passwordAuthentication) { + $.passwordAuthentication = passwordAuthentication; + return this; + } + + /** + * @param passwordAuthentication When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + * @return builder + * + */ + public Builder passwordAuthentication(String passwordAuthentication) { + return passwordAuthentication(Output.of(passwordAuthentication)); + } + /** * @param privateKey The secret key used for the x509 client certificate. Must be PEM encoded. * diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java index e28e0811..4bde445e 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/inputs/SecretsMountPostgresqlArgs.java 
@@ -176,6 +176,21 @@ public Optional> password() { return Optional.ofNullable(this.password); } + /** + * When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + @Import(name="passwordAuthentication") + private @Nullable Output passwordAuthentication; + + /** + * @return When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + public Optional> passwordAuthentication() { + return Optional.ofNullable(this.passwordAuthentication); + } + /** * Specifies the name of the plugin to use. * @@ -341,6 +356,7 @@ private SecretsMountPostgresqlArgs(SecretsMountPostgresqlArgs $) { this.maxOpenConnections = $.maxOpenConnections; this.name = $.name; this.password = $.password; + this.passwordAuthentication = $.passwordAuthentication; this.pluginName = $.pluginName; this.privateKey = $.privateKey; this.rootRotationStatements = $.rootRotationStatements; @@ -598,6 +614,27 @@ public Builder password(String password) { return password(Output.of(password)); } + /** + * @param passwordAuthentication When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + * @return builder + * + */ + public Builder passwordAuthentication(@Nullable Output passwordAuthentication) { + $.passwordAuthentication = passwordAuthentication; + return this; + } + + /** + * @param passwordAuthentication When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + * @return builder + * + */ + public Builder passwordAuthentication(String passwordAuthentication) { + return passwordAuthentication(Output.of(passwordAuthentication)); + } + /** * @param pluginName Specifies the name of the plugin to use. * 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java index f5aa7c4d..962f477a 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretBackendConnectionPostgresql.java @@ -48,6 +48,11 @@ public final class SecretBackendConnectionPostgresql { * */ private @Nullable String password; + /** + * @return When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + private @Nullable String passwordAuthentication; /** * @return The secret key used for the x509 client certificate. Must be PEM encoded. * @@ -134,6 +139,13 @@ public Optional maxOpenConnections() { public Optional password() { return Optional.ofNullable(this.password); } + /** + * @return When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + public Optional passwordAuthentication() { + return Optional.ofNullable(this.passwordAuthentication); + } /** * @return The secret key used for the x509 client certificate. Must be PEM encoded. * @@ -200,6 +212,7 @@ public static final class Builder { private @Nullable Integer maxIdleConnections; private @Nullable Integer maxOpenConnections; private @Nullable String password; + private @Nullable String passwordAuthentication; private @Nullable String privateKey; private @Nullable Boolean selfManaged; private @Nullable String serviceAccountJson; 
@@ -217,6 +230,7 @@ public Builder(SecretBackendConnectionPostgresql defaults) { this.maxIdleConnections = defaults.maxIdleConnections; this.maxOpenConnections = defaults.maxOpenConnections; this.password = defaults.password; + this.passwordAuthentication = defaults.passwordAuthentication; this.privateKey = defaults.privateKey; this.selfManaged = defaults.selfManaged; this.serviceAccountJson = defaults.serviceAccountJson; @@ -269,6 +283,12 @@ public Builder password(@Nullable String password) { return this; } @CustomType.Setter + public Builder passwordAuthentication(@Nullable String passwordAuthentication) { + + this.passwordAuthentication = passwordAuthentication; + return this; + } + @CustomType.Setter public Builder privateKey(@Nullable String privateKey) { this.privateKey = privateKey; @@ -319,6 +339,7 @@ public SecretBackendConnectionPostgresql build() { _resultValue.maxIdleConnections = maxIdleConnections; _resultValue.maxOpenConnections = maxOpenConnections; _resultValue.password = password; + _resultValue.passwordAuthentication = passwordAuthentication; _resultValue.privateKey = privateKey; _resultValue.selfManaged = selfManaged; _resultValue.serviceAccountJson = serviceAccountJson; diff --git a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java index cfa60c1d..b14a6f31 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java +++ b/sdk/java/src/main/java/com/pulumi/vault/database/outputs/SecretsMountPostgresql.java @@ -69,6 +69,11 @@ public final class SecretsMountPostgresql { * */ private @Nullable String password; + /** + * @return When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + private @Nullable String passwordAuthentication; /** * @return Specifies the name of the plugin to use. * 
@@ -195,6 +200,13 @@ public String name() { public Optional password() { return Optional.ofNullable(this.password); } + /** + * @return When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + * + */ + public Optional passwordAuthentication() { + return Optional.ofNullable(this.passwordAuthentication); + } /** * @return Specifies the name of the plugin to use. * @@ -286,6 +298,7 @@ public static final class Builder { private @Nullable Integer maxOpenConnections; private String name; private @Nullable String password; + private @Nullable String passwordAuthentication; private @Nullable String pluginName; private @Nullable String privateKey; private @Nullable List rootRotationStatements; @@ -309,6 +322,7 @@ public Builder(SecretsMountPostgresql defaults) { this.maxOpenConnections = defaults.maxOpenConnections; this.name = defaults.name; this.password = defaults.password; + this.passwordAuthentication = defaults.passwordAuthentication; this.pluginName = defaults.pluginName; this.privateKey = defaults.privateKey; this.rootRotationStatements = defaults.rootRotationStatements; @@ -387,6 +401,12 @@ public Builder password(@Nullable String password) { return this; } @CustomType.Setter + public Builder passwordAuthentication(@Nullable String passwordAuthentication) { + + this.passwordAuthentication = passwordAuthentication; + return this; + } + @CustomType.Setter public Builder pluginName(@Nullable String pluginName) { this.pluginName = pluginName; @@ -461,6 +481,7 @@ public SecretsMountPostgresql build() { _resultValue.maxOpenConnections = maxOpenConnections; _resultValue.name = name; _resultValue.password = password; + _resultValue.passwordAuthentication = passwordAuthentication; _resultValue.pluginName = pluginName; _resultValue.privateKey = privateKey; _resultValue.rootRotationStatements = rootRotationStatements; 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendAcmeEab.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendAcmeEab.java new file mode 100644 index 00000000..02db68f0 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendAcmeEab.java @@ -0,0 +1,280 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Export; +import com.pulumi.core.annotations.ResourceType; +import com.pulumi.core.internal.Codegen; +import com.pulumi.vault.Utilities; +import com.pulumi.vault.pkiSecret.BackendAcmeEabArgs; +import com.pulumi.vault.pkiSecret.inputs.BackendAcmeEabState; +import java.lang.String; +import java.util.List; +import java.util.Optional; +import javax.annotation.Nullable; + +/** + * Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones. + * + * ## Example Usage + * + * <!--Start PulumiCodeChooser --> + *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.vault.Mount;
+ * import com.pulumi.vault.MountArgs;
+ * import com.pulumi.vault.pkiSecret.BackendAcmeEab;
+ * import com.pulumi.vault.pkiSecret.BackendAcmeEabArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var test = new Mount("test", MountArgs.builder()
+ *             .path("pki")
+ *             .type("pki")
+ *             .description("PKI secret engine mount")
+ *             .build());
+ * 
+ *         var testBackendAcmeEab = new BackendAcmeEab("testBackendAcmeEab", BackendAcmeEabArgs.builder()
+ *             .backend(test.path())
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser --> + * + * ## Import + * + * As EAB tokens are only available on initial creation there is no possibility to + * + * import or update this resource. + * + */ +@ResourceType(type="vault:pkiSecret/backendAcmeEab:BackendAcmeEab") +public class BackendAcmeEab extends com.pulumi.resources.CustomResource { + /** + * The ACME directory to which the key belongs + * + */ + @Export(name="acmeDirectory", refs={String.class}, tree="[0]") + private Output acmeDirectory; + + /** + * @return The ACME directory to which the key belongs + * + */ + public Output acmeDirectory() { + return this.acmeDirectory; + } + /** + * The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + */ + @Export(name="backend", refs={String.class}, tree="[0]") + private Output backend; + + /** + * @return The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + */ + public Output backend() { + return this.backend; + } + /** + * An RFC3339 formatted date time when the EAB token was created + * + */ + @Export(name="createdOn", refs={String.class}, tree="[0]") + private Output createdOn; + + /** + * @return An RFC3339 formatted date time when the EAB token was created + * + */ + public Output createdOn() { + return this.createdOn; + } + /** + * The identifier of a specific ACME EAB token + * + */ + @Export(name="eabId", refs={String.class}, tree="[0]") + private Output eabId; + + /** + * @return The identifier of a specific ACME EAB token + * + */ + public Output eabId() { + return this.eabId; + } + /** + * Create an EAB token that is specific to an issuer's ACME directory. + * + */ + @Export(name="issuer", refs={String.class}, tree="[0]") + private Output issuer; + + /** + * @return Create an EAB token that is specific to an issuer's ACME directory. 
+ * + */ + public Output> issuer() { + return Codegen.optional(this.issuer); + } + /** + * The EAB token + * + */ + @Export(name="key", refs={String.class}, tree="[0]") + private Output key; + + /** + * @return The EAB token + * + */ + public Output key() { + return this.key; + } + /** + * The key type of the EAB key + * + */ + @Export(name="keyType", refs={String.class}, tree="[0]") + private Output keyType; + + /** + * @return The key type of the EAB key + * + */ + public Output keyType() { + return this.keyType; + } + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Export(name="namespace", refs={String.class}, tree="[0]") + private Output namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Output> namespace() { + return Codegen.optional(this.namespace); + } + /** + * Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + */ + @Export(name="role", refs={String.class}, tree="[0]") + private Output role; + + /** + * @return Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + */ + public Output> role() { + return Codegen.optional(this.role); + } + + /** + * + * @param name The _unique_ name of the resulting resource. + */ + public BackendAcmeEab(java.lang.String name) { + this(name, BackendAcmeEabArgs.Empty); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + */ + public BackendAcmeEab(java.lang.String name, BackendAcmeEabArgs args) { + this(name, args, null); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + * @param options A bag of options that control this resource's behavior. 
+ */ + public BackendAcmeEab(java.lang.String name, BackendAcmeEabArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("vault:pkiSecret/backendAcmeEab:BackendAcmeEab", name, makeArgs(args, options), makeResourceOptions(options, Codegen.empty()), false); + } + + private BackendAcmeEab(java.lang.String name, Output id, @Nullable BackendAcmeEabState state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("vault:pkiSecret/backendAcmeEab:BackendAcmeEab", name, state, makeResourceOptions(options, id), false); + } + + private static BackendAcmeEabArgs makeArgs(BackendAcmeEabArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) { + if (options != null && options.getUrn().isPresent()) { + return null; + } + return args == null ? BackendAcmeEabArgs.Empty : args; + } + + private static com.pulumi.resources.CustomResourceOptions makeResourceOptions(@Nullable com.pulumi.resources.CustomResourceOptions options, @Nullable Output id) { + var defaultOptions = com.pulumi.resources.CustomResourceOptions.builder() + .version(Utilities.getVersion()) + .additionalSecretOutputs(List.of( + "key" + )) + .build(); + return com.pulumi.resources.CustomResourceOptions.merge(defaultOptions, options, id); + } + + /** + * Get an existing Host resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state + * @param options Optional settings to control the behavior of the CustomResource. + */ + public static BackendAcmeEab get(java.lang.String name, Output id, @Nullable BackendAcmeEabState state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + return new BackendAcmeEab(name, id, state, options); + } +} 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendAcmeEabArgs.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendAcmeEabArgs.java new file mode 100644 index 00000000..5ed30f95 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendAcmeEabArgs.java 
@@ -0,0 +1,242 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import com.pulumi.exceptions.MissingRequiredPropertyException; +import java.lang.String; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class BackendAcmeEabArgs extends com.pulumi.resources.ResourceArgs { + + public static final BackendAcmeEabArgs Empty = new BackendAcmeEabArgs(); + + /** + * The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + */ + @Import(name="backend", required=true) + private Output backend; + + /** + * @return The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + */ + public Output backend() { + return this.backend; + } + + /** + * Create an EAB token that is specific to an issuer's ACME directory. + * + */ + @Import(name="issuer") + private @Nullable Output issuer; + + /** + * @return Create an EAB token that is specific to an issuer's ACME directory. + * + */ + public Optional> issuer() { + return Optional.ofNullable(this.issuer); + } + + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Import(name="namespace") + private @Nullable Output namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). 
+ * *Available only for Vault Enterprise*. + * + */ + public Optional> namespace() { + return Optional.ofNullable(this.namespace); + } + + /** + * Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + */ + @Import(name="role") + private @Nullable Output role; + + /** + * @return Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + */ + public Optional> role() { + return Optional.ofNullable(this.role); + } + + private BackendAcmeEabArgs() {} + + private BackendAcmeEabArgs(BackendAcmeEabArgs $) { + this.backend = $.backend; + this.issuer = $.issuer; + this.namespace = $.namespace; + this.role = $.role; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(BackendAcmeEabArgs defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private BackendAcmeEabArgs $; + + public Builder() { + $ = new BackendAcmeEabArgs(); + } + + public Builder(BackendAcmeEabArgs defaults) { + $ = new BackendAcmeEabArgs(Objects.requireNonNull(defaults)); + } + + /** + * @param backend The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(Output backend) { + $.backend = backend; + return this; + } + + /** + * @param backend The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(String backend) { + return backend(Output.of(backend)); + } + + /** + * @param issuer Create an EAB token that is specific to an issuer's ACME directory. + * + * @return builder + * + */ + public Builder issuer(@Nullable Output issuer) { + $.issuer = issuer; + return this; + } + + /** + * @param issuer Create an EAB token that is specific to an issuer's ACME directory. + * + * @return builder + * + */ + public Builder issuer(String issuer) { + return issuer(Output.of(issuer)); + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. 
+ * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable Output namespace) { + $.namespace = namespace; + return this; + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(String namespace) { + return namespace(Output.of(namespace)); + } + + /** + * @param role Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + * @return builder + * + */ + public Builder role(@Nullable Output role) { + $.role = role; + return this; + } + + /** + * @param role Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. 
Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + * @return builder + * + */ + public Builder role(String role) { + return role(Output.of(role)); + } + + public BackendAcmeEabArgs build() { + if ($.backend == null) { + throw new MissingRequiredPropertyException("BackendAcmeEabArgs", "backend"); + } + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigAcme.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigAcme.java new file mode 100644 index 00000000..c621f72b --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigAcme.java @@ -0,0 +1,288 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Export; +import com.pulumi.core.annotations.ResourceType; +import com.pulumi.core.internal.Codegen; +import com.pulumi.vault.Utilities; +import com.pulumi.vault.pkiSecret.BackendConfigAcmeArgs; +import com.pulumi.vault.pkiSecret.inputs.BackendConfigAcmeState; +import java.lang.Boolean; +import java.lang.String; +import java.util.List; +import java.util.Optional; +import javax.annotation.Nullable; + +/** + * Allows setting the ACME server configuration used by specified mount. + * + * ## Example Usage + * + * <!--Start PulumiCodeChooser --> + *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.vault.Mount;
+ * import com.pulumi.vault.MountArgs;
+ * import com.pulumi.vault.pkiSecret.BackendConfigCluster;
+ * import com.pulumi.vault.pkiSecret.BackendConfigClusterArgs;
+ * import com.pulumi.vault.pkiSecret.BackendConfigAcme;
+ * import com.pulumi.vault.pkiSecret.BackendConfigAcmeArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var pki = new Mount("pki", MountArgs.builder()
+ *             .path("pki")
+ *             .type("pki")
+ *             .defaultLeaseTtlSeconds(3600)
+ *             .maxLeaseTtlSeconds(86400)
+ *             .build());
+ * 
+ *         var pkiConfigCluster = new BackendConfigCluster("pkiConfigCluster", BackendConfigClusterArgs.builder()
+ *             .backend(pki.path())
+ *             .path("http://127.0.0.1:8200/v1/pki")
+ *             .aiaPath("http://127.0.0.1:8200/v1/pki")
+ *             .build());
+ * 
+ *         var example = new BackendConfigAcme("example", BackendConfigAcmeArgs.builder()
+ *             .backend(pki.path())
+ *             .enabled(true)
+ *             .allowedIssuers("*")
+ *             .allowedRoles("*")
+ *             .allowRoleExtKeyUsage(false)
+ *             .defaultDirectoryPolicy("sign-verbatim")
+ *             .dnsResolver("")
+ *             .eabPolicy("not-required")
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser --> + * + * ## Import + * + * The ACME configuration can be imported using the resource's `id`. + * In the case of the example above the `id` would be `pki/config/acme`, + * where the `pki` component is the resource's `backend`, e.g. + * + * ```sh + * $ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme + * ``` + * + */ +@ResourceType(type="vault:pkiSecret/backendConfigAcme:BackendConfigAcme") +public class BackendConfigAcme extends com.pulumi.resources.CustomResource { + /** + * Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + */ + @Export(name="allowRoleExtKeyUsage", refs={Boolean.class}, tree="[0]") + private Output allowRoleExtKeyUsage; + + /** + * @return Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + */ + public Output> allowRoleExtKeyUsage() { + return Codegen.optional(this.allowRoleExtKeyUsage); + } + /** + * Specifies which issuers are allowed for use with ACME. + * + */ + @Export(name="allowedIssuers", refs={List.class,String.class}, tree="[0,1]") + private Output> allowedIssuers; + + /** + * @return Specifies which issuers are allowed for use with ACME. + * + */ + public Output> allowedIssuers() { + return this.allowedIssuers; + } + /** + * Specifies which roles are allowed for use with ACME. + * + */ + @Export(name="allowedRoles", refs={List.class,String.class}, tree="[0,1]") + private Output> allowedRoles; + + /** + * @return Specifies which roles are allowed for use with ACME. + * + */ + public Output> allowedRoles() { + return this.allowedRoles; + } + /** + * The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + * + */ + @Export(name="backend", refs={String.class}, tree="[0]") + private Output backend; + + /** + * @return The path the PKI secret backend is mounted at, with no leading or trailing `/`s. 
+ * + */ + public Output backend() { + return this.backend; + } + /** + * Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + */ + @Export(name="defaultDirectoryPolicy", refs={String.class}, tree="[0]") + private Output defaultDirectoryPolicy; + + /** + * @return Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + */ + public Output defaultDirectoryPolicy() { + return this.defaultDirectoryPolicy; + } + /** + * DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + */ + @Export(name="dnsResolver", refs={String.class}, tree="[0]") + private Output dnsResolver; + + /** + * @return DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + */ + public Output> dnsResolver() { + return Codegen.optional(this.dnsResolver); + } + /** + * Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + */ + @Export(name="eabPolicy", refs={String.class}, tree="[0]") + private Output eabPolicy; + + /** + * @return Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + */ + public Output eabPolicy() { + return this.eabPolicy; + } + /** + * Specifies whether ACME is enabled. + * + */ + @Export(name="enabled", refs={Boolean.class}, tree="[0]") + private Output enabled; + + /** + * @return Specifies whether ACME is enabled. + * + */ + public Output enabled() { + return this.enabled; + } + /** + * The namespace to provision the resource in. 
+ * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Export(name="namespace", refs={String.class}, tree="[0]") + private Output namespace; + + /** + * @return The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Output> namespace() { + return Codegen.optional(this.namespace); + } + + /** + * + * @param name The _unique_ name of the resulting resource. + */ + public BackendConfigAcme(java.lang.String name) { + this(name, BackendConfigAcmeArgs.Empty); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + */ + public BackendConfigAcme(java.lang.String name, BackendConfigAcmeArgs args) { + this(name, args, null); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + * @param options A bag of options that control this resource's behavior. 
+ */ + public BackendConfigAcme(java.lang.String name, BackendConfigAcmeArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("vault:pkiSecret/backendConfigAcme:BackendConfigAcme", name, makeArgs(args, options), makeResourceOptions(options, Codegen.empty()), false); + } + + private BackendConfigAcme(java.lang.String name, Output id, @Nullable BackendConfigAcmeState state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("vault:pkiSecret/backendConfigAcme:BackendConfigAcme", name, state, makeResourceOptions(options, id), false); + } + + private static BackendConfigAcmeArgs makeArgs(BackendConfigAcmeArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) { + if (options != null && options.getUrn().isPresent()) { + return null; + } + return args == null ? BackendConfigAcmeArgs.Empty : args; + } + + private static com.pulumi.resources.CustomResourceOptions makeResourceOptions(@Nullable com.pulumi.resources.CustomResourceOptions options, @Nullable Output id) { + var defaultOptions = com.pulumi.resources.CustomResourceOptions.builder() + .version(Utilities.getVersion()) + .build(); + return com.pulumi.resources.CustomResourceOptions.merge(defaultOptions, options, id); + } + + /** + * Get an existing Host resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state + * @param options Optional settings to control the behavior of the CustomResource. + */ + public static BackendConfigAcme get(java.lang.String name, Output id, @Nullable BackendConfigAcmeState state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + return new BackendConfigAcme(name, id, state, options); + } +} 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigAcmeArgs.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigAcmeArgs.java new file mode 100644 index 00000000..610d20eb --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigAcmeArgs.java 
@@ -0,0 +1,432 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import com.pulumi.exceptions.MissingRequiredPropertyException; +import java.lang.Boolean; +import java.lang.String; +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class BackendConfigAcmeArgs extends com.pulumi.resources.ResourceArgs { + + public static final BackendConfigAcmeArgs Empty = new BackendConfigAcmeArgs(); + + /** + * Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + */ + @Import(name="allowRoleExtKeyUsage") + private @Nullable Output allowRoleExtKeyUsage; + + /** + * @return Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + */ + public Optional> allowRoleExtKeyUsage() { + return Optional.ofNullable(this.allowRoleExtKeyUsage); + } + + /** + * Specifies which issuers are allowed for use with ACME. + * + */ + @Import(name="allowedIssuers") + private @Nullable Output> allowedIssuers; + + /** + * @return Specifies which issuers are allowed for use with ACME. + * + */ + public Optional>> allowedIssuers() { + return Optional.ofNullable(this.allowedIssuers); + } + + /** + * Specifies which roles are allowed for use with ACME. + * + */ + @Import(name="allowedRoles") + private @Nullable Output> allowedRoles; + + /** + * @return Specifies which roles are allowed for use with ACME. + * + */ + public Optional>> allowedRoles() { + return Optional.ofNullable(this.allowedRoles); + } + + /** + * The path the PKI secret backend is mounted at, with no leading or trailing `/`s. 
+ * + */ + @Import(name="backend", required=true) + private Output backend; + + /** + * @return The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + * + */ + public Output backend() { + return this.backend; + } + + /** + * Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + */ + @Import(name="defaultDirectoryPolicy") + private @Nullable Output defaultDirectoryPolicy; + + /** + * @return Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + */ + public Optional> defaultDirectoryPolicy() { + return Optional.ofNullable(this.defaultDirectoryPolicy); + } + + /** + * DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + */ + @Import(name="dnsResolver") + private @Nullable Output dnsResolver; + + /** + * @return DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + */ + public Optional> dnsResolver() { + return Optional.ofNullable(this.dnsResolver); + } + + /** + * Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + */ + @Import(name="eabPolicy") + private @Nullable Output eabPolicy; + + /** + * @return Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + */ + public Optional> eabPolicy() { + return Optional.ofNullable(this.eabPolicy); + } + + /** + * Specifies whether ACME is enabled. 
+ * + */ + @Import(name="enabled", required=true) + private Output enabled; + + /** + * @return Specifies whether ACME is enabled. + * + */ + public Output enabled() { + return this.enabled; + } + + /** + * The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Import(name="namespace") + private @Nullable Output namespace; + + /** + * @return The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Optional> namespace() { + return Optional.ofNullable(this.namespace); + } + + private BackendConfigAcmeArgs() {} + + private BackendConfigAcmeArgs(BackendConfigAcmeArgs $) { + this.allowRoleExtKeyUsage = $.allowRoleExtKeyUsage; + this.allowedIssuers = $.allowedIssuers; + this.allowedRoles = $.allowedRoles; + this.backend = $.backend; + this.defaultDirectoryPolicy = $.defaultDirectoryPolicy; + this.dnsResolver = $.dnsResolver; + this.eabPolicy = $.eabPolicy; + this.enabled = $.enabled; + this.namespace = $.namespace; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(BackendConfigAcmeArgs defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private BackendConfigAcmeArgs $; + + public Builder() { + $ = new BackendConfigAcmeArgs(); + } + + public Builder(BackendConfigAcmeArgs defaults) { + $ = new BackendConfigAcmeArgs(Objects.requireNonNull(defaults)); + } + + /** + * @param allowRoleExtKeyUsage Specifies whether the ExtKeyUsage field from a role is used. 
**Vault 1.14.1+** + * + * @return builder + * + */ + public Builder allowRoleExtKeyUsage(@Nullable Output allowRoleExtKeyUsage) { + $.allowRoleExtKeyUsage = allowRoleExtKeyUsage; + return this; + } + + /** + * @param allowRoleExtKeyUsage Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + * @return builder + * + */ + public Builder allowRoleExtKeyUsage(Boolean allowRoleExtKeyUsage) { + return allowRoleExtKeyUsage(Output.of(allowRoleExtKeyUsage)); + } + + /** + * @param allowedIssuers Specifies which issuers are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedIssuers(@Nullable Output> allowedIssuers) { + $.allowedIssuers = allowedIssuers; + return this; + } + + /** + * @param allowedIssuers Specifies which issuers are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedIssuers(List allowedIssuers) { + return allowedIssuers(Output.of(allowedIssuers)); + } + + /** + * @param allowedIssuers Specifies which issuers are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedIssuers(String... allowedIssuers) { + return allowedIssuers(List.of(allowedIssuers)); + } + + /** + * @param allowedRoles Specifies which roles are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedRoles(@Nullable Output> allowedRoles) { + $.allowedRoles = allowedRoles; + return this; + } + + /** + * @param allowedRoles Specifies which roles are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedRoles(List allowedRoles) { + return allowedRoles(Output.of(allowedRoles)); + } + + /** + * @param allowedRoles Specifies which roles are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedRoles(String... allowedRoles) { + return allowedRoles(List.of(allowedRoles)); + } + + /** + * @param backend The path the PKI secret backend is mounted at, with no leading or trailing `/`s. 
+ * + * @return builder + * + */ + public Builder backend(Output backend) { + $.backend = backend; + return this; + } + + /** + * @param backend The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(String backend) { + return backend(Output.of(backend)); + } + + /** + * @param defaultDirectoryPolicy Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + * @return builder + * + */ + public Builder defaultDirectoryPolicy(@Nullable Output defaultDirectoryPolicy) { + $.defaultDirectoryPolicy = defaultDirectoryPolicy; + return this; + } + + /** + * @param defaultDirectoryPolicy Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + * @return builder + * + */ + public Builder defaultDirectoryPolicy(String defaultDirectoryPolicy) { + return defaultDirectoryPolicy(Output.of(defaultDirectoryPolicy)); + } + + /** + * @param dnsResolver DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + * @return builder + * + */ + public Builder dnsResolver(@Nullable Output dnsResolver) { + $.dnsResolver = dnsResolver; + return this; + } + + /** + * @param dnsResolver DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + * @return builder + * + */ + public Builder dnsResolver(String dnsResolver) { + return dnsResolver(Output.of(dnsResolver)); + } + + /** + * @param eabPolicy Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. 
+ * + * @return builder + * + */ + public Builder eabPolicy(@Nullable Output eabPolicy) { + $.eabPolicy = eabPolicy; + return this; + } + + /** + * @param eabPolicy Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + * @return builder + * + */ + public Builder eabPolicy(String eabPolicy) { + return eabPolicy(Output.of(eabPolicy)); + } + + /** + * @param enabled Specifies whether ACME is enabled. + * + * @return builder + * + */ + public Builder enabled(Output enabled) { + $.enabled = enabled; + return this; + } + + /** + * @param enabled Specifies whether ACME is enabled. + * + * @return builder + * + */ + public Builder enabled(Boolean enabled) { + return enabled(Output.of(enabled)); + } + + /** + * @param namespace The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable Output namespace) { + $.namespace = namespace; + return this; + } + + /** + * @param namespace The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. 
+ * + * @return builder + * + */ + public Builder namespace(String namespace) { + return namespace(Output.of(namespace)); + } + + public BackendConfigAcmeArgs build() { + if ($.backend == null) { + throw new MissingRequiredPropertyException("BackendConfigAcmeArgs", "backend"); + } + if ($.enabled == null) { + throw new MissingRequiredPropertyException("BackendConfigAcmeArgs", "enabled"); + } + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigCmpv2.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigCmpv2.java new file mode 100644 index 00000000..09654c69 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigCmpv2.java 
@@ -0,0 +1,216 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Export; +import com.pulumi.core.annotations.ResourceType; +import com.pulumi.core.internal.Codegen; +import com.pulumi.vault.Utilities; +import com.pulumi.vault.pkiSecret.BackendConfigCmpv2Args; +import com.pulumi.vault.pkiSecret.inputs.BackendConfigCmpv2State; +import com.pulumi.vault.pkiSecret.outputs.BackendConfigCmpv2Authenticators; +import java.lang.Boolean; +import java.lang.String; +import java.util.List; +import java.util.Optional; +import javax.annotation.Nullable; + +/** + * Allows setting the CMPv2 configuration on a PKI Secret Backend + * + * ## Import + * + * The PKI config cluster can be imported using the resource's `id`. + * In the case of the example above the `id` would be `pki-root/config/cmpv2`, + * where the `pki-root` component is the resource's `backend`, e.g. + * + * ```sh + * $ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2 + * ``` + * + */ +@ResourceType(type="vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2") +public class BackendConfigCmpv2 extends com.pulumi.resources.CustomResource { + /** + * Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + */ + @Export(name="auditFields", refs={List.class,String.class}, tree="[0,1]") + private Output> auditFields; + + /** + * @return Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + */ + public Output> auditFields() { + return this.auditFields; + } + /** + * Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). 
+ * + */ + @Export(name="authenticators", refs={BackendConfigCmpv2Authenticators.class}, tree="[0]") + private Output authenticators; + + /** + * @return Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + */ + public Output authenticators() { + return this.authenticators; + } + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + */ + @Export(name="backend", refs={String.class}, tree="[0]") + private Output backend; + + /** + * @return The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + */ + public Output backend() { + return this.backend; + } + /** + * Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + */ + @Export(name="defaultPathPolicy", refs={String.class}, tree="[0]") + private Output defaultPathPolicy; + + /** + * @return Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + */ + public Output> defaultPathPolicy() { + return Codegen.optional(this.defaultPathPolicy); + } + /** + * If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + */ + @Export(name="enableSentinelParsing", refs={Boolean.class}, tree="[0]") + private Output enableSentinelParsing; + + /** + * @return If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + */ + public Output> enableSentinelParsing() { + return Codegen.optional(this.enableSentinelParsing); + } + /** + * Specifies whether CMPv2 is enabled. + * + */ + @Export(name="enabled", refs={Boolean.class}, tree="[0]") + private Output enabled; + + /** + * @return Specifies whether CMPv2 is enabled. 
+ * + */ + public Output> enabled() { + return Codegen.optional(this.enabled); + } + /** + * A read-only timestamp representing the last time the configuration was updated. + * + */ + @Export(name="lastUpdated", refs={String.class}, tree="[0]") + private Output lastUpdated; + + /** + * @return A read-only timestamp representing the last time the configuration was updated. + * + */ + public Output lastUpdated() { + return this.lastUpdated; + } + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Export(name="namespace", refs={String.class}, tree="[0]") + private Output namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Output> namespace() { + return Codegen.optional(this.namespace); + } + + /** + * + * @param name The _unique_ name of the resulting resource. + */ + public BackendConfigCmpv2(java.lang.String name) { + this(name, BackendConfigCmpv2Args.Empty); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + */ + public BackendConfigCmpv2(java.lang.String name, BackendConfigCmpv2Args args) { + this(name, args, null); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + * @param options A bag of options that control this resource's behavior. 
+ */ + public BackendConfigCmpv2(java.lang.String name, BackendConfigCmpv2Args args, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2", name, makeArgs(args, options), makeResourceOptions(options, Codegen.empty()), false); + } + + private BackendConfigCmpv2(java.lang.String name, Output id, @Nullable BackendConfigCmpv2State state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2", name, state, makeResourceOptions(options, id), false); + } + + private static BackendConfigCmpv2Args makeArgs(BackendConfigCmpv2Args args, @Nullable com.pulumi.resources.CustomResourceOptions options) { + if (options != null && options.getUrn().isPresent()) { + return null; + } + return args == null ? BackendConfigCmpv2Args.Empty : args; + } + + private static com.pulumi.resources.CustomResourceOptions makeResourceOptions(@Nullable com.pulumi.resources.CustomResourceOptions options, @Nullable Output id) { + var defaultOptions = com.pulumi.resources.CustomResourceOptions.builder() + .version(Utilities.getVersion()) + .build(); + return com.pulumi.resources.CustomResourceOptions.merge(defaultOptions, options, id); + } + + /** + * Get an existing Host resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state + * @param options Optional settings to control the behavior of the CustomResource. + */ + public static BackendConfigCmpv2 get(java.lang.String name, Output id, @Nullable BackendConfigCmpv2State state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + return new BackendConfigCmpv2(name, id, state, options); + } +} 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigCmpv2Args.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigCmpv2Args.java new file mode 100644 index 00000000..43fa493f --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/BackendConfigCmpv2Args.java 
@@ -0,0 +1,348 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import com.pulumi.exceptions.MissingRequiredPropertyException; +import com.pulumi.vault.pkiSecret.inputs.BackendConfigCmpv2AuthenticatorsArgs; +import java.lang.Boolean; +import java.lang.String; +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class BackendConfigCmpv2Args extends com.pulumi.resources.ResourceArgs { + + public static final BackendConfigCmpv2Args Empty = new BackendConfigCmpv2Args(); + + /** + * Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + */ + @Import(name="auditFields") + private @Nullable Output> auditFields; + + /** + * @return Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + */ + public Optional>> auditFields() { + return Optional.ofNullable(this.auditFields); + } + + /** + * Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + */ + @Import(name="authenticators") + private @Nullable Output authenticators; + + /** + * @return Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + */ + public Optional> authenticators() { + return Optional.ofNullable(this.authenticators); + } + + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. 
+ * + */ + @Import(name="backend", required=true) + private Output backend; + + /** + * @return The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + */ + public Output backend() { + return this.backend; + } + + /** + * Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + */ + @Import(name="defaultPathPolicy") + private @Nullable Output defaultPathPolicy; + + /** + * @return Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + */ + public Optional> defaultPathPolicy() { + return Optional.ofNullable(this.defaultPathPolicy); + } + + /** + * If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + */ + @Import(name="enableSentinelParsing") + private @Nullable Output enableSentinelParsing; + + /** + * @return If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + */ + public Optional> enableSentinelParsing() { + return Optional.ofNullable(this.enableSentinelParsing); + } + + /** + * Specifies whether CMPv2 is enabled. + * + */ + @Import(name="enabled") + private @Nullable Output enabled; + + /** + * @return Specifies whether CMPv2 is enabled. + * + */ + public Optional> enabled() { + return Optional.ofNullable(this.enabled); + } + + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Import(name="namespace") + private @Nullable Output namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. 
+ * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Optional> namespace() { + return Optional.ofNullable(this.namespace); + } + + private BackendConfigCmpv2Args() {} + + private BackendConfigCmpv2Args(BackendConfigCmpv2Args $) { + this.auditFields = $.auditFields; + this.authenticators = $.authenticators; + this.backend = $.backend; + this.defaultPathPolicy = $.defaultPathPolicy; + this.enableSentinelParsing = $.enableSentinelParsing; + this.enabled = $.enabled; + this.namespace = $.namespace; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(BackendConfigCmpv2Args defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private BackendConfigCmpv2Args $; + + public Builder() { + $ = new BackendConfigCmpv2Args(); + } + + public Builder(BackendConfigCmpv2Args defaults) { + $ = new BackendConfigCmpv2Args(Objects.requireNonNull(defaults)); + } + + /** + * @param auditFields Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + * @return builder + * + */ + public Builder auditFields(@Nullable Output> auditFields) { + $.auditFields = auditFields; + return this; + } + + /** + * @param auditFields Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + * @return builder + * + */ + public Builder auditFields(List auditFields) { + return auditFields(Output.of(auditFields)); + } + + /** + * @param auditFields Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + * @return builder + * + */ + public Builder auditFields(String... 
auditFields) { + return auditFields(List.of(auditFields)); + } + + /** + * @param authenticators Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + * @return builder + * + */ + public Builder authenticators(@Nullable Output authenticators) { + $.authenticators = authenticators; + return this; + } + + /** + * @param authenticators Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + * @return builder + * + */ + public Builder authenticators(BackendConfigCmpv2AuthenticatorsArgs authenticators) { + return authenticators(Output.of(authenticators)); + } + + /** + * @param backend The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(Output backend) { + $.backend = backend; + return this; + } + + /** + * @param backend The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(String backend) { + return backend(Output.of(backend)); + } + + /** + * @param defaultPathPolicy Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + * @return builder + * + */ + public Builder defaultPathPolicy(@Nullable Output defaultPathPolicy) { + $.defaultPathPolicy = defaultPathPolicy; + return this; + } + + /** + * @param defaultPathPolicy Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. 
+ * + * @return builder + * + */ + public Builder defaultPathPolicy(String defaultPathPolicy) { + return defaultPathPolicy(Output.of(defaultPathPolicy)); + } + + /** + * @param enableSentinelParsing If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + * @return builder + * + */ + public Builder enableSentinelParsing(@Nullable Output enableSentinelParsing) { + $.enableSentinelParsing = enableSentinelParsing; + return this; + } + + /** + * @param enableSentinelParsing If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + * @return builder + * + */ + public Builder enableSentinelParsing(Boolean enableSentinelParsing) { + return enableSentinelParsing(Output.of(enableSentinelParsing)); + } + + /** + * @param enabled Specifies whether CMPv2 is enabled. + * + * @return builder + * + */ + public Builder enabled(@Nullable Output enabled) { + $.enabled = enabled; + return this; + } + + /** + * @param enabled Specifies whether CMPv2 is enabled. + * + * @return builder + * + */ + public Builder enabled(Boolean enabled) { + return enabled(Output.of(enabled)); + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable Output namespace) { + $.namespace = namespace; + return this; + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. 
+ * + * @return builder + * + */ + public Builder namespace(String namespace) { + return namespace(Output.of(namespace)); + } + + public BackendConfigCmpv2Args build() { + if ($.backend == null) { + throw new MissingRequiredPropertyException("BackendConfigCmpv2Args", "backend"); + } + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/PkiSecretFunctions.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/PkiSecretFunctions.java index 9bf2c726..76c5cee6 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/PkiSecretFunctions.java +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/PkiSecretFunctions.java @@ -9,6 +9,8 @@ import com.pulumi.deployment.InvokeOptions; import com.pulumi.deployment.InvokeOutputOptions; import com.pulumi.vault.Utilities; +import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args; +import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2PlainArgs; import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigEstArgs; import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigEstPlainArgs; import com.pulumi.vault.pkiSecret.inputs.GetBackendIssuerArgs; @@ -19,6 +21,7 @@ import com.pulumi.vault.pkiSecret.inputs.GetBackendKeyPlainArgs; import com.pulumi.vault.pkiSecret.inputs.GetBackendKeysArgs; import com.pulumi.vault.pkiSecret.inputs.GetBackendKeysPlainArgs; +import com.pulumi.vault.pkiSecret.outputs.GetBackendConfigCmpv2Result; import com.pulumi.vault.pkiSecret.outputs.GetBackendConfigEstResult; import com.pulumi.vault.pkiSecret.outputs.GetBackendIssuerResult; import com.pulumi.vault.pkiSecret.outputs.GetBackendIssuersResult; @@ -27,6 +30,246 @@ import java.util.concurrent.CompletableFuture; public final class PkiSecretFunctions { + /** + * ## Example Usage + * + * <!--Start PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.vault.Mount;
+     * import com.pulumi.vault.MountArgs;
+     * import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
+     * import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
+     * 
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
+     * 
+     *     public static void stack(Context ctx) {
+     *         var pki = new Mount("pki", MountArgs.builder()
+     *             .path("pki")
+     *             .type("pki")
+     *             .description("PKI secret engine mount")
+     *             .build());
+     * 
+     *         final var cmpv2Config = PkiSecretFunctions.getBackendConfigCmpv2(GetBackendConfigCmpv2Args.builder()
+     *             .backend(pki.path())
+     *             .build());
+     * 
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> + * + */ + public static Output getBackendConfigCmpv2(GetBackendConfigCmpv2Args args) { + return getBackendConfigCmpv2(args, InvokeOptions.Empty); + } + /** + * ## Example Usage + * + * <!--Start PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.vault.Mount;
+     * import com.pulumi.vault.MountArgs;
+     * import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
+     * import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
+     * 
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
+     * 
+     *     public static void stack(Context ctx) {
+     *         var pki = new Mount("pki", MountArgs.builder()
+     *             .path("pki")
+     *             .type("pki")
+     *             .description("PKI secret engine mount")
+     *             .build());
+     * 
+     *         final var cmpv2Config = PkiSecretFunctions.getBackendConfigCmpv2(GetBackendConfigCmpv2Args.builder()
+     *             .backend(pki.path())
+     *             .build());
+     * 
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> + * + */ + public static CompletableFuture getBackendConfigCmpv2Plain(GetBackendConfigCmpv2PlainArgs args) { + return getBackendConfigCmpv2Plain(args, InvokeOptions.Empty); + } + /** + * ## Example Usage + * + * <!--Start PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.vault.Mount;
+     * import com.pulumi.vault.MountArgs;
+     * import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
+     * import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
+     * 
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
+     * 
+     *     public static void stack(Context ctx) {
+     *         var pki = new Mount("pki", MountArgs.builder()
+     *             .path("pki")
+     *             .type("pki")
+     *             .description("PKI secret engine mount")
+     *             .build());
+     * 
+     *         final var cmpv2Config = PkiSecretFunctions.getBackendConfigCmpv2(GetBackendConfigCmpv2Args.builder()
+     *             .backend(pki.path())
+     *             .build());
+     * 
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> + * + */ + public static Output getBackendConfigCmpv2(GetBackendConfigCmpv2Args args, InvokeOptions options) { + return Deployment.getInstance().invoke("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", TypeShape.of(GetBackendConfigCmpv2Result.class), args, Utilities.withVersion(options)); + } + /** + * ## Example Usage + * + * <!--Start PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.vault.Mount;
+     * import com.pulumi.vault.MountArgs;
+     * import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
+     * import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
+     * 
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
+     * 
+     *     public static void stack(Context ctx) {
+     *         var pki = new Mount("pki", MountArgs.builder()
+     *             .path("pki")
+     *             .type("pki")
+     *             .description("PKI secret engine mount")
+     *             .build());
+     * 
+     *         final var cmpv2Config = PkiSecretFunctions.getBackendConfigCmpv2(GetBackendConfigCmpv2Args.builder()
+     *             .backend(pki.path())
+     *             .build());
+     * 
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> + * + */ + public static Output getBackendConfigCmpv2(GetBackendConfigCmpv2Args args, InvokeOutputOptions options) { + return Deployment.getInstance().invoke("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", TypeShape.of(GetBackendConfigCmpv2Result.class), args, Utilities.withVersion(options)); + } + /** + * ## Example Usage + * + * <!--Start PulumiCodeChooser --> + *
+     * {@code
+     * package generated_program;
+     * 
+     * import com.pulumi.Context;
+     * import com.pulumi.Pulumi;
+     * import com.pulumi.core.Output;
+     * import com.pulumi.vault.Mount;
+     * import com.pulumi.vault.MountArgs;
+     * import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
+     * import com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args;
+     * import java.util.List;
+     * import java.util.ArrayList;
+     * import java.util.Map;
+     * import java.io.File;
+     * import java.nio.file.Files;
+     * import java.nio.file.Paths;
+     * 
+     * public class App {
+     *     public static void main(String[] args) {
+     *         Pulumi.run(App::stack);
+     *     }
+     * 
+     *     public static void stack(Context ctx) {
+     *         var pki = new Mount("pki", MountArgs.builder()
+     *             .path("pki")
+     *             .type("pki")
+     *             .description("PKI secret engine mount")
+     *             .build());
+     * 
+     *         final var cmpv2Config = PkiSecretFunctions.getBackendConfigCmpv2(GetBackendConfigCmpv2Args.builder()
+     *             .backend(pki.path())
+     *             .build());
+     * 
+     *     }
+     * }
+     * }
+     * 
+ * <!--End PulumiCodeChooser --> + * + */ + public static CompletableFuture getBackendConfigCmpv2Plain(GetBackendConfigCmpv2PlainArgs args, InvokeOptions options) { + return Deployment.getInstance().invokeAsync("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", TypeShape.of(GetBackendConfigCmpv2Result.class), args, Utilities.withVersion(options)); + } /** * ## Example Usage * diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRole.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRole.java index 3c4eca1a..ad1c6f1d 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRole.java +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRole.java @@ -323,6 +323,20 @@ public Output> basicConstraintsValidForNonCa() { public Output> clientFlag() { return Codegen.optional(this.clientFlag); } + /** + * Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + */ + @Export(name="cnValidations", refs={List.class,String.class}, tree="[0,1]") + private Output> cnValidations; + + /** + * @return Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + */ + public Output> cnValidations() { + return this.cnValidations; + } /** * Flag to specify certificates for code signing use * diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRoleArgs.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRoleArgs.java index 6c1eff43..e371d935 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRoleArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/SecretBackendRoleArgs.java 
@@ -275,6 +275,21 @@ public Optional> clientFlag() { return Optional.ofNullable(this.clientFlag); } + /** + * Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + */ + @Import(name="cnValidations") + private @Nullable Output> cnValidations; + + /** + * @return Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + */ + public Optional>> cnValidations() { + return Optional.ofNullable(this.cnValidations); + } + /** * Flag to specify certificates for code signing use * @@ -748,6 +763,7 @@ private SecretBackendRoleArgs(SecretBackendRoleArgs $) { this.backend = $.backend; this.basicConstraintsValidForNonCa = $.basicConstraintsValidForNonCa; this.clientFlag = $.clientFlag; + this.cnValidations = $.cnValidations; this.codeSigningFlag = $.codeSigningFlag; this.countries = $.countries; this.emailProtectionFlag = $.emailProtectionFlag; @@ -1204,6 +1220,37 @@ public Builder clientFlag(Boolean clientFlag) { return clientFlag(Output.of(clientFlag)); } + /** + * @param cnValidations Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + * @return builder + * + */ + public Builder cnValidations(@Nullable Output> cnValidations) { + $.cnValidations = cnValidations; + return this; + } + + /** + * @param cnValidations Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + * @return builder + * + */ + public Builder cnValidations(List cnValidations) { + return cnValidations(Output.of(cnValidations)); + } + + /** + * @param cnValidations Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + * @return builder + * + */ + public Builder cnValidations(String... cnValidations) { + return cnValidations(List.of(cnValidations)); + } + /** * @param codeSigningFlag Flag to specify certificates for code signing use * 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendAcmeEabState.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendAcmeEabState.java new file mode 100644 index 00000000..bcf6fb87 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendAcmeEabState.java 
@@ -0,0 +1,423 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.inputs; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import java.lang.String; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class BackendAcmeEabState extends com.pulumi.resources.ResourceArgs { + + public static final BackendAcmeEabState Empty = new BackendAcmeEabState(); + + /** + * The ACME directory to which the key belongs + * + */ + @Import(name="acmeDirectory") + private @Nullable Output acmeDirectory; + + /** + * @return The ACME directory to which the key belongs + * + */ + public Optional> acmeDirectory() { + return Optional.ofNullable(this.acmeDirectory); + } + + /** + * The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + */ + @Import(name="backend") + private @Nullable Output backend; + + /** + * @return The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + */ + public Optional> backend() { + return Optional.ofNullable(this.backend); + } + + /** + * An RFC3339 formatted date time when the EAB token was created + * + */ + @Import(name="createdOn") + private @Nullable Output createdOn; + + /** + * @return An RFC3339 formatted date time when the EAB token was created + * + */ + public Optional> createdOn() { + return Optional.ofNullable(this.createdOn); + } + + /** + * The identifier of a specific ACME EAB token + * + */ + @Import(name="eabId") + private @Nullable Output eabId; + + /** + * @return The identifier of a specific ACME EAB token + * + */ + public Optional> eabId() { + return Optional.ofNullable(this.eabId); + } + + /** + * Create an EAB token that is specific to an issuer's ACME directory. 
+ * + */ + @Import(name="issuer") + private @Nullable Output issuer; + + /** + * @return Create an EAB token that is specific to an issuer's ACME directory. + * + */ + public Optional> issuer() { + return Optional.ofNullable(this.issuer); + } + + /** + * The EAB token + * + */ + @Import(name="key") + private @Nullable Output key; + + /** + * @return The EAB token + * + */ + public Optional> key() { + return Optional.ofNullable(this.key); + } + + /** + * The key type of the EAB key + * + */ + @Import(name="keyType") + private @Nullable Output keyType; + + /** + * @return The key type of the EAB key + * + */ + public Optional> keyType() { + return Optional.ofNullable(this.keyType); + } + + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Import(name="namespace") + private @Nullable Output namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Optional> namespace() { + return Optional.ofNullable(this.namespace); + } + + /** + * Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + */ + @Import(name="role") + private @Nullable Output role; + + /** + * @return Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + */ + public Optional> role() { + return Optional.ofNullable(this.role); + } + + private BackendAcmeEabState() {} + + private BackendAcmeEabState(BackendAcmeEabState $) { + this.acmeDirectory = $.acmeDirectory; + this.backend = $.backend; + this.createdOn = $.createdOn; + this.eabId = $.eabId; + this.issuer = $.issuer; + this.key = $.key; + this.keyType = $.keyType; + this.namespace = $.namespace; + this.role = $.role; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(BackendAcmeEabState defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private BackendAcmeEabState $; + + public Builder() { + $ = new BackendAcmeEabState(); + } + + public Builder(BackendAcmeEabState defaults) { + $ = new BackendAcmeEabState(Objects.requireNonNull(defaults)); + } + + /** + * @param acmeDirectory The ACME directory to which the key belongs + * + * @return builder + * + */ + public Builder acmeDirectory(@Nullable Output acmeDirectory) { + $.acmeDirectory = acmeDirectory; + return this; + } + + /** + * @param acmeDirectory The ACME directory to which the key belongs + * + * @return builder + * + 
*/ + public Builder acmeDirectory(String acmeDirectory) { + return acmeDirectory(Output.of(acmeDirectory)); + } + + /** + * @param backend The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(@Nullable Output backend) { + $.backend = backend; + return this; + } + + /** + * @param backend The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(String backend) { + return backend(Output.of(backend)); + } + + /** + * @param createdOn An RFC3339 formatted date time when the EAB token was created + * + * @return builder + * + */ + public Builder createdOn(@Nullable Output createdOn) { + $.createdOn = createdOn; + return this; + } + + /** + * @param createdOn An RFC3339 formatted date time when the EAB token was created + * + * @return builder + * + */ + public Builder createdOn(String createdOn) { + return createdOn(Output.of(createdOn)); + } + + /** + * @param eabId The identifier of a specific ACME EAB token + * + * @return builder + * + */ + public Builder eabId(@Nullable Output eabId) { + $.eabId = eabId; + return this; + } + + /** + * @param eabId The identifier of a specific ACME EAB token + * + * @return builder + * + */ + public Builder eabId(String eabId) { + return eabId(Output.of(eabId)); + } + + /** + * @param issuer Create an EAB token that is specific to an issuer's ACME directory. + * + * @return builder + * + */ + public Builder issuer(@Nullable Output issuer) { + $.issuer = issuer; + return this; + } + + /** + * @param issuer Create an EAB token that is specific to an issuer's ACME directory. 
+ * + * @return builder + * + */ + public Builder issuer(String issuer) { + return issuer(Output.of(issuer)); + } + + /** + * @param key The EAB token + * + * @return builder + * + */ + public Builder key(@Nullable Output key) { + $.key = key; + return this; + } + + /** + * @param key The EAB token + * + * @return builder + * + */ + public Builder key(String key) { + return key(Output.of(key)); + } + + /** + * @param keyType The key type of the EAB key + * + * @return builder + * + */ + public Builder keyType(@Nullable Output keyType) { + $.keyType = keyType; + return this; + } + + /** + * @param keyType The key type of the EAB key + * + * @return builder + * + */ + public Builder keyType(String keyType) { + return keyType(Output.of(keyType)); + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable Output namespace) { + $.namespace = namespace; + return this; + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(String namespace) { + return namespace(Output.of(namespace)); + } + + /** + * @param role Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. 
Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + * @return builder + * + */ + public Builder role(@Nullable Output role) { + $.role = role; + return this; + } + + /** + * @param role Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + * + * @return builder + * + */ + public Builder role(String role) { + return role(Output.of(role)); + } + + public BackendAcmeEabState build() { + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigAcmeState.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigAcmeState.java new file mode 100644 index 00000000..fd301c18 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigAcmeState.java 
@@ -0,0 +1,425 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.inputs; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import java.lang.Boolean; +import java.lang.String; +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class BackendConfigAcmeState extends com.pulumi.resources.ResourceArgs { + + public static final BackendConfigAcmeState Empty = new BackendConfigAcmeState(); + + /** + * Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + */ + @Import(name="allowRoleExtKeyUsage") + private @Nullable Output allowRoleExtKeyUsage; + + /** + * @return Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + */ + public Optional> allowRoleExtKeyUsage() { + return Optional.ofNullable(this.allowRoleExtKeyUsage); + } + + /** + * Specifies which issuers are allowed for use with ACME. + * + */ + @Import(name="allowedIssuers") + private @Nullable Output> allowedIssuers; + + /** + * @return Specifies which issuers are allowed for use with ACME. + * + */ + public Optional>> allowedIssuers() { + return Optional.ofNullable(this.allowedIssuers); + } + + /** + * Specifies which roles are allowed for use with ACME. + * + */ + @Import(name="allowedRoles") + private @Nullable Output> allowedRoles; + + /** + * @return Specifies which roles are allowed for use with ACME. + * + */ + public Optional>> allowedRoles() { + return Optional.ofNullable(this.allowedRoles); + } + + /** + * The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + * + */ + @Import(name="backend") + private @Nullable Output backend; + + /** + * @return The path the PKI secret backend is mounted at, with no leading or trailing `/`s. 
+ * + */ + public Optional> backend() { + return Optional.ofNullable(this.backend); + } + + /** + * Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + */ + @Import(name="defaultDirectoryPolicy") + private @Nullable Output defaultDirectoryPolicy; + + /** + * @return Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + */ + public Optional> defaultDirectoryPolicy() { + return Optional.ofNullable(this.defaultDirectoryPolicy); + } + + /** + * DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + */ + @Import(name="dnsResolver") + private @Nullable Output dnsResolver; + + /** + * @return DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + */ + public Optional> dnsResolver() { + return Optional.ofNullable(this.dnsResolver); + } + + /** + * Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + */ + @Import(name="eabPolicy") + private @Nullable Output eabPolicy; + + /** + * @return Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + */ + public Optional> eabPolicy() { + return Optional.ofNullable(this.eabPolicy); + } + + /** + * Specifies whether ACME is enabled. + * + */ + @Import(name="enabled") + private @Nullable Output enabled; + + /** + * @return Specifies whether ACME is enabled. + * + */ + public Optional> enabled() { + return Optional.ofNullable(this.enabled); + } + + /** + * The namespace to provision the resource in. 
+ * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Import(name="namespace") + private @Nullable Output namespace; + + /** + * @return The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Optional> namespace() { + return Optional.ofNullable(this.namespace); + } + + private BackendConfigAcmeState() {} + + private BackendConfigAcmeState(BackendConfigAcmeState $) { + this.allowRoleExtKeyUsage = $.allowRoleExtKeyUsage; + this.allowedIssuers = $.allowedIssuers; + this.allowedRoles = $.allowedRoles; + this.backend = $.backend; + this.defaultDirectoryPolicy = $.defaultDirectoryPolicy; + this.dnsResolver = $.dnsResolver; + this.eabPolicy = $.eabPolicy; + this.enabled = $.enabled; + this.namespace = $.namespace; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(BackendConfigAcmeState defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private BackendConfigAcmeState $; + + public Builder() { + $ = new BackendConfigAcmeState(); + } + + public Builder(BackendConfigAcmeState defaults) { + $ = new BackendConfigAcmeState(Objects.requireNonNull(defaults)); + } + + /** + * @param allowRoleExtKeyUsage Specifies whether the ExtKeyUsage field from a role is used. 
**Vault 1.14.1+** + * + * @return builder + * + */ + public Builder allowRoleExtKeyUsage(@Nullable Output allowRoleExtKeyUsage) { + $.allowRoleExtKeyUsage = allowRoleExtKeyUsage; + return this; + } + + /** + * @param allowRoleExtKeyUsage Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + * + * @return builder + * + */ + public Builder allowRoleExtKeyUsage(Boolean allowRoleExtKeyUsage) { + return allowRoleExtKeyUsage(Output.of(allowRoleExtKeyUsage)); + } + + /** + * @param allowedIssuers Specifies which issuers are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedIssuers(@Nullable Output> allowedIssuers) { + $.allowedIssuers = allowedIssuers; + return this; + } + + /** + * @param allowedIssuers Specifies which issuers are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedIssuers(List allowedIssuers) { + return allowedIssuers(Output.of(allowedIssuers)); + } + + /** + * @param allowedIssuers Specifies which issuers are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedIssuers(String... allowedIssuers) { + return allowedIssuers(List.of(allowedIssuers)); + } + + /** + * @param allowedRoles Specifies which roles are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedRoles(@Nullable Output> allowedRoles) { + $.allowedRoles = allowedRoles; + return this; + } + + /** + * @param allowedRoles Specifies which roles are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedRoles(List allowedRoles) { + return allowedRoles(Output.of(allowedRoles)); + } + + /** + * @param allowedRoles Specifies which roles are allowed for use with ACME. + * + * @return builder + * + */ + public Builder allowedRoles(String... allowedRoles) { + return allowedRoles(List.of(allowedRoles)); + } + + /** + * @param backend The path the PKI secret backend is mounted at, with no leading or trailing `/`s. 
+ * + * @return builder + * + */ + public Builder backend(@Nullable Output backend) { + $.backend = backend; + return this; + } + + /** + * @param backend The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(String backend) { + return backend(Output.of(backend)); + } + + /** + * @param defaultDirectoryPolicy Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + * @return builder + * + */ + public Builder defaultDirectoryPolicy(@Nullable Output defaultDirectoryPolicy) { + $.defaultDirectoryPolicy = defaultDirectoryPolicy; + return this; + } + + /** + * @param defaultDirectoryPolicy Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:<role_name>`, `external-policy` or `external-policy:<policy>`. + * + * @return builder + * + */ + public Builder defaultDirectoryPolicy(String defaultDirectoryPolicy) { + return defaultDirectoryPolicy(Output.of(defaultDirectoryPolicy)); + } + + /** + * @param dnsResolver DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + * @return builder + * + */ + public Builder dnsResolver(@Nullable Output dnsResolver) { + $.dnsResolver = dnsResolver; + return this; + } + + /** + * @param dnsResolver DNS resolver to use for domain resolution on this mount. + * Must be in the format `<host>:<port>`, with both parts mandatory. + * + * @return builder + * + */ + public Builder dnsResolver(String dnsResolver) { + return dnsResolver(Output.of(dnsResolver)); + } + + /** + * @param eabPolicy Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. 
+ * + * @return builder + * + */ + public Builder eabPolicy(@Nullable Output eabPolicy) { + $.eabPolicy = eabPolicy; + return this; + } + + /** + * @param eabPolicy Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + * + * @return builder + * + */ + public Builder eabPolicy(String eabPolicy) { + return eabPolicy(Output.of(eabPolicy)); + } + + /** + * @param enabled Specifies whether ACME is enabled. + * + * @return builder + * + */ + public Builder enabled(@Nullable Output enabled) { + $.enabled = enabled; + return this; + } + + /** + * @param enabled Specifies whether ACME is enabled. + * + * @return builder + * + */ + public Builder enabled(Boolean enabled) { + return enabled(Output.of(enabled)); + } + + /** + * @param namespace The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable Output namespace) { + $.namespace = namespace; + return this; + } + + /** + * @param namespace The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(String namespace) { + return namespace(Output.of(namespace)); + } + + public BackendConfigAcmeState build() { + return $; + } + } + +} 
diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigCmpv2AuthenticatorsArgs.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigCmpv2AuthenticatorsArgs.java new file mode 100644 index 00000000..fe6a713b --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigCmpv2AuthenticatorsArgs.java 
@@ -0,0 +1,84 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.inputs; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import java.lang.String; +import java.util.Map; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class BackendConfigCmpv2AuthenticatorsArgs extends com.pulumi.resources.ResourceArgs { + + public static final BackendConfigCmpv2AuthenticatorsArgs Empty = new BackendConfigCmpv2AuthenticatorsArgs(); + + /** + * "The accessor (required) and cert_role (optional) properties for cert auth backends". + * + */ + @Import(name="cert") + private @Nullable Output> cert; + + /** + * @return "The accessor (required) and cert_role (optional) properties for cert auth backends". + * + */ + public Optional>> cert() { + return Optional.ofNullable(this.cert); + } + + private BackendConfigCmpv2AuthenticatorsArgs() {} + + private BackendConfigCmpv2AuthenticatorsArgs(BackendConfigCmpv2AuthenticatorsArgs $) { + this.cert = $.cert; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(BackendConfigCmpv2AuthenticatorsArgs defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private BackendConfigCmpv2AuthenticatorsArgs $; + + public Builder() { + $ = new BackendConfigCmpv2AuthenticatorsArgs(); + } + + public Builder(BackendConfigCmpv2AuthenticatorsArgs defaults) { + $ = new BackendConfigCmpv2AuthenticatorsArgs(Objects.requireNonNull(defaults)); + } + + /** + * @param cert "The accessor (required) and cert_role (optional) properties for cert auth backends". 
+ * + * @return builder + * + */ + public Builder cert(@Nullable Output> cert) { + $.cert = cert; + return this; + } + + /** + * @param cert "The accessor (required) and cert_role (optional) properties for cert auth backends". + * + * @return builder + * + */ + public Builder cert(Map cert) { + return cert(Output.of(cert)); + } + + public BackendConfigCmpv2AuthenticatorsArgs build() { + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigCmpv2State.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigCmpv2State.java new file mode 100644 index 00000000..7ee7aedd --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/BackendConfigCmpv2State.java 
@@ -0,0 +1,381 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.inputs; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import com.pulumi.vault.pkiSecret.inputs.BackendConfigCmpv2AuthenticatorsArgs; +import java.lang.Boolean; +import java.lang.String; +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class BackendConfigCmpv2State extends com.pulumi.resources.ResourceArgs { + + public static final BackendConfigCmpv2State Empty = new BackendConfigCmpv2State(); + + /** + * Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + */ + @Import(name="auditFields") + private @Nullable Output> auditFields; + + /** + * @return Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + */ + public Optional>> auditFields() { + return Optional.ofNullable(this.auditFields); + } + + /** + * Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + */ + @Import(name="authenticators") + private @Nullable Output authenticators; + + /** + * @return Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + */ + public Optional> authenticators() { + return Optional.ofNullable(this.authenticators); + } + + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + */ + @Import(name="backend") + private @Nullable Output backend; + + /** + * @return The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. 
+ * + */ + public Optional> backend() { + return Optional.ofNullable(this.backend); + } + + /** + * Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + */ + @Import(name="defaultPathPolicy") + private @Nullable Output defaultPathPolicy; + + /** + * @return Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + */ + public Optional> defaultPathPolicy() { + return Optional.ofNullable(this.defaultPathPolicy); + } + + /** + * If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + */ + @Import(name="enableSentinelParsing") + private @Nullable Output enableSentinelParsing; + + /** + * @return If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + */ + public Optional> enableSentinelParsing() { + return Optional.ofNullable(this.enableSentinelParsing); + } + + /** + * Specifies whether CMPv2 is enabled. + * + */ + @Import(name="enabled") + private @Nullable Output enabled; + + /** + * @return Specifies whether CMPv2 is enabled. + * + */ + public Optional> enabled() { + return Optional.ofNullable(this.enabled); + } + + /** + * A read-only timestamp representing the last time the configuration was updated. + * + */ + @Import(name="lastUpdated") + private @Nullable Output lastUpdated; + + /** + * @return A read-only timestamp representing the last time the configuration was updated. + * + */ + public Optional> lastUpdated() { + return Optional.ofNullable(this.lastUpdated); + } + + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. 
+ * + */ + @Import(name="namespace") + private @Nullable Output namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + public Optional> namespace() { + return Optional.ofNullable(this.namespace); + } + + private BackendConfigCmpv2State() {} + + private BackendConfigCmpv2State(BackendConfigCmpv2State $) { + this.auditFields = $.auditFields; + this.authenticators = $.authenticators; + this.backend = $.backend; + this.defaultPathPolicy = $.defaultPathPolicy; + this.enableSentinelParsing = $.enableSentinelParsing; + this.enabled = $.enabled; + this.lastUpdated = $.lastUpdated; + this.namespace = $.namespace; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(BackendConfigCmpv2State defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private BackendConfigCmpv2State $; + + public Builder() { + $ = new BackendConfigCmpv2State(); + } + + public Builder(BackendConfigCmpv2State defaults) { + $ = new BackendConfigCmpv2State(Objects.requireNonNull(defaults)); + } + + /** + * @param auditFields Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + * @return builder + * + */ + public Builder auditFields(@Nullable Output> auditFields) { + $.auditFields = auditFields; + return this; + } + + /** + * @param auditFields Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. 
+ * + * <a id="nestedatt--authenticators"></a> + * + * @return builder + * + */ + public Builder auditFields(List auditFields) { + return auditFields(Output.of(auditFields)); + } + + /** + * @param auditFields Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * <a id="nestedatt--authenticators"></a> + * + * @return builder + * + */ + public Builder auditFields(String... auditFields) { + return auditFields(List.of(auditFields)); + } + + /** + * @param authenticators Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + * @return builder + * + */ + public Builder authenticators(@Nullable Output authenticators) { + $.authenticators = authenticators; + return this; + } + + /** + * @param authenticators Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + * + * @return builder + * + */ + public Builder authenticators(BackendConfigCmpv2AuthenticatorsArgs authenticators) { + return authenticators(Output.of(authenticators)); + } + + /** + * @param backend The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(@Nullable Output backend) { + $.backend = backend; + return this; + } + + /** + * @param backend The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * @return builder + * + */ + public Builder backend(String backend) { + return backend(Output.of(backend)); + } + + /** + * @param defaultPathPolicy Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. 
+ * + * @return builder + * + */ + public Builder defaultPathPolicy(@Nullable Output defaultPathPolicy) { + $.defaultPathPolicy = defaultPathPolicy; + return this; + } + + /** + * @param defaultPathPolicy Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:<role_name>. + * + * @return builder + * + */ + public Builder defaultPathPolicy(String defaultPathPolicy) { + return defaultPathPolicy(Output.of(defaultPathPolicy)); + } + + /** + * @param enableSentinelParsing If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + * @return builder + * + */ + public Builder enableSentinelParsing(@Nullable Output enableSentinelParsing) { + $.enableSentinelParsing = enableSentinelParsing; + return this; + } + + /** + * @param enableSentinelParsing If set, parse out fields from the provided CSR making them available for Sentinel policies. + * + * @return builder + * + */ + public Builder enableSentinelParsing(Boolean enableSentinelParsing) { + return enableSentinelParsing(Output.of(enableSentinelParsing)); + } + + /** + * @param enabled Specifies whether CMPv2 is enabled. + * + * @return builder + * + */ + public Builder enabled(@Nullable Output enabled) { + $.enabled = enabled; + return this; + } + + /** + * @param enabled Specifies whether CMPv2 is enabled. + * + * @return builder + * + */ + public Builder enabled(Boolean enabled) { + return enabled(Output.of(enabled)); + } + + /** + * @param lastUpdated A read-only timestamp representing the last time the configuration was updated. + * + * @return builder + * + */ + public Builder lastUpdated(@Nullable Output lastUpdated) { + $.lastUpdated = lastUpdated; + return this; + } + + /** + * @param lastUpdated A read-only timestamp representing the last time the configuration was updated. 
+ * + * @return builder + * + */ + public Builder lastUpdated(String lastUpdated) { + return lastUpdated(Output.of(lastUpdated)); + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable Output namespace) { + $.namespace = namespace; + return this; + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(String namespace) { + return namespace(Output.of(namespace)); + } + + public BackendConfigCmpv2State build() { + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/GetBackendConfigCmpv2Args.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/GetBackendConfigCmpv2Args.java new file mode 100644 index 00000000..ac2a9598 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/GetBackendConfigCmpv2Args.java 
@@ -0,0 +1,148 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.inputs; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import com.pulumi.exceptions.MissingRequiredPropertyException; +import java.lang.String; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class GetBackendConfigCmpv2Args extends com.pulumi.resources.InvokeArgs { + + public static final GetBackendConfigCmpv2Args Empty = new GetBackendConfigCmpv2Args(); + + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + * + */ + @Import(name="backend", required=true) + private Output backend; + + /** + * @return The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + * + */ + public Output backend() { + return this.backend; + } + + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Import(name="namespace") + private @Nullable Output namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. 
+ * + */ + public Optional> namespace() { + return Optional.ofNullable(this.namespace); + } + + private GetBackendConfigCmpv2Args() {} + + private GetBackendConfigCmpv2Args(GetBackendConfigCmpv2Args $) { + this.backend = $.backend; + this.namespace = $.namespace; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(GetBackendConfigCmpv2Args defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private GetBackendConfigCmpv2Args $; + + public Builder() { + $ = new GetBackendConfigCmpv2Args(); + } + + public Builder(GetBackendConfigCmpv2Args defaults) { + $ = new GetBackendConfigCmpv2Args(Objects.requireNonNull(defaults)); + } + + /** + * @param backend The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + * + * @return builder + * + */ + public Builder backend(Output backend) { + $.backend = backend; + return this; + } + + /** + * @param backend The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + * + * @return builder + * + */ + public Builder backend(String backend) { + return backend(Output.of(backend)); + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable Output namespace) { + $.namespace = namespace; + return this; + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. 
+ * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(String namespace) { + return namespace(Output.of(namespace)); + } + + public GetBackendConfigCmpv2Args build() { + if ($.backend == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Args", "backend"); + } + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/GetBackendConfigCmpv2PlainArgs.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/GetBackendConfigCmpv2PlainArgs.java new file mode 100644 index 00000000..dc538fc4 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/GetBackendConfigCmpv2PlainArgs.java 
@@ -0,0 +1,121 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.inputs; + +import com.pulumi.core.annotations.Import; +import com.pulumi.exceptions.MissingRequiredPropertyException; +import java.lang.String; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class GetBackendConfigCmpv2PlainArgs extends com.pulumi.resources.InvokeArgs { + + public static final GetBackendConfigCmpv2PlainArgs Empty = new GetBackendConfigCmpv2PlainArgs(); + + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + * + */ + @Import(name="backend", required=true) + private String backend; + + /** + * @return The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + * + */ + public String backend() { + return this.backend; + } + + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + */ + @Import(name="namespace") + private @Nullable String namespace; + + /** + * @return The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. 
+ * + */ + public Optional namespace() { + return Optional.ofNullable(this.namespace); + } + + private GetBackendConfigCmpv2PlainArgs() {} + + private GetBackendConfigCmpv2PlainArgs(GetBackendConfigCmpv2PlainArgs $) { + this.backend = $.backend; + this.namespace = $.namespace; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(GetBackendConfigCmpv2PlainArgs defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private GetBackendConfigCmpv2PlainArgs $; + + public Builder() { + $ = new GetBackendConfigCmpv2PlainArgs(); + } + + public Builder(GetBackendConfigCmpv2PlainArgs defaults) { + $ = new GetBackendConfigCmpv2PlainArgs(Objects.requireNonNull(defaults)); + } + + /** + * @param backend The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + * + * @return builder + * + */ + public Builder backend(String backend) { + $.backend = backend; + return this; + } + + /** + * @param namespace The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + * + * @return builder + * + */ + public Builder namespace(@Nullable String namespace) { + $.namespace = namespace; + return this; + } + + public GetBackendConfigCmpv2PlainArgs build() { + if ($.backend == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2PlainArgs", "backend"); + } + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/SecretBackendRoleState.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/SecretBackendRoleState.java index 35693025..37942ec9 100644 
--- a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/SecretBackendRoleState.java +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/inputs/SecretBackendRoleState.java @@ -274,6 +274,21 @@ public Optional> clientFlag() { return Optional.ofNullable(this.clientFlag); } + /** + * Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + */ + @Import(name="cnValidations") + private @Nullable Output> cnValidations; + + /** + * @return Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + */ + public Optional>> cnValidations() { + return Optional.ofNullable(this.cnValidations); + } + /** * Flag to specify certificates for code signing use * @@ -747,6 +762,7 @@ private SecretBackendRoleState(SecretBackendRoleState $) { this.backend = $.backend; this.basicConstraintsValidForNonCa = $.basicConstraintsValidForNonCa; this.clientFlag = $.clientFlag; + this.cnValidations = $.cnValidations; this.codeSigningFlag = $.codeSigningFlag; this.countries = $.countries; this.emailProtectionFlag = $.emailProtectionFlag; 
@@ -1203,6 +1219,37 @@ public Builder clientFlag(Boolean clientFlag) { return clientFlag(Output.of(clientFlag)); } + /** + * @param cnValidations Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + * @return builder + * + */ + public Builder cnValidations(@Nullable Output> cnValidations) { + $.cnValidations = cnValidations; + return this; + } + + /** + * @param cnValidations Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + * @return builder + * + */ + public Builder cnValidations(List cnValidations) { + return cnValidations(Output.of(cnValidations)); + } + + /** + * @param cnValidations Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + * + * @return builder + * + */ + public Builder cnValidations(String... cnValidations) { + return cnValidations(List.of(cnValidations)); + } + /** * @param codeSigningFlag Flag to specify certificates for code signing use * diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/BackendConfigCmpv2Authenticators.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/BackendConfigCmpv2Authenticators.java new file mode 100644 index 00000000..0f9c7b75 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/BackendConfigCmpv2Authenticators.java 
@@ -0,0 +1,57 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.outputs; + +import com.pulumi.core.annotations.CustomType; +import java.lang.String; +import java.util.Map; +import java.util.Objects; +import javax.annotation.Nullable; + +@CustomType +public final class BackendConfigCmpv2Authenticators { + /** + * @return "The accessor (required) and cert_role (optional) properties for cert auth backends". + * + */ + private @Nullable Map cert; + + private BackendConfigCmpv2Authenticators() {} + /** + * @return "The accessor (required) and cert_role (optional) properties for cert auth backends". + * + */ + public Map cert() { + return this.cert == null ? Map.of() : this.cert; + } + + public static Builder builder() { + return new Builder(); + } + + public static Builder builder(BackendConfigCmpv2Authenticators defaults) { + return new Builder(defaults); + } + @CustomType.Builder + public static final class Builder { + private @Nullable Map cert; + public Builder() {} + public Builder(BackendConfigCmpv2Authenticators defaults) { + Objects.requireNonNull(defaults); + this.cert = defaults.cert; + } + + @CustomType.Setter + public Builder cert(@Nullable Map cert) { + + this.cert = cert; + return this; + } + public BackendConfigCmpv2Authenticators build() { + final var _resultValue = new BackendConfigCmpv2Authenticators(); + _resultValue.cert = cert; + return _resultValue; + } + } +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/GetBackendConfigCmpv2Authenticator.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/GetBackendConfigCmpv2Authenticator.java new file mode 100644 index 00000000..0a86bb83 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/GetBackendConfigCmpv2Authenticator.java 
@@ -0,0 +1,57 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.outputs; + +import com.pulumi.core.annotations.CustomType; +import java.lang.String; +import java.util.Map; +import java.util.Objects; +import javax.annotation.Nullable; + +@CustomType +public final class GetBackendConfigCmpv2Authenticator { + /** + * @return The accessor and cert_role properties for cert auth backends + * + */ + private @Nullable Map cert; + + private GetBackendConfigCmpv2Authenticator() {} + /** + * @return The accessor and cert_role properties for cert auth backends + * + */ + public Map cert() { + return this.cert == null ? Map.of() : this.cert; + } + + public static Builder builder() { + return new Builder(); + } + + public static Builder builder(GetBackendConfigCmpv2Authenticator defaults) { + return new Builder(defaults); + } + @CustomType.Builder + public static final class Builder { + private @Nullable Map cert; + public Builder() {} + public Builder(GetBackendConfigCmpv2Authenticator defaults) { + Objects.requireNonNull(defaults); + this.cert = defaults.cert; + } + + @CustomType.Setter + public Builder cert(@Nullable Map cert) { + + this.cert = cert; + return this; + } + public GetBackendConfigCmpv2Authenticator build() { + final var _resultValue = new GetBackendConfigCmpv2Authenticator(); + _resultValue.cert = cert; + return _resultValue; + } + } +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/GetBackendConfigCmpv2Result.java b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/GetBackendConfigCmpv2Result.java new file mode 100644 index 00000000..1a753590 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/vault/pkiSecret/outputs/GetBackendConfigCmpv2Result.java 
@@ -0,0 +1,187 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.vault.pkiSecret.outputs; + +import com.pulumi.core.annotations.CustomType; +import com.pulumi.exceptions.MissingRequiredPropertyException; +import com.pulumi.vault.pkiSecret.outputs.GetBackendConfigCmpv2Authenticator; +import java.lang.Boolean; +import java.lang.String; +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + +@CustomType +public final class GetBackendConfigCmpv2Result { + private List auditFields; + private List authenticators; + private String backend; + private String defaultPathPolicy; + private Boolean enableSentinelParsing; + private Boolean enabled; + /** + * @return The provider-assigned unique ID for this managed resource. + * + */ + private String id; + private String lastUpdated; + private @Nullable String namespace; + + private GetBackendConfigCmpv2Result() {} + public List auditFields() { + return this.auditFields; + } + public List authenticators() { + return this.authenticators; + } + public String backend() { + return this.backend; + } + public String defaultPathPolicy() { + return this.defaultPathPolicy; + } + public Boolean enableSentinelParsing() { + return this.enableSentinelParsing; + } + public Boolean enabled() { + return this.enabled; + } + /** + * @return The provider-assigned unique ID for this managed resource. 
+ * + */ + public String id() { + return this.id; + } + public String lastUpdated() { + return this.lastUpdated; + } + public Optional namespace() { + return Optional.ofNullable(this.namespace); + } + + public static Builder builder() { + return new Builder(); + } + + public static Builder builder(GetBackendConfigCmpv2Result defaults) { + return new Builder(defaults); + } + @CustomType.Builder + public static final class Builder { + private List auditFields; + private List authenticators; + private String backend; + private String defaultPathPolicy; + private Boolean enableSentinelParsing; + private Boolean enabled; + private String id; + private String lastUpdated; + private @Nullable String namespace; + public Builder() {} + public Builder(GetBackendConfigCmpv2Result defaults) { + Objects.requireNonNull(defaults); + this.auditFields = defaults.auditFields; + this.authenticators = defaults.authenticators; + this.backend = defaults.backend; + this.defaultPathPolicy = defaults.defaultPathPolicy; + this.enableSentinelParsing = defaults.enableSentinelParsing; + this.enabled = defaults.enabled; + this.id = defaults.id; + this.lastUpdated = defaults.lastUpdated; + this.namespace = defaults.namespace; + } + + @CustomType.Setter + public Builder auditFields(List auditFields) { + if (auditFields == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "auditFields"); + } + this.auditFields = auditFields; + return this; + } + public Builder auditFields(String... auditFields) { + return auditFields(List.of(auditFields)); + } + @CustomType.Setter + public Builder authenticators(List authenticators) { + if (authenticators == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "authenticators"); + } + this.authenticators = authenticators; + return this; + } + public Builder authenticators(GetBackendConfigCmpv2Authenticator... 
authenticators) { + return authenticators(List.of(authenticators)); + } + @CustomType.Setter + public Builder backend(String backend) { + if (backend == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "backend"); + } + this.backend = backend; + return this; + } + @CustomType.Setter + public Builder defaultPathPolicy(String defaultPathPolicy) { + if (defaultPathPolicy == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "defaultPathPolicy"); + } + this.defaultPathPolicy = defaultPathPolicy; + return this; + } + @CustomType.Setter + public Builder enableSentinelParsing(Boolean enableSentinelParsing) { + if (enableSentinelParsing == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "enableSentinelParsing"); + } + this.enableSentinelParsing = enableSentinelParsing; + return this; + } + @CustomType.Setter + public Builder enabled(Boolean enabled) { + if (enabled == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "enabled"); + } + this.enabled = enabled; + return this; + } + @CustomType.Setter + public Builder id(String id) { + if (id == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "id"); + } + this.id = id; + return this; + } + @CustomType.Setter + public Builder lastUpdated(String lastUpdated) { + if (lastUpdated == null) { + throw new MissingRequiredPropertyException("GetBackendConfigCmpv2Result", "lastUpdated"); + } + this.lastUpdated = lastUpdated; + return this; + } + @CustomType.Setter + public Builder namespace(@Nullable String namespace) { + + this.namespace = namespace; + return this; + } + public GetBackendConfigCmpv2Result build() { + final var _resultValue = new GetBackendConfigCmpv2Result(); + _resultValue.auditFields = auditFields; + _resultValue.authenticators = authenticators; + _resultValue.backend = backend; + _resultValue.defaultPathPolicy = defaultPathPolicy; + 
_resultValue.enableSentinelParsing = enableSentinelParsing; + _resultValue.enabled = enabled; + _resultValue.id = id; + _resultValue.lastUpdated = lastUpdated; + _resultValue.namespace = namespace; + return _resultValue; + } + } +} diff --git a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java index 430ecc78..e2d1aee0 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRole.java @@ -114,9 +114,21 @@ public Output algorithmSigner() { public Output> allowBareDomains() { return Codegen.optional(this.allowBareDomains); } + /** + * Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + */ @Export(name="allowEmptyPrincipals", refs={Boolean.class}, tree="[0]") private Output allowEmptyPrincipals; + /** + * @return Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + */ public Output> allowEmptyPrincipals() { return Codegen.optional(this.allowEmptyPrincipals); } diff --git a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java index fd61d44c..5e4ec036 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ssh/SecretBackendRoleArgs.java 
@@ -50,9 +50,21 @@ public Optional> allowBareDomains() { return Optional.ofNullable(this.allowBareDomains); } + /** + * Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + */ @Import(name="allowEmptyPrincipals") private @Nullable Output allowEmptyPrincipals; + /** + * @return Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + */ public Optional> allowEmptyPrincipals() { return Optional.ofNullable(this.allowEmptyPrincipals); } @@ -521,11 +533,27 @@ public Builder allowBareDomains(Boolean allowBareDomains) { return allowBareDomains(Output.of(allowBareDomains)); } + /** + * @param allowEmptyPrincipals Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + * @return builder + * + */ public Builder allowEmptyPrincipals(@Nullable Output allowEmptyPrincipals) { $.allowEmptyPrincipals = allowEmptyPrincipals; return this; } + /** + * @param allowEmptyPrincipals Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + * @return builder + * + */ public Builder allowEmptyPrincipals(Boolean allowEmptyPrincipals) { return allowEmptyPrincipals(Output.of(allowEmptyPrincipals)); } diff --git a/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java b/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java index 9b1852c0..4cb8c925 100644 --- a/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java +++ b/sdk/java/src/main/java/com/pulumi/vault/ssh/inputs/SecretBackendRoleState.java 
@@ -49,9 +49,21 @@ public Optional> allowBareDomains() { return Optional.ofNullable(this.allowBareDomains); } + /** + * Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + */ @Import(name="allowEmptyPrincipals") private @Nullable Output allowEmptyPrincipals; + /** + * @return Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + */ public Optional> allowEmptyPrincipals() { return Optional.ofNullable(this.allowEmptyPrincipals); } @@ -520,11 +532,27 @@ public Builder allowBareDomains(Boolean allowBareDomains) { return allowBareDomains(Output.of(allowBareDomains)); } + /** + * @param allowEmptyPrincipals Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + * @return builder + * + */ public Builder allowEmptyPrincipals(@Nullable Output allowEmptyPrincipals) { $.allowEmptyPrincipals = allowEmptyPrincipals; return this; } + /** + * @param allowEmptyPrincipals Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + * + * @return builder + * + */ public Builder allowEmptyPrincipals(Boolean allowEmptyPrincipals) { return allowEmptyPrincipals(Output.of(allowEmptyPrincipals)); } diff --git a/sdk/nodejs/aws/authBackendStsRole.ts b/sdk/nodejs/aws/authBackendStsRole.ts index f51edbef..8ab3cce1 100644 --- a/sdk/nodejs/aws/authBackendStsRole.ts +++ b/sdk/nodejs/aws/authBackendStsRole.ts 
@@ -64,6 +64,10 @@ export class AuthBackendStsRole extends pulumi.CustomResource { * mounted at. Defaults to `aws`. */ public readonly backend!: pulumi.Output; + /** + * External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + */ + public readonly externalId!: pulumi.Output; /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. @@ -92,6 +96,7 @@ export class AuthBackendStsRole extends pulumi.CustomResource { const state = argsOrState as AuthBackendStsRoleState | undefined; resourceInputs["accountId"] = state ? state.accountId : undefined; resourceInputs["backend"] = state ? state.backend : undefined; + resourceInputs["externalId"] = state ? state.externalId : undefined; resourceInputs["namespace"] = state ? state.namespace : undefined; resourceInputs["stsRole"] = state ? state.stsRole : undefined; } else { @@ -104,6 +109,7 @@ export class AuthBackendStsRole extends pulumi.CustomResource { } resourceInputs["accountId"] = args ? args.accountId : undefined; resourceInputs["backend"] = args ? args.backend : undefined; + resourceInputs["externalId"] = args ? args.externalId : undefined; resourceInputs["namespace"] = args ? args.namespace : undefined; resourceInputs["stsRole"] = args ? args.stsRole : undefined; } @@ -125,6 +131,10 @@ export interface AuthBackendStsRoleState { * mounted at. Defaults to `aws`. */ backend?: pulumi.Input; + /** + * External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + */ + externalId?: pulumi.Input; /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. 
@@ -152,6 +162,10 @@ export interface AuthBackendStsRoleArgs { * mounted at. Defaults to `aws`. */ backend?: pulumi.Input; + /** + * External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + */ + externalId?: pulumi.Input; /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. diff --git a/sdk/nodejs/aws/secretBackend.ts b/sdk/nodejs/aws/secretBackend.ts index d1a2b98e..45a177f6 100644 --- a/sdk/nodejs/aws/secretBackend.ts +++ b/sdk/nodejs/aws/secretBackend.ts @@ -122,6 +122,18 @@ export class SecretBackend extends pulumi.CustomResource { * Specifies a custom HTTP STS endpoint to use. */ public readonly stsEndpoint!: pulumi.Output; + /** + * Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + */ + public readonly stsFallbackEndpoints!: pulumi.Output; + /** + * Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + */ + public readonly stsFallbackRegions!: pulumi.Output; + /** + * Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + */ + public readonly stsRegion!: pulumi.Output; /** * Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: */ 
@@ -156,6 +168,9 @@ export class SecretBackend extends pulumi.CustomResource { resourceInputs["roleArn"] = state ? state.roleArn : undefined; resourceInputs["secretKey"] = state ? state.secretKey : undefined; resourceInputs["stsEndpoint"] = state ? state.stsEndpoint : undefined; + resourceInputs["stsFallbackEndpoints"] = state ? state.stsFallbackEndpoints : undefined; + resourceInputs["stsFallbackRegions"] = state ? state.stsFallbackRegions : undefined; + resourceInputs["stsRegion"] = state ? state.stsRegion : undefined; resourceInputs["usernameTemplate"] = state ? state.usernameTemplate : undefined; } else { const args = argsOrState as SecretBackendArgs | undefined; @@ -175,6 +190,9 @@ export class SecretBackend extends pulumi.CustomResource { resourceInputs["roleArn"] = args ? args.roleArn : undefined; resourceInputs["secretKey"] = args?.secretKey ? pulumi.secret(args.secretKey) : undefined; resourceInputs["stsEndpoint"] = args ? args.stsEndpoint : undefined; + resourceInputs["stsFallbackEndpoints"] = args ? args.stsFallbackEndpoints : undefined; + resourceInputs["stsFallbackRegions"] = args ? args.stsFallbackRegions : undefined; + resourceInputs["stsRegion"] = args ? args.stsRegion : undefined; resourceInputs["usernameTemplate"] = args ? args.usernameTemplate : undefined; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); 
@@ -269,6 +287,18 @@ export interface SecretBackendState { * Specifies a custom HTTP STS endpoint to use. */ stsEndpoint?: pulumi.Input; + /** + * Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + */ + stsFallbackEndpoints?: pulumi.Input[]>; + /** + * Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + */ + stsFallbackRegions?: pulumi.Input[]>; + /** + * Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + */ + stsRegion?: pulumi.Input; /** * Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: */ @@ -360,6 +390,18 @@ export interface SecretBackendArgs { * Specifies a custom HTTP STS endpoint to use. */ stsEndpoint?: pulumi.Input; + /** + * Ordered list of `stsEndpoint`s to try if the defined one fails. Requires Vault 1.19+ + */ + stsFallbackEndpoints?: pulumi.Input[]>; + /** + * Ordered list of `stsRegion`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + */ + stsFallbackRegions?: pulumi.Input[]>; + /** + * Specifies the region of the STS endpoint. Should be included if `stsEndpoint` is supplied. Requires Vault 1.19+ + */ + stsRegion?: pulumi.Input; /** * Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: */ diff --git a/sdk/nodejs/pkisecret/backendAcmeEab.ts b/sdk/nodejs/pkisecret/backendAcmeEab.ts new file mode 100644 index 00000000..61cf6a8c --- /dev/null +++ b/sdk/nodejs/pkisecret/backendAcmeEab.ts 
@@ -0,0 +1,234 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +import * as pulumi from "@pulumi/pulumi"; +import * as utilities from "../utilities"; + +/** + * Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as vault from "@pulumi/vault"; + * + * const test = new vault.Mount("test", { + * path: "pki", + * type: "pki", + * description: "PKI secret engine mount", + * }); + * const testBackendAcmeEab = new vault.pkisecret.BackendAcmeEab("test", {backend: test.path}); + * ``` + * + * ## Import + * + * As EAB tokens are only available on initial creation there is no possibility to + * + * import or update this resource. + */ +export class BackendAcmeEab extends pulumi.CustomResource { + /** + * Get an existing BackendAcmeEab resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state Any extra arguments used during the lookup. + * @param opts Optional settings to control the behavior of the CustomResource. + */ + public static get(name: string, id: pulumi.Input, state?: BackendAcmeEabState, opts?: pulumi.CustomResourceOptions): BackendAcmeEab { + return new BackendAcmeEab(name, state, { ...opts, id: id }); + } + + /** @internal */ + public static readonly __pulumiType = 'vault:pkiSecret/backendAcmeEab:BackendAcmeEab'; + + /** + * Returns true if the given object is an instance of BackendAcmeEab. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. 
+ */ + public static isInstance(obj: any): obj is BackendAcmeEab { + if (obj === undefined || obj === null) { + return false; + } + return obj['__pulumiType'] === BackendAcmeEab.__pulumiType; + } + + /** + * The ACME directory to which the key belongs + */ + public /*out*/ readonly acmeDirectory!: pulumi.Output; + /** + * The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + */ + public readonly backend!: pulumi.Output; + /** + * An RFC3339 formatted date time when the EAB token was created + */ + public /*out*/ readonly createdOn!: pulumi.Output; + /** + * The identifier of a specific ACME EAB token + */ + public /*out*/ readonly eabId!: pulumi.Output; + /** + * Create an EAB token that is specific to an issuer's ACME directory. + */ + public readonly issuer!: pulumi.Output; + /** + * The EAB token + */ + public /*out*/ readonly key!: pulumi.Output; + /** + * The key type of the EAB key + */ + public /*out*/ readonly keyType!: pulumi.Output; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + public readonly namespace!: pulumi.Output; + /** + * Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + */ + public readonly role!: pulumi.Output; + + /** + * Create a BackendAcmeEab resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. + * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. + */ + constructor(name: string, args: BackendAcmeEabArgs, opts?: pulumi.CustomResourceOptions) + constructor(name: string, argsOrState?: BackendAcmeEabArgs | BackendAcmeEabState, opts?: pulumi.CustomResourceOptions) { + let resourceInputs: pulumi.Inputs = {}; + opts = opts || {}; + if (opts.id) { + const state = argsOrState as BackendAcmeEabState | undefined; + resourceInputs["acmeDirectory"] = state ? state.acmeDirectory : undefined; + resourceInputs["backend"] = state ? state.backend : undefined; + resourceInputs["createdOn"] = state ? state.createdOn : undefined; + resourceInputs["eabId"] = state ? state.eabId : undefined; + resourceInputs["issuer"] = state ? state.issuer : undefined; + resourceInputs["key"] = state ? state.key : undefined; + resourceInputs["keyType"] = state ? state.keyType : undefined; + resourceInputs["namespace"] = state ? state.namespace : undefined; + resourceInputs["role"] = state ? state.role : undefined; + } else { + const args = argsOrState as BackendAcmeEabArgs | undefined; + if ((!args || args.backend === undefined) && !opts.urn) { + throw new Error("Missing required property 'backend'"); + } + resourceInputs["backend"] = args ? args.backend : undefined; + resourceInputs["issuer"] = args ? args.issuer : undefined; + resourceInputs["namespace"] = args ? args.namespace : undefined; + resourceInputs["role"] = args ? 
args.role : undefined; + resourceInputs["acmeDirectory"] = undefined /*out*/; + resourceInputs["createdOn"] = undefined /*out*/; + resourceInputs["eabId"] = undefined /*out*/; + resourceInputs["key"] = undefined /*out*/; + resourceInputs["keyType"] = undefined /*out*/; + } + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const secretOpts = { additionalSecretOutputs: ["key"] }; + opts = pulumi.mergeOptions(opts, secretOpts); + super(BackendAcmeEab.__pulumiType, name, resourceInputs, opts); + } +} + +/** + * Input properties used for looking up and filtering BackendAcmeEab resources. + */ +export interface BackendAcmeEabState { + /** + * The ACME directory to which the key belongs + */ + acmeDirectory?: pulumi.Input; + /** + * The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + */ + backend?: pulumi.Input; + /** + * An RFC3339 formatted date time when the EAB token was created + */ + createdOn?: pulumi.Input; + /** + * The identifier of a specific ACME EAB token + */ + eabId?: pulumi.Input; + /** + * Create an EAB token that is specific to an issuer's ACME directory. + */ + issuer?: pulumi.Input; + /** + * The EAB token + */ + key?: pulumi.Input; + /** + * The key type of the EAB key + */ + keyType?: pulumi.Input; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: pulumi.Input; + /** + * Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. 
Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + */ + role?: pulumi.Input; +} + +/** + * The set of arguments for constructing a BackendAcmeEab resource. + */ +export interface BackendAcmeEabArgs { + /** + * The path to the PKI secret backend to + * create the EAB token within, with no leading or trailing `/`s. + */ + backend: pulumi.Input; + /** + * Create an EAB token that is specific to an issuer's ACME directory. + */ + issuer?: pulumi.Input; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: pulumi.Input; + /** + * Create an EAB token that is specific to a role's ACME directory. + * + * **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + * + * 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + * 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + * 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + * 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + */ + role?: pulumi.Input; +} diff --git a/sdk/nodejs/pkisecret/backendConfigAcme.ts b/sdk/nodejs/pkisecret/backendConfigAcme.ts new file mode 100644 index 00000000..35bd20df --- /dev/null +++ b/sdk/nodejs/pkisecret/backendConfigAcme.ts 
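Review bot: The doc comment on `key` is only `The EAB token`, which does not tell a user that this output is a credential. The constructor registers it under `additionalSecretOutputs`, and the Import section says tokens are only available on initial creation, so the comment could read `The EAB token. Secret output; only returned when the token is created, and kept encrypted in stack state.` The Import paragraph is also split mid-sentence (`there is no possibility to` / `import or update this resource.`) and should be joined. The file is generated, so both fixes belong in the upstream docs.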
@@ -0,0 +1,259 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +import * as pulumi from "@pulumi/pulumi"; +import * as utilities from "../utilities"; + +/** + * Allows setting the ACME server configuration used by specified mount. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as vault from "@pulumi/vault"; + * + * const pki = new vault.Mount("pki", { + * path: "pki", + * type: "pki", + * defaultLeaseTtlSeconds: 3600, + * maxLeaseTtlSeconds: 86400, + * }); + * const pkiConfigCluster = new vault.pkisecret.BackendConfigCluster("pki_config_cluster", { + * backend: pki.path, + * path: "http://127.0.0.1:8200/v1/pki", + * aiaPath: "http://127.0.0.1:8200/v1/pki", + * }); + * const example = new vault.pkisecret.BackendConfigAcme("example", { + * backend: pki.path, + * enabled: true, + * allowedIssuers: ["*"], + * allowedRoles: ["*"], + * allowRoleExtKeyUsage: false, + * defaultDirectoryPolicy: "sign-verbatim", + * dnsResolver: "", + * eabPolicy: "not-required", + * }); + * ``` + * + * ## Import + * + * The ACME configuration can be imported using the resource's `id`. + * In the case of the example above the `id` would be `pki/config/acme`, + * where the `pki` component is the resource's `backend`, e.g. + * + * ```sh + * $ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme + * ``` + */ +export class BackendConfigAcme extends pulumi.CustomResource { + /** + * Get an existing BackendConfigAcme resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state Any extra arguments used during the lookup. 
+ * @param opts Optional settings to control the behavior of the CustomResource. + */ + public static get(name: string, id: pulumi.Input, state?: BackendConfigAcmeState, opts?: pulumi.CustomResourceOptions): BackendConfigAcme { + return new BackendConfigAcme(name, state, { ...opts, id: id }); + } + + /** @internal */ + public static readonly __pulumiType = 'vault:pkiSecret/backendConfigAcme:BackendConfigAcme'; + + /** + * Returns true if the given object is an instance of BackendConfigAcme. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. + */ + public static isInstance(obj: any): obj is BackendConfigAcme { + if (obj === undefined || obj === null) { + return false; + } + return obj['__pulumiType'] === BackendConfigAcme.__pulumiType; + } + + /** + * Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + */ + public readonly allowRoleExtKeyUsage!: pulumi.Output; + /** + * Specifies which issuers are allowed for use with ACME. + */ + public readonly allowedIssuers!: pulumi.Output; + /** + * Specifies which roles are allowed for use with ACME. + */ + public readonly allowedRoles!: pulumi.Output; + /** + * The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + */ + public readonly backend!: pulumi.Output; + /** + * Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + */ + public readonly defaultDirectoryPolicy!: pulumi.Output; + /** + * DNS resolver to use for domain resolution on this mount. + * Must be in the format `:`, with both parts mandatory. + */ + public readonly dnsResolver!: pulumi.Output; + /** + * Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. 
+ */ + public readonly eabPolicy!: pulumi.Output; + /** + * Specifies whether ACME is enabled. + */ + public readonly enabled!: pulumi.Output; + /** + * The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + */ + public readonly namespace!: pulumi.Output; + + /** + * Create a BackendConfigAcme resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. + * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. + */ + constructor(name: string, args: BackendConfigAcmeArgs, opts?: pulumi.CustomResourceOptions) + constructor(name: string, argsOrState?: BackendConfigAcmeArgs | BackendConfigAcmeState, opts?: pulumi.CustomResourceOptions) { + let resourceInputs: pulumi.Inputs = {}; + opts = opts || {}; + if (opts.id) { + const state = argsOrState as BackendConfigAcmeState | undefined; + resourceInputs["allowRoleExtKeyUsage"] = state ? state.allowRoleExtKeyUsage : undefined; + resourceInputs["allowedIssuers"] = state ? state.allowedIssuers : undefined; + resourceInputs["allowedRoles"] = state ? state.allowedRoles : undefined; + resourceInputs["backend"] = state ? state.backend : undefined; + resourceInputs["defaultDirectoryPolicy"] = state ? state.defaultDirectoryPolicy : undefined; + resourceInputs["dnsResolver"] = state ? state.dnsResolver : undefined; + resourceInputs["eabPolicy"] = state ? state.eabPolicy : undefined; + resourceInputs["enabled"] = state ? state.enabled : undefined; + resourceInputs["namespace"] = state ? 
state.namespace : undefined; + } else { + const args = argsOrState as BackendConfigAcmeArgs | undefined; + if ((!args || args.backend === undefined) && !opts.urn) { + throw new Error("Missing required property 'backend'"); + } + if ((!args || args.enabled === undefined) && !opts.urn) { + throw new Error("Missing required property 'enabled'"); + } + resourceInputs["allowRoleExtKeyUsage"] = args ? args.allowRoleExtKeyUsage : undefined; + resourceInputs["allowedIssuers"] = args ? args.allowedIssuers : undefined; + resourceInputs["allowedRoles"] = args ? args.allowedRoles : undefined; + resourceInputs["backend"] = args ? args.backend : undefined; + resourceInputs["defaultDirectoryPolicy"] = args ? args.defaultDirectoryPolicy : undefined; + resourceInputs["dnsResolver"] = args ? args.dnsResolver : undefined; + resourceInputs["eabPolicy"] = args ? args.eabPolicy : undefined; + resourceInputs["enabled"] = args ? args.enabled : undefined; + resourceInputs["namespace"] = args ? args.namespace : undefined; + } + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + super(BackendConfigAcme.__pulumiType, name, resourceInputs, opts); + } +} + +/** + * Input properties used for looking up and filtering BackendConfigAcme resources. + */ +export interface BackendConfigAcmeState { + /** + * Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + */ + allowRoleExtKeyUsage?: pulumi.Input; + /** + * Specifies which issuers are allowed for use with ACME. + */ + allowedIssuers?: pulumi.Input[]>; + /** + * Specifies which roles are allowed for use with ACME. + */ + allowedRoles?: pulumi.Input[]>; + /** + * The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + */ + backend?: pulumi.Input; + /** + * Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. 
+ */ + defaultDirectoryPolicy?: pulumi.Input; + /** + * DNS resolver to use for domain resolution on this mount. + * Must be in the format `:`, with both parts mandatory. + */ + dnsResolver?: pulumi.Input; + /** + * Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. + */ + eabPolicy?: pulumi.Input; + /** + * Specifies whether ACME is enabled. + */ + enabled?: pulumi.Input; + /** + * The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: pulumi.Input; +} + +/** + * The set of arguments for constructing a BackendConfigAcme resource. + */ +export interface BackendConfigAcmeArgs { + /** + * Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + */ + allowRoleExtKeyUsage?: pulumi.Input; + /** + * Specifies which issuers are allowed for use with ACME. + */ + allowedIssuers?: pulumi.Input[]>; + /** + * Specifies which roles are allowed for use with ACME. + */ + allowedRoles?: pulumi.Input[]>; + /** + * The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + */ + backend: pulumi.Input; + /** + * Specifies the policy to be used for non-role-qualified ACME requests. + * Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + */ + defaultDirectoryPolicy?: pulumi.Input; + /** + * DNS resolver to use for domain resolution on this mount. + * Must be in the format `:`, with both parts mandatory. + */ + dnsResolver?: pulumi.Input; + /** + * Specifies the policy to use for external account binding behaviour. + * Allowed values are `not-required`, `new-account-required` or `always-required`. 
+ */ + eabPolicy?: pulumi.Input; + /** + * Specifies whether ACME is enabled. + */ + enabled: pulumi.Input; + /** + * The namespace to provision the resource in. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: pulumi.Input; +} diff --git a/sdk/nodejs/pkisecret/backendConfigCmpv2.ts b/sdk/nodejs/pkisecret/backendConfigCmpv2.ts new file mode 100644 index 00000000..18487034 --- /dev/null +++ b/sdk/nodejs/pkisecret/backendConfigCmpv2.ts 
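Review bot: The only usage example for `BackendConfigAcme` is the most permissive configuration its documented values allow: `allowedIssuers: ["*"]`, `allowedRoles: ["*"]`, `defaultDirectoryPolicy: "sign-verbatim"` and `eabPolicy: "not-required"`, with the cluster paths on plain `http://`. Examples get copied into real stacks, so this one should either show a restrictive setup, e.g. `eabPolicy: "always-required",` with a role-qualified `defaultDirectoryPolicy`, or carry a comment such as `// Permissive settings for local testing only; restrict issuers, roles and EAB before production use.` The file is generated, so the change would go into the upstream example.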
@@ -0,0 +1,211 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +import * as pulumi from "@pulumi/pulumi"; +import * as inputs from "../types/input"; +import * as outputs from "../types/output"; +import * as utilities from "../utilities"; + +/** + * Allows setting the CMPv2 configuration on a PKI Secret Backend + * + * ## Import + * + * The PKI config cluster can be imported using the resource's `id`. + * In the case of the example above the `id` would be `pki-root/config/cmpv2`, + * where the `pki-root` component is the resource's `backend`, e.g. + * + * ```sh + * $ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2 + * ``` + */ +export class BackendConfigCmpv2 extends pulumi.CustomResource { + /** + * Get an existing BackendConfigCmpv2 resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state Any extra arguments used during the lookup. + * @param opts Optional settings to control the behavior of the CustomResource. + */ + public static get(name: string, id: pulumi.Input, state?: BackendConfigCmpv2State, opts?: pulumi.CustomResourceOptions): BackendConfigCmpv2 { + return new BackendConfigCmpv2(name, state, { ...opts, id: id }); + } + + /** @internal */ + public static readonly __pulumiType = 'vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2'; + + /** + * Returns true if the given object is an instance of BackendConfigCmpv2. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. 
+ */ + public static isInstance(obj: any): obj is BackendConfigCmpv2 { + if (obj === undefined || obj === null) { + return false; + } + return obj['__pulumiType'] === BackendConfigCmpv2.__pulumiType; + } + + /** + * Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * + */ + public readonly auditFields!: pulumi.Output; + /** + * Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + */ + public readonly authenticators!: pulumi.Output; + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + */ + public readonly backend!: pulumi.Output; + /** + * Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + */ + public readonly defaultPathPolicy!: pulumi.Output; + /** + * If set, parse out fields from the provided CSR making them available for Sentinel policies. + */ + public readonly enableSentinelParsing!: pulumi.Output; + /** + * Specifies whether CMPv2 is enabled. + */ + public readonly enabled!: pulumi.Output; + /** + * A read-only timestamp representing the last time the configuration was updated. + */ + public /*out*/ readonly lastUpdated!: pulumi.Output; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + public readonly namespace!: pulumi.Output; + + /** + * Create a BackendConfigCmpv2 resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. + * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. 
+ */ + constructor(name: string, args: BackendConfigCmpv2Args, opts?: pulumi.CustomResourceOptions) + constructor(name: string, argsOrState?: BackendConfigCmpv2Args | BackendConfigCmpv2State, opts?: pulumi.CustomResourceOptions) { + let resourceInputs: pulumi.Inputs = {}; + opts = opts || {}; + if (opts.id) { + const state = argsOrState as BackendConfigCmpv2State | undefined; + resourceInputs["auditFields"] = state ? state.auditFields : undefined; + resourceInputs["authenticators"] = state ? state.authenticators : undefined; + resourceInputs["backend"] = state ? state.backend : undefined; + resourceInputs["defaultPathPolicy"] = state ? state.defaultPathPolicy : undefined; + resourceInputs["enableSentinelParsing"] = state ? state.enableSentinelParsing : undefined; + resourceInputs["enabled"] = state ? state.enabled : undefined; + resourceInputs["lastUpdated"] = state ? state.lastUpdated : undefined; + resourceInputs["namespace"] = state ? state.namespace : undefined; + } else { + const args = argsOrState as BackendConfigCmpv2Args | undefined; + if ((!args || args.backend === undefined) && !opts.urn) { + throw new Error("Missing required property 'backend'"); + } + resourceInputs["auditFields"] = args ? args.auditFields : undefined; + resourceInputs["authenticators"] = args ? args.authenticators : undefined; + resourceInputs["backend"] = args ? args.backend : undefined; + resourceInputs["defaultPathPolicy"] = args ? args.defaultPathPolicy : undefined; + resourceInputs["enableSentinelParsing"] = args ? args.enableSentinelParsing : undefined; + resourceInputs["enabled"] = args ? args.enabled : undefined; + resourceInputs["namespace"] = args ? args.namespace : undefined; + resourceInputs["lastUpdated"] = undefined /*out*/; + } + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + super(BackendConfigCmpv2.__pulumiType, name, resourceInputs, opts); + } +} + +/** + * Input properties used for looking up and filtering BackendConfigCmpv2 resources. 
+ */ +export interface BackendConfigCmpv2State { + /** + * Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * + */ + auditFields?: pulumi.Input[]>; + /** + * Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + */ + authenticators?: pulumi.Input; + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + */ + backend?: pulumi.Input; + /** + * Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + */ + defaultPathPolicy?: pulumi.Input; + /** + * If set, parse out fields from the provided CSR making them available for Sentinel policies. + */ + enableSentinelParsing?: pulumi.Input; + /** + * Specifies whether CMPv2 is enabled. + */ + enabled?: pulumi.Input; + /** + * A read-only timestamp representing the last time the configuration was updated. + */ + lastUpdated?: pulumi.Input; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: pulumi.Input; +} + +/** + * The set of arguments for constructing a BackendConfigCmpv2 resource. + */ +export interface BackendConfigCmpv2Args { + /** + * Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + * + * + */ + auditFields?: pulumi.Input[]>; + /** + * Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + */ + authenticators?: pulumi.Input; + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. 
+ */ + backend: pulumi.Input; + /** + * Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + */ + defaultPathPolicy?: pulumi.Input; + /** + * If set, parse out fields from the provided CSR making them available for Sentinel policies. + */ + enableSentinelParsing?: pulumi.Input; + /** + * Specifies whether CMPv2 is enabled. + */ + enabled?: pulumi.Input; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: pulumi.Input; +} diff --git a/sdk/nodejs/pkisecret/getBackendConfigCmpv2.ts b/sdk/nodejs/pkisecret/getBackendConfigCmpv2.ts new file mode 100644 index 00000000..7c46593e --- /dev/null +++ b/sdk/nodejs/pkisecret/getBackendConfigCmpv2.ts 
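Review bot: The Import section of `BackendConfigCmpv2` refers to "the example above" and calls the resource "The PKI config cluster", but this file has no example and the resource is the CMPv2 configuration; the text looks copied from another resource. The `authenticators` comment likewise points to a nested schema "below" that is not in this file, so a reader cannot tell from here which auth mounts CMPv2 requests are delegated to. A corrected first line would be `The CMPv2 configuration can be imported using the resource's id, e.g. pki-root/config/cmpv2, where pki-root is the resource's backend.` The file is generated, so the fix belongs in the upstream docs.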
@@ -0,0 +1,114 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +import * as pulumi from "@pulumi/pulumi"; +import * as inputs from "../types/input"; +import * as outputs from "../types/output"; +import * as utilities from "../utilities"; + +/** + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as vault from "@pulumi/vault"; + * + * const pki = new vault.Mount("pki", { + * path: "pki", + * type: "pki", + * description: "PKI secret engine mount", + * }); + * const cmpv2Config = vault.pkiSecret.getBackendConfigCmpv2Output({ + * backend: pki.path, + * }); + * ``` + */ +export function getBackendConfigCmpv2(args: GetBackendConfigCmpv2Args, opts?: pulumi.InvokeOptions): Promise { + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); + return pulumi.runtime.invoke("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", { + "backend": args.backend, + "namespace": args.namespace, + }, opts); +} + +/** + * A collection of arguments for invoking getBackendConfigCmpv2. + */ +export interface GetBackendConfigCmpv2Args { + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + */ + backend: string; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: string; +} + +/** + * A collection of values returned by getBackendConfigCmpv2. 
+ */ +export interface GetBackendConfigCmpv2Result { + readonly auditFields: string[]; + readonly authenticators: outputs.pkiSecret.GetBackendConfigCmpv2Authenticator[]; + readonly backend: string; + readonly defaultPathPolicy: string; + readonly enableSentinelParsing: boolean; + readonly enabled: boolean; + /** + * The provider-assigned unique ID for this managed resource. + */ + readonly id: string; + readonly lastUpdated: string; + readonly namespace?: string; +} +/** + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as vault from "@pulumi/vault"; + * + * const pki = new vault.Mount("pki", { + * path: "pki", + * type: "pki", + * description: "PKI secret engine mount", + * }); + * const cmpv2Config = vault.pkiSecret.getBackendConfigCmpv2Output({ + * backend: pki.path, + * }); + * ``` + */ +export function getBackendConfigCmpv2Output(args: GetBackendConfigCmpv2OutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output { + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {}); + return pulumi.runtime.invokeOutput("vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2", { + "backend": args.backend, + "namespace": args.namespace, + }, opts); +} + +/** + * A collection of arguments for invoking getBackendConfigCmpv2. + */ +export interface GetBackendConfigCmpv2OutputArgs { + /** + * The path to the PKI secret backend to + * read the CMPv2 configuration from, with no leading or trailing `/`s. + * + * # Attributes Reference + */ + backend: pulumi.Input; + /** + * The namespace of the target resource. + * The value should not contain leading or trailing forward slashes. + * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + * *Available only for Vault Enterprise*. + */ + namespace?: pulumi.Input; +} 
diff --git a/sdk/nodejs/pkisecret/index.ts b/sdk/nodejs/pkisecret/index.ts index 7a60598e..35ad629e 100644 --- a/sdk/nodejs/pkisecret/index.ts +++ b/sdk/nodejs/pkisecret/index.ts 
@@ -5,16 +5,36 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; // Export members: +export { BackendAcmeEabArgs, BackendAcmeEabState } from "./backendAcmeEab"; +export type BackendAcmeEab = import("./backendAcmeEab").BackendAcmeEab; +export const BackendAcmeEab: typeof import("./backendAcmeEab").BackendAcmeEab = null as any; +utilities.lazyLoad(exports, ["BackendAcmeEab"], () => require("./backendAcmeEab")); + +export { BackendConfigAcmeArgs, BackendConfigAcmeState } from "./backendConfigAcme"; +export type BackendConfigAcme = import("./backendConfigAcme").BackendConfigAcme; +export const BackendConfigAcme: typeof import("./backendConfigAcme").BackendConfigAcme = null as any; +utilities.lazyLoad(exports, ["BackendConfigAcme"], () => require("./backendConfigAcme")); + export { BackendConfigClusterArgs, BackendConfigClusterState } from "./backendConfigCluster"; export type BackendConfigCluster = import("./backendConfigCluster").BackendConfigCluster; export const BackendConfigCluster: typeof import("./backendConfigCluster").BackendConfigCluster = null as any; utilities.lazyLoad(exports, ["BackendConfigCluster"], () => require("./backendConfigCluster")); +export { BackendConfigCmpv2Args, BackendConfigCmpv2State } from "./backendConfigCmpv2"; +export type BackendConfigCmpv2 = import("./backendConfigCmpv2").BackendConfigCmpv2; +export const BackendConfigCmpv2: typeof import("./backendConfigCmpv2").BackendConfigCmpv2 = null as any; +utilities.lazyLoad(exports, ["BackendConfigCmpv2"], () => require("./backendConfigCmpv2")); + export { BackendConfigEstArgs, BackendConfigEstState } from "./backendConfigEst"; export type BackendConfigEst = import("./backendConfigEst").BackendConfigEst; export const BackendConfigEst: typeof import("./backendConfigEst").BackendConfigEst = null as any; utilities.lazyLoad(exports, ["BackendConfigEst"], () => require("./backendConfigEst")); +export { GetBackendConfigCmpv2Args, GetBackendConfigCmpv2Result, 
GetBackendConfigCmpv2OutputArgs } from "./getBackendConfigCmpv2"; +export const getBackendConfigCmpv2: typeof import("./getBackendConfigCmpv2").getBackendConfigCmpv2 = null as any; +export const getBackendConfigCmpv2Output: typeof import("./getBackendConfigCmpv2").getBackendConfigCmpv2Output = null as any; +utilities.lazyLoad(exports, ["getBackendConfigCmpv2","getBackendConfigCmpv2Output"], () => require("./getBackendConfigCmpv2")); + export { GetBackendConfigEstArgs, GetBackendConfigEstResult, GetBackendConfigEstOutputArgs } from "./getBackendConfigEst"; export const getBackendConfigEst: typeof import("./getBackendConfigEst").getBackendConfigEst = null as any; export const getBackendConfigEstOutput: typeof import("./getBackendConfigEst").getBackendConfigEstOutput = null as any; @@ -110,8 +130,14 @@ const _module = { version: utilities.getVersion(), construct: (name: string, type: string, urn: string): pulumi.Resource => { switch (type) { + case "vault:pkiSecret/backendAcmeEab:BackendAcmeEab": + return new BackendAcmeEab(name, undefined, { urn }) + case "vault:pkiSecret/backendConfigAcme:BackendConfigAcme": + return new BackendConfigAcme(name, undefined, { urn }) case "vault:pkiSecret/backendConfigCluster:BackendConfigCluster": return new BackendConfigCluster(name, undefined, { urn }) + case "vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2": + return new BackendConfigCmpv2(name, undefined, { urn }) case "vault:pkiSecret/backendConfigEst:BackendConfigEst": return new BackendConfigEst(name, undefined, { urn }) case "vault:pkiSecret/secretBackendCert:SecretBackendCert": 
@@ -145,7 +171,10 @@ const _module = { } }, }; +pulumi.runtime.registerResourceModule("vault", "pkiSecret/backendAcmeEab", _module) +pulumi.runtime.registerResourceModule("vault", "pkiSecret/backendConfigAcme", _module) pulumi.runtime.registerResourceModule("vault", "pkiSecret/backendConfigCluster", _module) +pulumi.runtime.registerResourceModule("vault", "pkiSecret/backendConfigCmpv2", _module) pulumi.runtime.registerResourceModule("vault", "pkiSecret/backendConfigEst", _module) pulumi.runtime.registerResourceModule("vault", "pkiSecret/secretBackendCert", _module) pulumi.runtime.registerResourceModule("vault", "pkiSecret/secretBackendConfigCa", _module) diff --git a/sdk/nodejs/pkisecret/secretBackendRole.ts b/sdk/nodejs/pkisecret/secretBackendRole.ts index dae17e3d..dc505ec6 100644 --- a/sdk/nodejs/pkisecret/secretBackendRole.ts +++ b/sdk/nodejs/pkisecret/secretBackendRole.ts @@ -140,6 +140,10 @@ export class SecretBackendRole extends pulumi.CustomResource { * Flag to specify certificates for client use */ public readonly clientFlag!: pulumi.Output; + /** + * Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + */ + public readonly cnValidations!: pulumi.Output; /** * Flag to specify certificates for code signing use */ @@ -296,6 +300,7 @@ export class SecretBackendRole extends pulumi.CustomResource { resourceInputs["backend"] = state ? state.backend : undefined; resourceInputs["basicConstraintsValidForNonCa"] = state ? state.basicConstraintsValidForNonCa : undefined; resourceInputs["clientFlag"] = state ? state.clientFlag : undefined; + resourceInputs["cnValidations"] = state ? state.cnValidations : undefined; resourceInputs["codeSigningFlag"] = state ? state.codeSigningFlag : undefined; resourceInputs["countries"] = state ? state.countries : undefined; resourceInputs["emailProtectionFlag"] = state ? state.emailProtectionFlag : undefined; 
@@ -347,6 +352,7 @@ export class SecretBackendRole extends pulumi.CustomResource { resourceInputs["backend"] = args ? args.backend : undefined; resourceInputs["basicConstraintsValidForNonCa"] = args ? args.basicConstraintsValidForNonCa : undefined; resourceInputs["clientFlag"] = args ? args.clientFlag : undefined; + resourceInputs["cnValidations"] = args ? args.cnValidations : undefined; resourceInputs["codeSigningFlag"] = args ? args.codeSigningFlag : undefined; resourceInputs["countries"] = args ? args.countries : undefined; resourceInputs["emailProtectionFlag"] = args ? args.emailProtectionFlag : undefined; @@ -454,6 +460,10 @@ export interface SecretBackendRoleState { * Flag to specify certificates for client use */ clientFlag?: pulumi.Input; + /** + * Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + */ + cnValidations?: pulumi.Input[]>; /** * Flag to specify certificates for code signing use */ @@ -653,6 +663,10 @@ export interface SecretBackendRoleArgs { * Flag to specify certificates for client use */ clientFlag?: pulumi.Input; + /** + * Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + */ + cnValidations?: pulumi.Input[]>; /** * Flag to specify certificates for code signing use */ diff --git a/sdk/nodejs/ssh/secretBackendRole.ts b/sdk/nodejs/ssh/secretBackendRole.ts index 44f073a7..daa1e1c5 100644 --- a/sdk/nodejs/ssh/secretBackendRole.ts +++ b/sdk/nodejs/ssh/secretBackendRole.ts 
@@ -77,6 +77,11 @@ export class SecretBackendRole extends pulumi.CustomResource { * Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. */ public readonly allowBareDomains!: pulumi.Output; + /** + * Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + */ public readonly allowEmptyPrincipals!: pulumi.Output; /** * Specifies if certificates are allowed to be signed for use as a 'host'. @@ -274,6 +279,11 @@ export interface SecretBackendRoleState { * Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. */ allowBareDomains?: pulumi.Input; + /** + * Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + */ allowEmptyPrincipals?: pulumi.Input; /** * Specifies if certificates are allowed to be signed for use as a 'host'. @@ -391,6 +401,11 @@ export interface SecretBackendRoleArgs { * Specifies if host certificates that are requested are allowed to use the base domains listed in `allowedDomains`. */ allowBareDomains?: pulumi.Input; + /** + * Allow signing certificates with no + * valid principals (e.g. any valid principal). For backwards compatibility + * only. The default of false is highly recommended. + */ allowEmptyPrincipals?: pulumi.Input; /** * Specifies if certificates are allowed to be signed for use as a 'host'. diff --git a/sdk/nodejs/tsconfig.json b/sdk/nodejs/tsconfig.json index a02600b7..e5007bc4 100644 --- a/sdk/nodejs/tsconfig.json +++ b/sdk/nodejs/tsconfig.json 
@@ -165,8 +165,12 @@ "okta/authBackendUser.ts", "okta/index.ts", "passwordPolicy.ts", + "pkisecret/backendAcmeEab.ts", + "pkisecret/backendConfigAcme.ts", "pkisecret/backendConfigCluster.ts", + "pkisecret/backendConfigCmpv2.ts", "pkisecret/backendConfigEst.ts", + "pkisecret/getBackendConfigCmpv2.ts", "pkisecret/getBackendConfigEst.ts", "pkisecret/getBackendIssuer.ts", "pkisecret/getBackendIssuers.ts", diff --git a/sdk/nodejs/types/input.ts b/sdk/nodejs/types/input.ts index a137cc0e..5cb615a3 100644 --- a/sdk/nodejs/types/input.ts +++ b/sdk/nodejs/types/input.ts @@ -1127,6 +1127,10 @@ export namespace database { * The root credential password used in the connection URL */ password?: pulumi.Input; + /** + * When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + */ + passwordAuthentication?: pulumi.Input; /** * The secret key used for the x509 client certificate. Must be PEM encoded. */ @@ -2192,6 +2196,10 @@ export namespace database { * The root credential password used in the connection URL */ password?: pulumi.Input; + /** + * When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + */ + passwordAuthentication?: pulumi.Input; /** * Specifies the name of the plugin to use. */ @@ -2899,6 +2907,13 @@ export namespace okta { } export namespace pkiSecret { + export interface BackendConfigCmpv2Authenticators { + /** + * "The accessor (required) and certRole (optional) properties for cert auth backends". + */ + cert?: pulumi.Input<{[key: string]: pulumi.Input}>; + } + export interface BackendConfigEstAuthenticators { /** * "The accessor (required) and certRole (optional) properties for cert auth backends". diff --git a/sdk/nodejs/types/output.ts b/sdk/nodejs/types/output.ts index 7c960b2b..71bfd114 100644 --- a/sdk/nodejs/types/output.ts +++ b/sdk/nodejs/types/output.ts 
@@ -1073,6 +1073,10 @@ export namespace database { * The root credential password used in the connection URL */ password?: string; + /** + * When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + */ + passwordAuthentication?: string; /** * The secret key used for the x509 client certificate. Must be PEM encoded. */ @@ -2138,6 +2142,10 @@ export namespace database { * The root credential password used in the connection URL */ password?: string; + /** + * When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + */ + passwordAuthentication?: string; /** * Specifies the name of the plugin to use. */ @@ -2895,6 +2903,13 @@ export namespace okta { } export namespace pkiSecret { + export interface BackendConfigCmpv2Authenticators { + /** + * "The accessor (required) and certRole (optional) properties for cert auth backends". + */ + cert?: {[key: string]: string}; + } + export interface BackendConfigEstAuthenticators { /** * "The accessor (required) and certRole (optional) properties for cert auth backends". @@ -2906,6 +2921,13 @@ export namespace pkiSecret { userpass?: {[key: string]: string}; } + export interface GetBackendConfigCmpv2Authenticator { + /** + * The accessor and certRole properties for cert auth backends + */ + cert?: {[key: string]: string}; + } + export interface GetBackendConfigEstAuthenticator { /** * "The accessor and certRole properties for cert auth backends". diff --git a/sdk/python/pulumi_vault/__init__.py b/sdk/python/pulumi_vault/__init__.py index dea765bb..96f8197f 100644 --- a/sdk/python/pulumi_vault/__init__.py +++ b/sdk/python/pulumi_vault/__init__.py 
@@ -1013,6 +1013,22 @@ "vault:okta/authBackendUser:AuthBackendUser": "AuthBackendUser" } }, + { + "pkg": "vault", + "mod": "pkiSecret/backendAcmeEab", + "fqn": "pulumi_vault.pkisecret", + "classes": { + "vault:pkiSecret/backendAcmeEab:BackendAcmeEab": "BackendAcmeEab" + } + }, + { + "pkg": "vault", + "mod": "pkiSecret/backendConfigAcme", + "fqn": "pulumi_vault.pkisecret", + "classes": { + "vault:pkiSecret/backendConfigAcme:BackendConfigAcme": "BackendConfigAcme" + } + }, { "pkg": "vault", "mod": "pkiSecret/backendConfigCluster", @@ -1021,6 +1037,14 @@ "vault:pkiSecret/backendConfigCluster:BackendConfigCluster": "BackendConfigCluster" } }, + { + "pkg": "vault", + "mod": "pkiSecret/backendConfigCmpv2", + "fqn": "pulumi_vault.pkisecret", + "classes": { + "vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2": "BackendConfigCmpv2" + } + }, { "pkg": "vault", "mod": "pkiSecret/backendConfigEst", diff --git a/sdk/python/pulumi_vault/aws/auth_backend_sts_role.py b/sdk/python/pulumi_vault/aws/auth_backend_sts_role.py index c0afae83..eb147bd3 100644 --- a/sdk/python/pulumi_vault/aws/auth_backend_sts_role.py +++ b/sdk/python/pulumi_vault/aws/auth_backend_sts_role.py @@ -22,6 +22,7 @@ def __init__(__self__, *, account_id: pulumi.Input[str], sts_role: pulumi.Input[str], backend: Optional[pulumi.Input[str]] = None, + external_id: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a AuthBackendStsRole resource. 
@@ -30,6 +31,7 @@ def __init__(__self__, *, by EC2 instances in the account specified by `account_id`. :param pulumi.Input[str] backend: The path the AWS auth backend being configured was mounted at. Defaults to `aws`. + :param pulumi.Input[str] external_id: External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. :param pulumi.Input[str] namespace: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). @@ -39,6 +41,8 @@ def __init__(__self__, *, pulumi.set(__self__, "sts_role", sts_role) if backend is not None: pulumi.set(__self__, "backend", backend) + if external_id is not None: + pulumi.set(__self__, "external_id", external_id) if namespace is not None: pulumi.set(__self__, "namespace", namespace) @@ -80,6 +84,18 @@ def backend(self) -> Optional[pulumi.Input[str]]: def backend(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "backend", value) + @property + @pulumi.getter(name="externalId") + def external_id(self) -> Optional[pulumi.Input[str]]: + """ + External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + """ + return pulumi.get(self, "external_id") + + @external_id.setter + def external_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "external_id", value) + @property @pulumi.getter def namespace(self) -> Optional[pulumi.Input[str]]: @@ -101,6 +117,7 @@ class _AuthBackendStsRoleState: def __init__(__self__, *, account_id: Optional[pulumi.Input[str]] = None, backend: Optional[pulumi.Input[str]] = None, + external_id: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, sts_role: Optional[pulumi.Input[str]] = None): """ 
@@ -108,6 +125,7 @@ def __init__(__self__, *, :param pulumi.Input[str] account_id: The AWS account ID to configure the STS role for. :param pulumi.Input[str] backend: The path the AWS auth backend being configured was mounted at. Defaults to `aws`. + :param pulumi.Input[str] external_id: External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. :param pulumi.Input[str] namespace: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). @@ -119,6 +137,8 @@ def __init__(__self__, *, pulumi.set(__self__, "account_id", account_id) if backend is not None: pulumi.set(__self__, "backend", backend) + if external_id is not None: + pulumi.set(__self__, "external_id", external_id) if namespace is not None: pulumi.set(__self__, "namespace", namespace) if sts_role is not None: @@ -149,6 +169,18 @@ def backend(self) -> Optional[pulumi.Input[str]]: def backend(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "backend", value) + @property + @pulumi.getter(name="externalId") + def external_id(self) -> Optional[pulumi.Input[str]]: + """ + External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + """ + return pulumi.get(self, "external_id") + + @external_id.setter + def external_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "external_id", value) + @property @pulumi.getter def namespace(self) -> Optional[pulumi.Input[str]]: 
@@ -185,6 +217,7 @@ def __init__(__self__, opts: Optional[pulumi.ResourceOptions] = None, account_id: Optional[pulumi.Input[str]] = None, backend: Optional[pulumi.Input[str]] = None, + external_id: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, sts_role: Optional[pulumi.Input[str]] = None, __props__=None): @@ -215,6 +248,7 @@ def __init__(__self__, :param pulumi.Input[str] account_id: The AWS account ID to configure the STS role for. :param pulumi.Input[str] backend: The path the AWS auth backend being configured was mounted at. Defaults to `aws`. + :param pulumi.Input[str] external_id: External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. :param pulumi.Input[str] namespace: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). @@ -267,6 +301,7 @@ def _internal_init(__self__, opts: Optional[pulumi.ResourceOptions] = None, account_id: Optional[pulumi.Input[str]] = None, backend: Optional[pulumi.Input[str]] = None, + external_id: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, sts_role: Optional[pulumi.Input[str]] = None, __props__=None): @@ -282,6 +317,7 @@ def _internal_init(__self__, raise TypeError("Missing required property 'account_id'") __props__.__dict__["account_id"] = account_id __props__.__dict__["backend"] = backend + __props__.__dict__["external_id"] = external_id __props__.__dict__["namespace"] = namespace if sts_role is None and not opts.urn: raise TypeError("Missing required property 'sts_role'") 
@@ -298,6 +334,7 @@ def get(resource_name: str, opts: Optional[pulumi.ResourceOptions] = None, account_id: Optional[pulumi.Input[str]] = None, backend: Optional[pulumi.Input[str]] = None, + external_id: Optional[pulumi.Input[str]] = None, namespace: Optional[pulumi.Input[str]] = None, sts_role: Optional[pulumi.Input[str]] = None) -> 'AuthBackendStsRole': """ @@ -310,6 +347,7 @@ def get(resource_name: str, :param pulumi.Input[str] account_id: The AWS account ID to configure the STS role for. :param pulumi.Input[str] backend: The path the AWS auth backend being configured was mounted at. Defaults to `aws`. + :param pulumi.Input[str] external_id: External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. :param pulumi.Input[str] namespace: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). @@ -323,6 +361,7 @@ def get(resource_name: str, __props__.__dict__["account_id"] = account_id __props__.__dict__["backend"] = backend + __props__.__dict__["external_id"] = external_id __props__.__dict__["namespace"] = namespace __props__.__dict__["sts_role"] = sts_role return AuthBackendStsRole(resource_name, opts=opts, __props__=__props__) @@ -344,6 +383,14 @@ def backend(self) -> pulumi.Output[Optional[str]]: """ return pulumi.get(self, "backend") + @property + @pulumi.getter(name="externalId") + def external_id(self) -> pulumi.Output[Optional[str]]: + """ + External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. + """ + return pulumi.get(self, "external_id") + @property @pulumi.getter def namespace(self) -> pulumi.Output[Optional[str]]: 
diff --git a/sdk/python/pulumi_vault/aws/secret_backend.py b/sdk/python/pulumi_vault/aws/secret_backend.py index bc0423a3..c5319060 100644 --- a/sdk/python/pulumi_vault/aws/secret_backend.py +++ b/sdk/python/pulumi_vault/aws/secret_backend.py @@ -35,6 +35,9 @@ def __init__(__self__, *, role_arn: Optional[pulumi.Input[str]] = None, secret_key: Optional[pulumi.Input[str]] = None, sts_endpoint: Optional[pulumi.Input[str]] = None, + sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_region: Optional[pulumi.Input[str]] = None, username_template: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a SecretBackend resource. @@ -71,6 +74,9 @@ def __init__(__self__, *, ``` :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials. :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use. + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: """ if access_key is not None: 
@@ -105,6 +111,12 @@ def __init__(__self__, *, pulumi.set(__self__, "secret_key", secret_key) if sts_endpoint is not None: pulumi.set(__self__, "sts_endpoint", sts_endpoint) + if sts_fallback_endpoints is not None: + pulumi.set(__self__, "sts_fallback_endpoints", sts_fallback_endpoints) + if sts_fallback_regions is not None: + pulumi.set(__self__, "sts_fallback_regions", sts_fallback_regions) + if sts_region is not None: + pulumi.set(__self__, "sts_region", sts_region) if username_template is not None: pulumi.set(__self__, "username_template", username_template) 
@@ -317,6 +329,42 @@ def sts_endpoint(self) -> Optional[pulumi.Input[str]]: def sts_endpoint(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "sts_endpoint", value) + @property + @pulumi.getter(name="stsFallbackEndpoints") + def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_fallback_endpoints") + + @sts_fallback_endpoints.setter + def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "sts_fallback_endpoints", value) + + @property + @pulumi.getter(name="stsFallbackRegions") + def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_fallback_regions") + + @sts_fallback_regions.setter + def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "sts_fallback_regions", value) + + @property + @pulumi.getter(name="stsRegion") + def sts_region(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_region") + + @sts_region.setter + def sts_region(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "sts_region", value) + @property @pulumi.getter(name="usernameTemplate") def username_template(self) -> Optional[pulumi.Input[str]]: 
@@ -349,6 +397,9 @@ def __init__(__self__, *, role_arn: Optional[pulumi.Input[str]] = None, secret_key: Optional[pulumi.Input[str]] = None, sts_endpoint: Optional[pulumi.Input[str]] = None, + sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_region: Optional[pulumi.Input[str]] = None, username_template: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering SecretBackend resources. @@ -385,6 +436,9 @@ def __init__(__self__, *, ``` :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials. :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use. + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: """ if access_key is not None: 
@@ -419,6 +473,12 @@ def __init__(__self__, *, pulumi.set(__self__, "secret_key", secret_key) if sts_endpoint is not None: pulumi.set(__self__, "sts_endpoint", sts_endpoint) + if sts_fallback_endpoints is not None: + pulumi.set(__self__, "sts_fallback_endpoints", sts_fallback_endpoints) + if sts_fallback_regions is not None: + pulumi.set(__self__, "sts_fallback_regions", sts_fallback_regions) + if sts_region is not None: + pulumi.set(__self__, "sts_region", sts_region) if username_template is not None: pulumi.set(__self__, "username_template", username_template) 
@@ -631,6 +691,42 @@ def sts_endpoint(self) -> Optional[pulumi.Input[str]]: def sts_endpoint(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "sts_endpoint", value) + @property + @pulumi.getter(name="stsFallbackEndpoints") + def sts_fallback_endpoints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_fallback_endpoints") + + @sts_fallback_endpoints.setter + def sts_fallback_endpoints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "sts_fallback_endpoints", value) + + @property + @pulumi.getter(name="stsFallbackRegions") + def sts_fallback_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_fallback_regions") + + @sts_fallback_regions.setter + def sts_fallback_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "sts_fallback_regions", value) + + @property + @pulumi.getter(name="stsRegion") + def sts_region(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_region") + + @sts_region.setter + def sts_region(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "sts_region", value) + @property @pulumi.getter(name="usernameTemplate") def username_template(self) -> Optional[pulumi.Input[str]]: 
@@ -665,6 +761,9 @@ def __init__(__self__, role_arn: Optional[pulumi.Input[str]] = None, secret_key: Optional[pulumi.Input[str]] = None, sts_endpoint: Optional[pulumi.Input[str]] = None, + sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_region: Optional[pulumi.Input[str]] = None, username_template: Optional[pulumi.Input[str]] = None, __props__=None): """ @@ -711,6 +810,9 @@ def __init__(__self__, ``` :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials. :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use. + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: """ ... 
@@ -759,6 +861,9 @@ def _internal_init(__self__, role_arn: Optional[pulumi.Input[str]] = None, secret_key: Optional[pulumi.Input[str]] = None, sts_endpoint: Optional[pulumi.Input[str]] = None, + sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_region: Optional[pulumi.Input[str]] = None, username_template: Optional[pulumi.Input[str]] = None, __props__=None): opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) @@ -785,6 +890,9 @@ def _internal_init(__self__, __props__.__dict__["role_arn"] = role_arn __props__.__dict__["secret_key"] = None if secret_key is None else pulumi.Output.secret(secret_key) __props__.__dict__["sts_endpoint"] = sts_endpoint + __props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints + __props__.__dict__["sts_fallback_regions"] = sts_fallback_regions + __props__.__dict__["sts_region"] = sts_region __props__.__dict__["username_template"] = username_template secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["accessKey", "secretKey"]) opts = pulumi.ResourceOptions.merge(opts, secret_opts) @@ -814,6 +922,9 @@ def get(resource_name: str, role_arn: Optional[pulumi.Input[str]] = None, secret_key: Optional[pulumi.Input[str]] = None, sts_endpoint: Optional[pulumi.Input[str]] = None, + sts_fallback_endpoints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_fallback_regions: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + sts_region: Optional[pulumi.Input[str]] = None, username_template: Optional[pulumi.Input[str]] = None) -> 'SecretBackend': """ Get an existing SecretBackend resource's state with the given name, id, and optional extra 
@@ -855,6 +966,9 @@ def get(resource_name: str, ``` :param pulumi.Input[str] secret_key: The AWS Secret Access Key to use when generating new credentials. :param pulumi.Input[str] sts_endpoint: Specifies a custom HTTP STS endpoint to use. + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_endpoints: Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + :param pulumi.Input[Sequence[pulumi.Input[str]]] sts_fallback_regions: Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + :param pulumi.Input[str] sts_region: Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ :param pulumi.Input[str] username_template: Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -877,6 +991,9 @@ def get(resource_name: str, __props__.__dict__["role_arn"] = role_arn __props__.__dict__["secret_key"] = secret_key __props__.__dict__["sts_endpoint"] = sts_endpoint + __props__.__dict__["sts_fallback_endpoints"] = sts_fallback_endpoints + __props__.__dict__["sts_fallback_regions"] = sts_fallback_regions + __props__.__dict__["sts_region"] = sts_region __props__.__dict__["username_template"] = username_template return SecretBackend(resource_name, opts=opts, __props__=__props__) 
@@ -1025,6 +1142,30 @@ def sts_endpoint(self) -> pulumi.Output[Optional[str]]: """ return pulumi.get(self, "sts_endpoint") + @property + @pulumi.getter(name="stsFallbackEndpoints") + def sts_fallback_endpoints(self) -> pulumi.Output[Optional[Sequence[str]]]: + """ + Ordered list of `sts_endpoint`s to try if the defined one fails. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_fallback_endpoints") + + @property + @pulumi.getter(name="stsFallbackRegions") + def sts_fallback_regions(self) -> pulumi.Output[Optional[Sequence[str]]]: + """ + Ordered list of `sts_region`s matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_fallback_regions") + + @property + @pulumi.getter(name="stsRegion") + def sts_region(self) -> pulumi.Output[Optional[str]]: + """ + Specifies the region of the STS endpoint. Should be included if `sts_endpoint` is supplied. Requires Vault 1.19+ + """ + return pulumi.get(self, "sts_region") + @property @pulumi.getter(name="usernameTemplate") def username_template(self) -> pulumi.Output[str]: diff --git a/sdk/python/pulumi_vault/database/_inputs.py b/sdk/python/pulumi_vault/database/_inputs.py index 5c5aaa46..cadcfc38 100644 --- a/sdk/python/pulumi_vault/database/_inputs.py +++ b/sdk/python/pulumi_vault/database/_inputs.py @@ -2625,6 +2625,10 @@ class SecretBackendConnectionPostgresqlArgsDict(TypedDict): """ The root credential password used in the connection URL """ + password_authentication: NotRequired[pulumi.Input[str]] + """ + When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + """ private_key: NotRequired[pulumi.Input[str]] """ The secret key used for the x509 client certificate. Must be PEM encoded. 
@@ -2666,6 +2670,7 @@ def __init__(__self__, *, max_idle_connections: Optional[pulumi.Input[int]] = None, max_open_connections: Optional[pulumi.Input[int]] = None, password: Optional[pulumi.Input[str]] = None, + password_authentication: Optional[pulumi.Input[str]] = None, private_key: Optional[pulumi.Input[str]] = None, self_managed: Optional[pulumi.Input[bool]] = None, service_account_json: Optional[pulumi.Input[str]] = None, @@ -2681,6 +2686,7 @@ def __init__(__self__, *, :param pulumi.Input[int] max_idle_connections: Maximum number of idle connections to the database. :param pulumi.Input[int] max_open_connections: Maximum number of open connections to the database. :param pulumi.Input[str] password: The root credential password used in the connection URL + :param pulumi.Input[str] password_authentication: When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. :param pulumi.Input[str] private_key: The secret key used for the x509 client certificate. Must be PEM encoded. :param pulumi.Input[bool] self_managed: If set, allows onboarding static roles with a rootless connection configuration. :param pulumi.Input[str] service_account_json: A JSON encoded credential for use with IAM authorization @@ -2703,6 +2709,8 @@ def __init__(__self__, *, pulumi.set(__self__, "max_open_connections", max_open_connections) if password is not None: pulumi.set(__self__, "password", password) + if password_authentication is not None: + pulumi.set(__self__, "password_authentication", password_authentication) if private_key is not None: pulumi.set(__self__, "private_key", private_key) if self_managed is not None: 
@@ -2802,6 +2810,18 @@ def password(self) -> Optional[pulumi.Input[str]]: def password(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "password", value) + @property + @pulumi.getter(name="passwordAuthentication") + def password_authentication(self) -> Optional[pulumi.Input[str]]: + """ + When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + """ + return pulumi.get(self, "password_authentication") + + @password_authentication.setter + def password_authentication(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "password_authentication", value) + @property @pulumi.getter(name="privateKey") def private_key(self) -> Optional[pulumi.Input[str]]: @@ -7703,6 +7723,10 @@ class SecretsMountPostgresqlArgsDict(TypedDict): """ The root credential password used in the connection URL """ + password_authentication: NotRequired[pulumi.Input[str]] + """ + When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + """ plugin_name: NotRequired[pulumi.Input[str]] """ Specifies the name of the plugin to use. @@ -7760,6 +7784,7 @@ def __init__(__self__, *, max_idle_connections: Optional[pulumi.Input[int]] = None, max_open_connections: Optional[pulumi.Input[int]] = None, password: Optional[pulumi.Input[str]] = None, + password_authentication: Optional[pulumi.Input[str]] = None, plugin_name: Optional[pulumi.Input[str]] = None, private_key: Optional[pulumi.Input[str]] = None, root_rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, 
@@ -7784,6 +7809,7 @@ def __init__(__self__, *, :param pulumi.Input[int] max_idle_connections: Maximum number of idle connections to the database. :param pulumi.Input[int] max_open_connections: Maximum number of open connections to the database. :param pulumi.Input[str] password: The root credential password used in the connection URL + :param pulumi.Input[str] password_authentication: When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. :param pulumi.Input[str] plugin_name: Specifies the name of the plugin to use. :param pulumi.Input[str] private_key: The secret key used for the x509 client certificate. Must be PEM encoded. :param pulumi.Input[Sequence[pulumi.Input[str]]] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials. @@ -7815,6 +7841,8 @@ def __init__(__self__, *, pulumi.set(__self__, "max_open_connections", max_open_connections) if password is not None: pulumi.set(__self__, "password", password) + if password_authentication is not None: + pulumi.set(__self__, "password_authentication", password_authentication) if plugin_name is not None: pulumi.set(__self__, "plugin_name", plugin_name) if private_key is not None: @@ -7959,6 +7987,18 @@ def password(self) -> Optional[pulumi.Input[str]]: def password(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "password", value) + @property + @pulumi.getter(name="passwordAuthentication") + def password_authentication(self) -> Optional[pulumi.Input[str]]: + """ + When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + """ + return pulumi.get(self, "password_authentication") + + @password_authentication.setter + def password_authentication(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "password_authentication", value) + @property @pulumi.getter(name="pluginName") def plugin_name(self) -> Optional[pulumi.Input[str]]: 
diff --git a/sdk/python/pulumi_vault/database/outputs.py b/sdk/python/pulumi_vault/database/outputs.py index 2c6f2d36..73f0a586 100644 --- a/sdk/python/pulumi_vault/database/outputs.py +++ b/sdk/python/pulumi_vault/database/outputs.py @@ -1928,6 +1928,8 @@ def __key_warning(key: str): suggest = "max_idle_connections" elif key == "maxOpenConnections": suggest = "max_open_connections" + elif key == "passwordAuthentication": + suggest = "password_authentication" elif key == "privateKey": suggest = "private_key" elif key == "selfManaged": @@ -1960,6 +1962,7 @@ def __init__(__self__, *, max_idle_connections: Optional[int] = None, max_open_connections: Optional[int] = None, password: Optional[str] = None, + password_authentication: Optional[str] = None, private_key: Optional[str] = None, self_managed: Optional[bool] = None, service_account_json: Optional[str] = None, @@ -1975,6 +1978,7 @@ def __init__(__self__, *, :param int max_idle_connections: Maximum number of idle connections to the database. :param int max_open_connections: Maximum number of open connections to the database. :param str password: The root credential password used in the connection URL + :param str password_authentication: When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. :param str private_key: The secret key used for the x509 client certificate. Must be PEM encoded. :param bool self_managed: If set, allows onboarding static roles with a rootless connection configuration. :param str service_account_json: A JSON encoded credential for use with IAM authorization 
@@ -1997,6 +2001,8 @@ def __init__(__self__, *, pulumi.set(__self__, "max_open_connections", max_open_connections) if password is not None: pulumi.set(__self__, "password", password) + if password_authentication is not None: + pulumi.set(__self__, "password_authentication", password_authentication) if private_key is not None: pulumi.set(__self__, "private_key", private_key) if self_managed is not None: @@ -2068,6 +2074,14 @@ def password(self) -> Optional[str]: """ return pulumi.get(self, "password") + @property + @pulumi.getter(name="passwordAuthentication") + def password_authentication(self) -> Optional[str]: + """ + When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + """ + return pulumi.get(self, "password_authentication") + @property @pulumi.getter(name="privateKey") def private_key(self) -> Optional[str]: @@ -5540,6 +5554,8 @@ def __key_warning(key: str): suggest = "max_idle_connections" elif key == "maxOpenConnections": suggest = "max_open_connections" + elif key == "passwordAuthentication": + suggest = "password_authentication" elif key == "pluginName": suggest = "plugin_name" elif key == "privateKey": @@ -5581,6 +5597,7 @@ def __init__(__self__, *, max_idle_connections: Optional[int] = None, max_open_connections: Optional[int] = None, password: Optional[str] = None, + password_authentication: Optional[str] = None, plugin_name: Optional[str] = None, private_key: Optional[str] = None, root_rotation_statements: Optional[Sequence[str]] = None, 
@@ -5605,6 +5622,7 @@ def __init__(__self__, *, :param int max_idle_connections: Maximum number of idle connections to the database. :param int max_open_connections: Maximum number of open connections to the database. :param str password: The root credential password used in the connection URL + :param str password_authentication: When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. :param str plugin_name: Specifies the name of the plugin to use. :param str private_key: The secret key used for the x509 client certificate. Must be PEM encoded. :param Sequence[str] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials. @@ -5636,6 +5654,8 @@ def __init__(__self__, *, pulumi.set(__self__, "max_open_connections", max_open_connections) if password is not None: pulumi.set(__self__, "password", password) + if password_authentication is not None: + pulumi.set(__self__, "password_authentication", password_authentication) if plugin_name is not None: pulumi.set(__self__, "plugin_name", plugin_name) if private_key is not None: @@ -5740,6 +5760,14 @@ def password(self) -> Optional[str]: """ return pulumi.get(self, "password") + @property + @pulumi.getter(name="passwordAuthentication") + def password_authentication(self) -> Optional[str]: + """ + When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL. + """ + return pulumi.get(self, "password_authentication") + @property @pulumi.getter(name="pluginName") def plugin_name(self) -> Optional[str]: diff --git a/sdk/python/pulumi_vault/pkisecret/__init__.py b/sdk/python/pulumi_vault/pkisecret/__init__.py index 22d4def4..f110da4b 100644 --- a/sdk/python/pulumi_vault/pkisecret/__init__.py +++ b/sdk/python/pulumi_vault/pkisecret/__init__.py 
@@ -5,8 +5,12 @@ from .. import _utilities import typing # Export this package's modules as members: +from .backend_acme_eab import * +from .backend_config_acme import * from .backend_config_cluster import * +from .backend_config_cmpv2 import * from .backend_config_est import * +from .get_backend_config_cmpv2 import * from .get_backend_config_est import * from .get_backend_issuer import * from .get_backend_issuers import * diff --git a/sdk/python/pulumi_vault/pkisecret/_inputs.py b/sdk/python/pulumi_vault/pkisecret/_inputs.py index 7b5bef23..2078bc5c 100644 --- a/sdk/python/pulumi_vault/pkisecret/_inputs.py +++ b/sdk/python/pulumi_vault/pkisecret/_inputs.py @@ -15,6 +15,8 @@ from .. import _utilities __all__ = [ + 'BackendConfigCmpv2AuthenticatorsArgs', + 'BackendConfigCmpv2AuthenticatorsArgsDict', 'BackendConfigEstAuthenticatorsArgs', 'BackendConfigEstAuthenticatorsArgsDict', 'SecretBackendRolePolicyIdentifierArgs', 
@@ -23,6 +25,38 @@ MYPY = False +if not MYPY: + class BackendConfigCmpv2AuthenticatorsArgsDict(TypedDict): + cert: NotRequired[pulumi.Input[Mapping[str, pulumi.Input[str]]]] + """ + "The accessor (required) and cert_role (optional) properties for cert auth backends". + """ +elif False: + BackendConfigCmpv2AuthenticatorsArgsDict: TypeAlias = Mapping[str, Any] + +@pulumi.input_type +class BackendConfigCmpv2AuthenticatorsArgs: + def __init__(__self__, *, + cert: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None): + """ + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] cert: "The accessor (required) and cert_role (optional) properties for cert auth backends". + """ + if cert is not None: + pulumi.set(__self__, "cert", cert) + + @property + @pulumi.getter + def cert(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]: + """ + "The accessor (required) and cert_role (optional) properties for cert auth backends". + """ + return pulumi.get(self, "cert") + + @cert.setter + def cert(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]): + pulumi.set(self, "cert", value) + + if not MYPY: class BackendConfigEstAuthenticatorsArgsDict(TypedDict): cert: NotRequired[pulumi.Input[Mapping[str, pulumi.Input[str]]]] diff --git a/sdk/python/pulumi_vault/pkisecret/backend_acme_eab.py b/sdk/python/pulumi_vault/pkisecret/backend_acme_eab.py new file mode 100644 index 00000000..5f237cd8 --- /dev/null +++ b/sdk/python/pulumi_vault/pkisecret/backend_acme_eab.py 
@@ -0,0 +1,549 @@ +# coding=utf-8 +# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +# *** Do not edit by hand unless you're certain you know what you are doing! *** + +import copy +import warnings +import sys +import pulumi +import pulumi.runtime +from typing import Any, Mapping, Optional, Sequence, Union, overload +if sys.version_info >= (3, 11): + from typing import NotRequired, TypedDict, TypeAlias +else: + from typing_extensions import NotRequired, TypedDict, TypeAlias +from .. import _utilities + +__all__ = ['BackendAcmeEabArgs', 'BackendAcmeEab'] + +@pulumi.input_type +class BackendAcmeEabArgs: + def __init__(__self__, *, + backend: pulumi.Input[str], + issuer: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None, + role: Optional[pulumi.Input[str]] = None): + """ + The set of arguments for constructing a BackendAcmeEab resource. + :param pulumi.Input[str] backend: The path to the PKI secret backend to + create the EAB token within, with no leading or trailing `/`s. + :param pulumi.Input[str] issuer: Create an EAB token that is specific to an issuer's ACME directory. + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + :param pulumi.Input[str] role: Create an EAB token that is specific to a role's ACME directory. + + **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + + 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + 4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + """ + pulumi.set(__self__, "backend", backend) + if issuer is not None: + pulumi.set(__self__, "issuer", issuer) + if namespace is not None: + pulumi.set(__self__, "namespace", namespace) + if role is not None: + pulumi.set(__self__, "role", role) + + @property + @pulumi.getter + def backend(self) -> pulumi.Input[str]: + """ + The path to the PKI secret backend to + create the EAB token within, with no leading or trailing `/`s. + """ + return pulumi.get(self, "backend") + + @backend.setter + def backend(self, value: pulumi.Input[str]): + pulumi.set(self, "backend", value) + + @property + @pulumi.getter + def issuer(self) -> Optional[pulumi.Input[str]]: + """ + Create an EAB token that is specific to an issuer's ACME directory. + """ + return pulumi.get(self, "issuer") + + @issuer.setter + def issuer(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "issuer", value) + + @property + @pulumi.getter + def namespace(self) -> Optional[pulumi.Input[str]]: + """ + The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + return pulumi.get(self, "namespace") + + @namespace.setter + def namespace(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "namespace", value) + + @property + @pulumi.getter + def role(self) -> Optional[pulumi.Input[str]]: + """ + Create an EAB token that is specific to a role's ACME directory. + + **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + + 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + 2. 
Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + """ + return pulumi.get(self, "role") + + @role.setter + def role(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "role", value) + + +@pulumi.input_type +class _BackendAcmeEabState: + def __init__(__self__, *, + acme_directory: Optional[pulumi.Input[str]] = None, + backend: Optional[pulumi.Input[str]] = None, + created_on: Optional[pulumi.Input[str]] = None, + eab_id: Optional[pulumi.Input[str]] = None, + issuer: Optional[pulumi.Input[str]] = None, + key: Optional[pulumi.Input[str]] = None, + key_type: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None, + role: Optional[pulumi.Input[str]] = None): + """ + Input properties used for looking up and filtering BackendAcmeEab resources. + :param pulumi.Input[str] acme_directory: The ACME directory to which the key belongs + :param pulumi.Input[str] backend: The path to the PKI secret backend to + create the EAB token within, with no leading or trailing `/`s. + :param pulumi.Input[str] created_on: An RFC3339 formatted date time when the EAB token was created + :param pulumi.Input[str] eab_id: The identifier of a specific ACME EAB token + :param pulumi.Input[str] issuer: Create an EAB token that is specific to an issuer's ACME directory. + :param pulumi.Input[str] key: The EAB token + :param pulumi.Input[str] key_type: The key type of the EAB key + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). 
+ *Available only for Vault Enterprise*. + :param pulumi.Input[str] role: Create an EAB token that is specific to a role's ACME directory. + + **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + + 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + """ + if acme_directory is not None: + pulumi.set(__self__, "acme_directory", acme_directory) + if backend is not None: + pulumi.set(__self__, "backend", backend) + if created_on is not None: + pulumi.set(__self__, "created_on", created_on) + if eab_id is not None: + pulumi.set(__self__, "eab_id", eab_id) + if issuer is not None: + pulumi.set(__self__, "issuer", issuer) + if key is not None: + pulumi.set(__self__, "key", key) + if key_type is not None: + pulumi.set(__self__, "key_type", key_type) + if namespace is not None: + pulumi.set(__self__, "namespace", namespace) + if role is not None: + pulumi.set(__self__, "role", role) + + @property + @pulumi.getter(name="acmeDirectory") + def acme_directory(self) -> Optional[pulumi.Input[str]]: + """ + The ACME directory to which the key belongs + """ + return pulumi.get(self, "acme_directory") + + @acme_directory.setter + def acme_directory(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "acme_directory", value) + + @property + @pulumi.getter + def backend(self) -> Optional[pulumi.Input[str]]: + """ + The path to the PKI secret backend to + create the EAB token within, with no leading or trailing `/`s. 
+ """ + return pulumi.get(self, "backend") + + @backend.setter + def backend(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "backend", value) + + @property + @pulumi.getter(name="createdOn") + def created_on(self) -> Optional[pulumi.Input[str]]: + """ + An RFC3339 formatted date time when the EAB token was created + """ + return pulumi.get(self, "created_on") + + @created_on.setter + def created_on(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "created_on", value) + + @property + @pulumi.getter(name="eabId") + def eab_id(self) -> Optional[pulumi.Input[str]]: + """ + The identifier of a specific ACME EAB token + """ + return pulumi.get(self, "eab_id") + + @eab_id.setter + def eab_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "eab_id", value) + + @property + @pulumi.getter + def issuer(self) -> Optional[pulumi.Input[str]]: + """ + Create an EAB token that is specific to an issuer's ACME directory. + """ + return pulumi.get(self, "issuer") + + @issuer.setter + def issuer(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "issuer", value) + + @property + @pulumi.getter + def key(self) -> Optional[pulumi.Input[str]]: + """ + The EAB token + """ + return pulumi.get(self, "key") + + @key.setter + def key(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "key", value) + + @property + @pulumi.getter(name="keyType") + def key_type(self) -> Optional[pulumi.Input[str]]: + """ + The key type of the EAB key + """ + return pulumi.get(self, "key_type") + + @key_type.setter + def key_type(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "key_type", value) + + @property + @pulumi.getter + def namespace(self) -> Optional[pulumi.Input[str]]: + """ + The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). 
+ *Available only for Vault Enterprise*. + """ + return pulumi.get(self, "namespace") + + @namespace.setter + def namespace(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "namespace", value) + + @property + @pulumi.getter + def role(self) -> Optional[pulumi.Input[str]]: + """ + Create an EAB token that is specific to a role's ACME directory. + + **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + + 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + """ + return pulumi.get(self, "role") + + @role.setter + def role(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "role", value) + + +class BackendAcmeEab(pulumi.CustomResource): + @overload + def __init__(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + backend: Optional[pulumi.Input[str]] = None, + issuer: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None, + role: Optional[pulumi.Input[str]] = None, + __props__=None): + """ + Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones. + + ## Example Usage + + ```python + import pulumi + import pulumi_vault as vault + + test = vault.Mount("test", + path="pki", + type="pki", + description="PKI secret engine mount") + test_backend_acme_eab = vault.pki_secret.BackendAcmeEab("test", backend=test.path) + ``` + + ## Import + + As EAB tokens are only available on initial creation there is no possibility to + + import or update this resource. + + :param str resource_name: The name of the resource. 
+ :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] backend: The path to the PKI secret backend to + create the EAB token within, with no leading or trailing `/`s. + :param pulumi.Input[str] issuer: Create an EAB token that is specific to an issuer's ACME directory. + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + :param pulumi.Input[str] role: Create an EAB token that is specific to a role's ACME directory. + + **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + + 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + """ + ... + @overload + def __init__(__self__, + resource_name: str, + args: BackendAcmeEabArgs, + opts: Optional[pulumi.ResourceOptions] = None): + """ + Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones. + + ## Example Usage + + ```python + import pulumi + import pulumi_vault as vault + + test = vault.Mount("test", + path="pki", + type="pki", + description="PKI secret engine mount") + test_backend_acme_eab = vault.pki_secret.BackendAcmeEab("test", backend=test.path) + ``` + + ## Import + + As EAB tokens are only available on initial creation there is no possibility to + + import or update this resource. + + :param str resource_name: The name of the resource. 
+ :param BackendAcmeEabArgs args: The arguments to use to populate this resource's properties. + :param pulumi.ResourceOptions opts: Options for the resource. + """ + ... + def __init__(__self__, resource_name: str, *args, **kwargs): + resource_args, opts = _utilities.get_resource_args_opts(BackendAcmeEabArgs, pulumi.ResourceOptions, *args, **kwargs) + if resource_args is not None: + __self__._internal_init(resource_name, opts, **resource_args.__dict__) + else: + __self__._internal_init(resource_name, *args, **kwargs) + + def _internal_init(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + backend: Optional[pulumi.Input[str]] = None, + issuer: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None, + role: Optional[pulumi.Input[str]] = None, + __props__=None): + opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) + if not isinstance(opts, pulumi.ResourceOptions): + raise TypeError('Expected resource options to be a ResourceOptions instance') + if opts.id is None: + if __props__ is not None: + raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource') + __props__ = BackendAcmeEabArgs.__new__(BackendAcmeEabArgs) + + if backend is None and not opts.urn: + raise TypeError("Missing required property 'backend'") + __props__.__dict__["backend"] = backend + __props__.__dict__["issuer"] = issuer + __props__.__dict__["namespace"] = namespace + __props__.__dict__["role"] = role + __props__.__dict__["acme_directory"] = None + __props__.__dict__["created_on"] = None + __props__.__dict__["eab_id"] = None + __props__.__dict__["key"] = None + __props__.__dict__["key_type"] = None + secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["key"]) + opts = pulumi.ResourceOptions.merge(opts, secret_opts) + super(BackendAcmeEab, __self__).__init__( + 'vault:pkiSecret/backendAcmeEab:BackendAcmeEab', + resource_name, + __props__, 
+ opts) + + @staticmethod + def get(resource_name: str, + id: pulumi.Input[str], + opts: Optional[pulumi.ResourceOptions] = None, + acme_directory: Optional[pulumi.Input[str]] = None, + backend: Optional[pulumi.Input[str]] = None, + created_on: Optional[pulumi.Input[str]] = None, + eab_id: Optional[pulumi.Input[str]] = None, + issuer: Optional[pulumi.Input[str]] = None, + key: Optional[pulumi.Input[str]] = None, + key_type: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None, + role: Optional[pulumi.Input[str]] = None) -> 'BackendAcmeEab': + """ + Get an existing BackendAcmeEab resource's state with the given name, id, and optional extra + properties used to qualify the lookup. + + :param str resource_name: The unique name of the resulting resource. + :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. + :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] acme_directory: The ACME directory to which the key belongs + :param pulumi.Input[str] backend: The path to the PKI secret backend to + create the EAB token within, with no leading or trailing `/`s. + :param pulumi.Input[str] created_on: An RFC3339 formatted date time when the EAB token was created + :param pulumi.Input[str] eab_id: The identifier of a specific ACME EAB token + :param pulumi.Input[str] issuer: Create an EAB token that is specific to an issuer's ACME directory. + :param pulumi.Input[str] key: The EAB token + :param pulumi.Input[str] key_type: The key type of the EAB key + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + :param pulumi.Input[str] role: Create an EAB token that is specific to a role's ACME directory. 
+ + **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + + 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + 4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + """ + opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) + + __props__ = _BackendAcmeEabState.__new__(_BackendAcmeEabState) + + __props__.__dict__["acme_directory"] = acme_directory + __props__.__dict__["backend"] = backend + __props__.__dict__["created_on"] = created_on + __props__.__dict__["eab_id"] = eab_id + __props__.__dict__["issuer"] = issuer + __props__.__dict__["key"] = key + __props__.__dict__["key_type"] = key_type + __props__.__dict__["namespace"] = namespace + __props__.__dict__["role"] = role + return BackendAcmeEab(resource_name, opts=opts, __props__=__props__) + + @property + @pulumi.getter(name="acmeDirectory") + def acme_directory(self) -> pulumi.Output[str]: + """ + The ACME directory to which the key belongs + """ + return pulumi.get(self, "acme_directory") + + @property + @pulumi.getter + def backend(self) -> pulumi.Output[str]: + """ + The path to the PKI secret backend to + create the EAB token within, with no leading or trailing `/`s. 
+ """ + return pulumi.get(self, "backend") + + @property + @pulumi.getter(name="createdOn") + def created_on(self) -> pulumi.Output[str]: + """ + An RFC3339 formatted date time when the EAB token was created + """ + return pulumi.get(self, "created_on") + + @property + @pulumi.getter(name="eabId") + def eab_id(self) -> pulumi.Output[str]: + """ + The identifier of a specific ACME EAB token + """ + return pulumi.get(self, "eab_id") + + @property + @pulumi.getter + def issuer(self) -> pulumi.Output[Optional[str]]: + """ + Create an EAB token that is specific to an issuer's ACME directory. + """ + return pulumi.get(self, "issuer") + + @property + @pulumi.getter + def key(self) -> pulumi.Output[str]: + """ + The EAB token + """ + return pulumi.get(self, "key") + + @property + @pulumi.getter(name="keyType") + def key_type(self) -> pulumi.Output[str]: + """ + The key type of the EAB key + """ + return pulumi.get(self, "key_type") + + @property + @pulumi.getter + def namespace(self) -> pulumi.Output[Optional[str]]: + """ + The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + return pulumi.get(self, "namespace") + + @property + @pulumi.getter + def role(self) -> pulumi.Output[Optional[str]]: + """ + Create an EAB token that is specific to a role's ACME directory. + + **NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with; + + 1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters. + 2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter + 3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter + 4. 
Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters + """ + return pulumi.get(self, "role") + diff --git a/sdk/python/pulumi_vault/pkisecret/backend_config_acme.py b/sdk/python/pulumi_vault/pkisecret/backend_config_acme.py new file mode 100644 index 00000000..94e19743 --- /dev/null +++ b/sdk/python/pulumi_vault/pkisecret/backend_config_acme.py 
@@ -0,0 +1,642 @@ +# coding=utf-8 +# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +# *** Do not edit by hand unless you're certain you know what you are doing! *** + +import copy +import warnings +import sys +import pulumi +import pulumi.runtime +from typing import Any, Mapping, Optional, Sequence, Union, overload +if sys.version_info >= (3, 11): + from typing import NotRequired, TypedDict, TypeAlias +else: + from typing_extensions import NotRequired, TypedDict, TypeAlias +from .. import _utilities + +__all__ = ['BackendConfigAcmeArgs', 'BackendConfigAcme'] + +@pulumi.input_type +class BackendConfigAcmeArgs: + def __init__(__self__, *, + backend: pulumi.Input[str], + enabled: pulumi.Input[bool], + allow_role_ext_key_usage: Optional[pulumi.Input[bool]] = None, + allowed_issuers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + allowed_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + default_directory_policy: Optional[pulumi.Input[str]] = None, + dns_resolver: Optional[pulumi.Input[str]] = None, + eab_policy: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None): + """ + The set of arguments for constructing a BackendConfigAcme resource. + :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + :param pulumi.Input[bool] enabled: Specifies whether ACME is enabled. + :param pulumi.Input[bool] allow_role_ext_key_usage: Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_issuers: Specifies which issuers are allowed for use with ACME. + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_roles: Specifies which roles are allowed for use with ACME. + :param pulumi.Input[str] default_directory_policy: Specifies the policy to be used for non-role-qualified ACME requests. 
+ Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + :param pulumi.Input[str] dns_resolver: DNS resolver to use for domain resolution on this mount. + Must be in the format `:`, with both parts mandatory. + :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour. + Allowed values are `not-required`, `new-account-required` or `always-required`. + :param pulumi.Input[str] namespace: The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + *Available only for Vault Enterprise*. + """ + pulumi.set(__self__, "backend", backend) + pulumi.set(__self__, "enabled", enabled) + if allow_role_ext_key_usage is not None: + pulumi.set(__self__, "allow_role_ext_key_usage", allow_role_ext_key_usage) + if allowed_issuers is not None: + pulumi.set(__self__, "allowed_issuers", allowed_issuers) + if allowed_roles is not None: + pulumi.set(__self__, "allowed_roles", allowed_roles) + if default_directory_policy is not None: + pulumi.set(__self__, "default_directory_policy", default_directory_policy) + if dns_resolver is not None: + pulumi.set(__self__, "dns_resolver", dns_resolver) + if eab_policy is not None: + pulumi.set(__self__, "eab_policy", eab_policy) + if namespace is not None: + pulumi.set(__self__, "namespace", namespace) + + @property + @pulumi.getter + def backend(self) -> pulumi.Input[str]: + """ + The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + """ + return pulumi.get(self, "backend") + + @backend.setter + def backend(self, value: pulumi.Input[str]): + pulumi.set(self, "backend", value) + + @property + @pulumi.getter + def enabled(self) -> pulumi.Input[bool]: + """ + Specifies whether ACME is enabled. 
+ """ + return pulumi.get(self, "enabled") + + @enabled.setter + def enabled(self, value: pulumi.Input[bool]): + pulumi.set(self, "enabled", value) + + @property + @pulumi.getter(name="allowRoleExtKeyUsage") + def allow_role_ext_key_usage(self) -> Optional[pulumi.Input[bool]]: + """ + Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + """ + return pulumi.get(self, "allow_role_ext_key_usage") + + @allow_role_ext_key_usage.setter + def allow_role_ext_key_usage(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "allow_role_ext_key_usage", value) + + @property + @pulumi.getter(name="allowedIssuers") + def allowed_issuers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Specifies which issuers are allowed for use with ACME. + """ + return pulumi.get(self, "allowed_issuers") + + @allowed_issuers.setter + def allowed_issuers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "allowed_issuers", value) + + @property + @pulumi.getter(name="allowedRoles") + def allowed_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Specifies which roles are allowed for use with ACME. + """ + return pulumi.get(self, "allowed_roles") + + @allowed_roles.setter + def allowed_roles(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "allowed_roles", value) + + @property + @pulumi.getter(name="defaultDirectoryPolicy") + def default_directory_policy(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the policy to be used for non-role-qualified ACME requests. + Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. 
+ """ + return pulumi.get(self, "default_directory_policy") + + @default_directory_policy.setter + def default_directory_policy(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "default_directory_policy", value) + + @property + @pulumi.getter(name="dnsResolver") + def dns_resolver(self) -> Optional[pulumi.Input[str]]: + """ + DNS resolver to use for domain resolution on this mount. + Must be in the format `:`, with both parts mandatory. + """ + return pulumi.get(self, "dns_resolver") + + @dns_resolver.setter + def dns_resolver(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "dns_resolver", value) + + @property + @pulumi.getter(name="eabPolicy") + def eab_policy(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the policy to use for external account binding behaviour. + Allowed values are `not-required`, `new-account-required` or `always-required`. + """ + return pulumi.get(self, "eab_policy") + + @eab_policy.setter + def eab_policy(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "eab_policy", value) + + @property + @pulumi.getter + def namespace(self) -> Optional[pulumi.Input[str]]: + """ + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + *Available only for Vault Enterprise*. 
+ """ + return pulumi.get(self, "namespace") + + @namespace.setter + def namespace(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "namespace", value) + + +@pulumi.input_type +class _BackendConfigAcmeState: + def __init__(__self__, *, + allow_role_ext_key_usage: Optional[pulumi.Input[bool]] = None, + allowed_issuers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + allowed_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + backend: Optional[pulumi.Input[str]] = None, + default_directory_policy: Optional[pulumi.Input[str]] = None, + dns_resolver: Optional[pulumi.Input[str]] = None, + eab_policy: Optional[pulumi.Input[str]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + namespace: Optional[pulumi.Input[str]] = None): + """ + Input properties used for looking up and filtering BackendConfigAcme resources. + :param pulumi.Input[bool] allow_role_ext_key_usage: Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_issuers: Specifies which issuers are allowed for use with ACME. + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_roles: Specifies which roles are allowed for use with ACME. + :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + :param pulumi.Input[str] default_directory_policy: Specifies the policy to be used for non-role-qualified ACME requests. + Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + :param pulumi.Input[str] dns_resolver: DNS resolver to use for domain resolution on this mount. + Must be in the format `:`, with both parts mandatory. + :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour. + Allowed values are `not-required`, `new-account-required` or `always-required`. + :param pulumi.Input[bool] enabled: Specifies whether ACME is enabled. 
+ :param pulumi.Input[str] namespace: The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + *Available only for Vault Enterprise*. + """ + if allow_role_ext_key_usage is not None: + pulumi.set(__self__, "allow_role_ext_key_usage", allow_role_ext_key_usage) + if allowed_issuers is not None: + pulumi.set(__self__, "allowed_issuers", allowed_issuers) + if allowed_roles is not None: + pulumi.set(__self__, "allowed_roles", allowed_roles) + if backend is not None: + pulumi.set(__self__, "backend", backend) + if default_directory_policy is not None: + pulumi.set(__self__, "default_directory_policy", default_directory_policy) + if dns_resolver is not None: + pulumi.set(__self__, "dns_resolver", dns_resolver) + if eab_policy is not None: + pulumi.set(__self__, "eab_policy", eab_policy) + if enabled is not None: + pulumi.set(__self__, "enabled", enabled) + if namespace is not None: + pulumi.set(__self__, "namespace", namespace) + + @property + @pulumi.getter(name="allowRoleExtKeyUsage") + def allow_role_ext_key_usage(self) -> Optional[pulumi.Input[bool]]: + """ + Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + """ + return pulumi.get(self, "allow_role_ext_key_usage") + + @allow_role_ext_key_usage.setter + def allow_role_ext_key_usage(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "allow_role_ext_key_usage", value) + + @property + @pulumi.getter(name="allowedIssuers") + def allowed_issuers(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Specifies which issuers are allowed for use with ACME. 
+ """ + return pulumi.get(self, "allowed_issuers") + + @allowed_issuers.setter + def allowed_issuers(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "allowed_issuers", value) + + @property + @pulumi.getter(name="allowedRoles") + def allowed_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Specifies which roles are allowed for use with ACME. + """ + return pulumi.get(self, "allowed_roles") + + @allowed_roles.setter + def allowed_roles(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "allowed_roles", value) + + @property + @pulumi.getter + def backend(self) -> Optional[pulumi.Input[str]]: + """ + The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + """ + return pulumi.get(self, "backend") + + @backend.setter + def backend(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "backend", value) + + @property + @pulumi.getter(name="defaultDirectoryPolicy") + def default_directory_policy(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the policy to be used for non-role-qualified ACME requests. + Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + """ + return pulumi.get(self, "default_directory_policy") + + @default_directory_policy.setter + def default_directory_policy(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "default_directory_policy", value) + + @property + @pulumi.getter(name="dnsResolver") + def dns_resolver(self) -> Optional[pulumi.Input[str]]: + """ + DNS resolver to use for domain resolution on this mount. + Must be in the format `:`, with both parts mandatory. 
+ """ + return pulumi.get(self, "dns_resolver") + + @dns_resolver.setter + def dns_resolver(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "dns_resolver", value) + + @property + @pulumi.getter(name="eabPolicy") + def eab_policy(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the policy to use for external account binding behaviour. + Allowed values are `not-required`, `new-account-required` or `always-required`. + """ + return pulumi.get(self, "eab_policy") + + @eab_policy.setter + def eab_policy(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "eab_policy", value) + + @property + @pulumi.getter + def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + Specifies whether ACME is enabled. + """ + return pulumi.get(self, "enabled") + + @enabled.setter + def enabled(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "enabled", value) + + @property + @pulumi.getter + def namespace(self) -> Optional[pulumi.Input[str]]: + """ + The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + *Available only for Vault Enterprise*. 
+ """ + return pulumi.get(self, "namespace") + + @namespace.setter + def namespace(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "namespace", value) + + +class BackendConfigAcme(pulumi.CustomResource): + @overload + def __init__(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + allow_role_ext_key_usage: Optional[pulumi.Input[bool]] = None, + allowed_issuers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + allowed_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + backend: Optional[pulumi.Input[str]] = None, + default_directory_policy: Optional[pulumi.Input[str]] = None, + dns_resolver: Optional[pulumi.Input[str]] = None, + eab_policy: Optional[pulumi.Input[str]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + namespace: Optional[pulumi.Input[str]] = None, + __props__=None): + """ + Allows setting the ACME server configuration used by specified mount. + + ## Example Usage + + ```python + import pulumi + import pulumi_vault as vault + + pki = vault.Mount("pki", + path="pki", + type="pki", + default_lease_ttl_seconds=3600, + max_lease_ttl_seconds=86400) + pki_config_cluster = vault.pki_secret.BackendConfigCluster("pki_config_cluster", + backend=pki.path, + path="http://127.0.0.1:8200/v1/pki", + aia_path="http://127.0.0.1:8200/v1/pki") + example = vault.pki_secret.BackendConfigAcme("example", + backend=pki.path, + enabled=True, + allowed_issuers=["*"], + allowed_roles=["*"], + allow_role_ext_key_usage=False, + default_directory_policy="sign-verbatim", + dns_resolver="", + eab_policy="not-required") + ``` + + ## Import + + The ACME configuration can be imported using the resource's `id`. + In the case of the example above the `id` would be `pki/config/acme`, + where the `pki` component is the resource's `backend`, e.g. 
+ + ```sh + $ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme + ``` + + :param str resource_name: The name of the resource. + :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[bool] allow_role_ext_key_usage: Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_issuers: Specifies which issuers are allowed for use with ACME. + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_roles: Specifies which roles are allowed for use with ACME. + :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + :param pulumi.Input[str] default_directory_policy: Specifies the policy to be used for non-role-qualified ACME requests. + Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + :param pulumi.Input[str] dns_resolver: DNS resolver to use for domain resolution on this mount. + Must be in the format `:`, with both parts mandatory. + :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour. + Allowed values are `not-required`, `new-account-required` or `always-required`. + :param pulumi.Input[bool] enabled: Specifies whether ACME is enabled. + :param pulumi.Input[str] namespace: The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + *Available only for Vault Enterprise*. + """ + ... + @overload + def __init__(__self__, + resource_name: str, + args: BackendConfigAcmeArgs, + opts: Optional[pulumi.ResourceOptions] = None): + """ + Allows setting the ACME server configuration used by specified mount. 
+ + ## Example Usage + + ```python + import pulumi + import pulumi_vault as vault + + pki = vault.Mount("pki", + path="pki", + type="pki", + default_lease_ttl_seconds=3600, + max_lease_ttl_seconds=86400) + pki_config_cluster = vault.pki_secret.BackendConfigCluster("pki_config_cluster", + backend=pki.path, + path="http://127.0.0.1:8200/v1/pki", + aia_path="http://127.0.0.1:8200/v1/pki") + example = vault.pki_secret.BackendConfigAcme("example", + backend=pki.path, + enabled=True, + allowed_issuers=["*"], + allowed_roles=["*"], + allow_role_ext_key_usage=False, + default_directory_policy="sign-verbatim", + dns_resolver="", + eab_policy="not-required") + ``` + + ## Import + + The ACME configuration can be imported using the resource's `id`. + In the case of the example above the `id` would be `pki/config/acme`, + where the `pki` component is the resource's `backend`, e.g. + + ```sh + $ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme + ``` + + :param str resource_name: The name of the resource. + :param BackendConfigAcmeArgs args: The arguments to use to populate this resource's properties. + :param pulumi.ResourceOptions opts: Options for the resource. + """ + ... 
+ def __init__(__self__, resource_name: str, *args, **kwargs): + resource_args, opts = _utilities.get_resource_args_opts(BackendConfigAcmeArgs, pulumi.ResourceOptions, *args, **kwargs) + if resource_args is not None: + __self__._internal_init(resource_name, opts, **resource_args.__dict__) + else: + __self__._internal_init(resource_name, *args, **kwargs) + + def _internal_init(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + allow_role_ext_key_usage: Optional[pulumi.Input[bool]] = None, + allowed_issuers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + allowed_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + backend: Optional[pulumi.Input[str]] = None, + default_directory_policy: Optional[pulumi.Input[str]] = None, + dns_resolver: Optional[pulumi.Input[str]] = None, + eab_policy: Optional[pulumi.Input[str]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + namespace: Optional[pulumi.Input[str]] = None, + __props__=None): + opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) + if not isinstance(opts, pulumi.ResourceOptions): + raise TypeError('Expected resource options to be a ResourceOptions instance') + if opts.id is None: + if __props__ is not None: + raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource') + __props__ = BackendConfigAcmeArgs.__new__(BackendConfigAcmeArgs) + + __props__.__dict__["allow_role_ext_key_usage"] = allow_role_ext_key_usage + __props__.__dict__["allowed_issuers"] = allowed_issuers + __props__.__dict__["allowed_roles"] = allowed_roles + if backend is None and not opts.urn: + raise TypeError("Missing required property 'backend'") + __props__.__dict__["backend"] = backend + __props__.__dict__["default_directory_policy"] = default_directory_policy + __props__.__dict__["dns_resolver"] = dns_resolver + __props__.__dict__["eab_policy"] = eab_policy + if enabled is None and not 
opts.urn: + raise TypeError("Missing required property 'enabled'") + __props__.__dict__["enabled"] = enabled + __props__.__dict__["namespace"] = namespace + super(BackendConfigAcme, __self__).__init__( + 'vault:pkiSecret/backendConfigAcme:BackendConfigAcme', + resource_name, + __props__, + opts) + + @staticmethod + def get(resource_name: str, + id: pulumi.Input[str], + opts: Optional[pulumi.ResourceOptions] = None, + allow_role_ext_key_usage: Optional[pulumi.Input[bool]] = None, + allowed_issuers: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + allowed_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + backend: Optional[pulumi.Input[str]] = None, + default_directory_policy: Optional[pulumi.Input[str]] = None, + dns_resolver: Optional[pulumi.Input[str]] = None, + eab_policy: Optional[pulumi.Input[str]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + namespace: Optional[pulumi.Input[str]] = None) -> 'BackendConfigAcme': + """ + Get an existing BackendConfigAcme resource's state with the given name, id, and optional extra + properties used to qualify the lookup. + + :param str resource_name: The unique name of the resulting resource. + :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. + :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[bool] allow_role_ext_key_usage: Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+** + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_issuers: Specifies which issuers are allowed for use with ACME. + :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_roles: Specifies which roles are allowed for use with ACME. + :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + :param pulumi.Input[str] default_directory_policy: Specifies the policy to be used for non-role-qualified ACME requests. 
+ Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + :param pulumi.Input[str] dns_resolver: DNS resolver to use for domain resolution on this mount. + Must be in the format `:`, with both parts mandatory. + :param pulumi.Input[str] eab_policy: Specifies the policy to use for external account binding behaviour. + Allowed values are `not-required`, `new-account-required` or `always-required`. + :param pulumi.Input[bool] enabled: Specifies whether ACME is enabled. + :param pulumi.Input[str] namespace: The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + *Available only for Vault Enterprise*. + """ + opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) + + __props__ = _BackendConfigAcmeState.__new__(_BackendConfigAcmeState) + + __props__.__dict__["allow_role_ext_key_usage"] = allow_role_ext_key_usage + __props__.__dict__["allowed_issuers"] = allowed_issuers + __props__.__dict__["allowed_roles"] = allowed_roles + __props__.__dict__["backend"] = backend + __props__.__dict__["default_directory_policy"] = default_directory_policy + __props__.__dict__["dns_resolver"] = dns_resolver + __props__.__dict__["eab_policy"] = eab_policy + __props__.__dict__["enabled"] = enabled + __props__.__dict__["namespace"] = namespace + return BackendConfigAcme(resource_name, opts=opts, __props__=__props__) + + @property + @pulumi.getter(name="allowRoleExtKeyUsage") + def allow_role_ext_key_usage(self) -> pulumi.Output[Optional[bool]]: + """ + Specifies whether the ExtKeyUsage field from a role is used. 
**Vault 1.14.1+** + """ + return pulumi.get(self, "allow_role_ext_key_usage") + + @property + @pulumi.getter(name="allowedIssuers") + def allowed_issuers(self) -> pulumi.Output[Sequence[str]]: + """ + Specifies which issuers are allowed for use with ACME. + """ + return pulumi.get(self, "allowed_issuers") + + @property + @pulumi.getter(name="allowedRoles") + def allowed_roles(self) -> pulumi.Output[Sequence[str]]: + """ + Specifies which roles are allowed for use with ACME. + """ + return pulumi.get(self, "allowed_roles") + + @property + @pulumi.getter + def backend(self) -> pulumi.Output[str]: + """ + The path the PKI secret backend is mounted at, with no leading or trailing `/`s. + """ + return pulumi.get(self, "backend") + + @property + @pulumi.getter(name="defaultDirectoryPolicy") + def default_directory_policy(self) -> pulumi.Output[str]: + """ + Specifies the policy to be used for non-role-qualified ACME requests. + Allowed values are `forbid`, `sign-verbatim`, `role:`, `external-policy` or `external-policy:`. + """ + return pulumi.get(self, "default_directory_policy") + + @property + @pulumi.getter(name="dnsResolver") + def dns_resolver(self) -> pulumi.Output[Optional[str]]: + """ + DNS resolver to use for domain resolution on this mount. + Must be in the format `:`, with both parts mandatory. + """ + return pulumi.get(self, "dns_resolver") + + @property + @pulumi.getter(name="eabPolicy") + def eab_policy(self) -> pulumi.Output[str]: + """ + Specifies the policy to use for external account binding behaviour. + Allowed values are `not-required`, `new-account-required` or `always-required`. + """ + return pulumi.get(self, "eab_policy") + + @property + @pulumi.getter + def enabled(self) -> pulumi.Output[bool]: + """ + Specifies whether ACME is enabled. + """ + return pulumi.get(self, "enabled") + + @property + @pulumi.getter + def namespace(self) -> pulumi.Output[Optional[str]]: + """ + The namespace to provision the resource in. 
+ The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace). + *Available only for Vault Enterprise*. + """ + return pulumi.get(self, "namespace") + diff --git a/sdk/python/pulumi_vault/pkisecret/backend_config_cmpv2.py b/sdk/python/pulumi_vault/pkisecret/backend_config_cmpv2.py new file mode 100644 index 00000000..21eaf4bf --- /dev/null +++ b/sdk/python/pulumi_vault/pkisecret/backend_config_cmpv2.py 
@@ -0,0 +1,525 @@ +# coding=utf-8 +# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +# *** Do not edit by hand unless you're certain you know what you are doing! *** + +import copy +import warnings +import sys +import pulumi +import pulumi.runtime +from typing import Any, Mapping, Optional, Sequence, Union, overload +if sys.version_info >= (3, 11): + from typing import NotRequired, TypedDict, TypeAlias +else: + from typing_extensions import NotRequired, TypedDict, TypeAlias +from .. import _utilities +from . import outputs +from ._inputs import * + +__all__ = ['BackendConfigCmpv2Args', 'BackendConfigCmpv2'] + +@pulumi.input_type +class BackendConfigCmpv2Args: + def __init__(__self__, *, + backend: pulumi.Input[str], + audit_fields: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + authenticators: Optional[pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs']] = None, + default_path_policy: Optional[pulumi.Input[str]] = None, + enable_sentinel_parsing: Optional[pulumi.Input[bool]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + namespace: Optional[pulumi.Input[str]] = None): + """ + The set of arguments for constructing a BackendConfigCmpv2 resource. + :param pulumi.Input[str] backend: The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_fields: Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + + + :param pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs'] authenticators: Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + :param pulumi.Input[str] default_path_policy: Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. 
+ :param pulumi.Input[bool] enable_sentinel_parsing: If set, parse out fields from the provided CSR making them available for Sentinel policies. + :param pulumi.Input[bool] enabled: Specifies whether CMPv2 is enabled. + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + pulumi.set(__self__, "backend", backend) + if audit_fields is not None: + pulumi.set(__self__, "audit_fields", audit_fields) + if authenticators is not None: + pulumi.set(__self__, "authenticators", authenticators) + if default_path_policy is not None: + pulumi.set(__self__, "default_path_policy", default_path_policy) + if enable_sentinel_parsing is not None: + pulumi.set(__self__, "enable_sentinel_parsing", enable_sentinel_parsing) + if enabled is not None: + pulumi.set(__self__, "enabled", enabled) + if namespace is not None: + pulumi.set(__self__, "namespace", namespace) + + @property + @pulumi.getter + def backend(self) -> pulumi.Input[str]: + """ + The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + """ + return pulumi.get(self, "backend") + + @backend.setter + def backend(self, value: pulumi.Input[str]): + pulumi.set(self, "backend", value) + + @property + @pulumi.getter(name="auditFields") + def audit_fields(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. 
+ + + """ + return pulumi.get(self, "audit_fields") + + @audit_fields.setter + def audit_fields(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "audit_fields", value) + + @property + @pulumi.getter + def authenticators(self) -> Optional[pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs']]: + """ + Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + """ + return pulumi.get(self, "authenticators") + + @authenticators.setter + def authenticators(self, value: Optional[pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs']]): + pulumi.set(self, "authenticators", value) + + @property + @pulumi.getter(name="defaultPathPolicy") + def default_path_policy(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + """ + return pulumi.get(self, "default_path_policy") + + @default_path_policy.setter + def default_path_policy(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "default_path_policy", value) + + @property + @pulumi.getter(name="enableSentinelParsing") + def enable_sentinel_parsing(self) -> Optional[pulumi.Input[bool]]: + """ + If set, parse out fields from the provided CSR making them available for Sentinel policies. + """ + return pulumi.get(self, "enable_sentinel_parsing") + + @enable_sentinel_parsing.setter + def enable_sentinel_parsing(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "enable_sentinel_parsing", value) + + @property + @pulumi.getter + def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + Specifies whether CMPv2 is enabled. + """ + return pulumi.get(self, "enabled") + + @enabled.setter + def enabled(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "enabled", value) + + @property + @pulumi.getter + def namespace(self) -> Optional[pulumi.Input[str]]: + """ + The namespace of the target resource. 
+ The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + return pulumi.get(self, "namespace") + + @namespace.setter + def namespace(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "namespace", value) + + +@pulumi.input_type +class _BackendConfigCmpv2State: + def __init__(__self__, *, + audit_fields: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + authenticators: Optional[pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs']] = None, + backend: Optional[pulumi.Input[str]] = None, + default_path_policy: Optional[pulumi.Input[str]] = None, + enable_sentinel_parsing: Optional[pulumi.Input[bool]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + last_updated: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None): + """ + Input properties used for looking up and filtering BackendConfigCmpv2 resources. + :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_fields: Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + + + :param pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs'] authenticators: Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + :param pulumi.Input[str] backend: The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + :param pulumi.Input[str] default_path_policy: Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + :param pulumi.Input[bool] enable_sentinel_parsing: If set, parse out fields from the provided CSR making them available for Sentinel policies. + :param pulumi.Input[bool] enabled: Specifies whether CMPv2 is enabled. 
+ :param pulumi.Input[str] last_updated: A read-only timestamp representing the last time the configuration was updated. + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + if audit_fields is not None: + pulumi.set(__self__, "audit_fields", audit_fields) + if authenticators is not None: + pulumi.set(__self__, "authenticators", authenticators) + if backend is not None: + pulumi.set(__self__, "backend", backend) + if default_path_policy is not None: + pulumi.set(__self__, "default_path_policy", default_path_policy) + if enable_sentinel_parsing is not None: + pulumi.set(__self__, "enable_sentinel_parsing", enable_sentinel_parsing) + if enabled is not None: + pulumi.set(__self__, "enabled", enabled) + if last_updated is not None: + pulumi.set(__self__, "last_updated", last_updated) + if namespace is not None: + pulumi.set(__self__, "namespace", namespace) + + @property + @pulumi.getter(name="auditFields") + def audit_fields(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + + + """ + return pulumi.get(self, "audit_fields") + + @audit_fields.setter + def audit_fields(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "audit_fields", value) + + @property + @pulumi.getter + def authenticators(self) -> Optional[pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs']]: + """ + Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). 
+ """ + return pulumi.get(self, "authenticators") + + @authenticators.setter + def authenticators(self, value: Optional[pulumi.Input['BackendConfigCmpv2AuthenticatorsArgs']]): + pulumi.set(self, "authenticators", value) + + @property + @pulumi.getter + def backend(self) -> Optional[pulumi.Input[str]]: + """ + The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + """ + return pulumi.get(self, "backend") + + @backend.setter + def backend(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "backend", value) + + @property + @pulumi.getter(name="defaultPathPolicy") + def default_path_policy(self) -> Optional[pulumi.Input[str]]: + """ + Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + """ + return pulumi.get(self, "default_path_policy") + + @default_path_policy.setter + def default_path_policy(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "default_path_policy", value) + + @property + @pulumi.getter(name="enableSentinelParsing") + def enable_sentinel_parsing(self) -> Optional[pulumi.Input[bool]]: + """ + If set, parse out fields from the provided CSR making them available for Sentinel policies. + """ + return pulumi.get(self, "enable_sentinel_parsing") + + @enable_sentinel_parsing.setter + def enable_sentinel_parsing(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "enable_sentinel_parsing", value) + + @property + @pulumi.getter + def enabled(self) -> Optional[pulumi.Input[bool]]: + """ + Specifies whether CMPv2 is enabled. + """ + return pulumi.get(self, "enabled") + + @enabled.setter + def enabled(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "enabled", value) + + @property + @pulumi.getter(name="lastUpdated") + def last_updated(self) -> Optional[pulumi.Input[str]]: + """ + A read-only timestamp representing the last time the configuration was updated. 
+ """ + return pulumi.get(self, "last_updated") + + @last_updated.setter + def last_updated(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "last_updated", value) + + @property + @pulumi.getter + def namespace(self) -> Optional[pulumi.Input[str]]: + """ + The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + return pulumi.get(self, "namespace") + + @namespace.setter + def namespace(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "namespace", value) + + +class BackendConfigCmpv2(pulumi.CustomResource): + @overload + def __init__(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + audit_fields: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + authenticators: Optional[pulumi.Input[Union['BackendConfigCmpv2AuthenticatorsArgs', 'BackendConfigCmpv2AuthenticatorsArgsDict']]] = None, + backend: Optional[pulumi.Input[str]] = None, + default_path_policy: Optional[pulumi.Input[str]] = None, + enable_sentinel_parsing: Optional[pulumi.Input[bool]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + namespace: Optional[pulumi.Input[str]] = None, + __props__=None): + """ + Allows setting the CMPv2 configuration on a PKI Secret Backend + + ## Import + + The PKI config cluster can be imported using the resource's `id`. + In the case of the example above the `id` would be `pki-root/config/cmpv2`, + where the `pki-root` component is the resource's `backend`, e.g. + + ```sh + $ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2 + ``` + + :param str resource_name: The name of the resource. + :param pulumi.ResourceOptions opts: Options for the resource. 
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_fields: Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + + + :param pulumi.Input[Union['BackendConfigCmpv2AuthenticatorsArgs', 'BackendConfigCmpv2AuthenticatorsArgsDict']] authenticators: Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + :param pulumi.Input[str] backend: The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + :param pulumi.Input[str] default_path_policy: Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + :param pulumi.Input[bool] enable_sentinel_parsing: If set, parse out fields from the provided CSR making them available for Sentinel policies. + :param pulumi.Input[bool] enabled: Specifies whether CMPv2 is enabled. + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + ... + @overload + def __init__(__self__, + resource_name: str, + args: BackendConfigCmpv2Args, + opts: Optional[pulumi.ResourceOptions] = None): + """ + Allows setting the CMPv2 configuration on a PKI Secret Backend + + ## Import + + The PKI config cluster can be imported using the resource's `id`. + In the case of the example above the `id` would be `pki-root/config/cmpv2`, + where the `pki-root` component is the resource's `backend`, e.g. + + ```sh + $ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2 + ``` + + :param str resource_name: The name of the resource. + :param BackendConfigCmpv2Args args: The arguments to use to populate this resource's properties. 
+ :param pulumi.ResourceOptions opts: Options for the resource. + """ + ... + def __init__(__self__, resource_name: str, *args, **kwargs): + resource_args, opts = _utilities.get_resource_args_opts(BackendConfigCmpv2Args, pulumi.ResourceOptions, *args, **kwargs) + if resource_args is not None: + __self__._internal_init(resource_name, opts, **resource_args.__dict__) + else: + __self__._internal_init(resource_name, *args, **kwargs) + + def _internal_init(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + audit_fields: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + authenticators: Optional[pulumi.Input[Union['BackendConfigCmpv2AuthenticatorsArgs', 'BackendConfigCmpv2AuthenticatorsArgsDict']]] = None, + backend: Optional[pulumi.Input[str]] = None, + default_path_policy: Optional[pulumi.Input[str]] = None, + enable_sentinel_parsing: Optional[pulumi.Input[bool]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + namespace: Optional[pulumi.Input[str]] = None, + __props__=None): + opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) + if not isinstance(opts, pulumi.ResourceOptions): + raise TypeError('Expected resource options to be a ResourceOptions instance') + if opts.id is None: + if __props__ is not None: + raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource') + __props__ = BackendConfigCmpv2Args.__new__(BackendConfigCmpv2Args) + + __props__.__dict__["audit_fields"] = audit_fields + __props__.__dict__["authenticators"] = authenticators + if backend is None and not opts.urn: + raise TypeError("Missing required property 'backend'") + __props__.__dict__["backend"] = backend + __props__.__dict__["default_path_policy"] = default_path_policy + __props__.__dict__["enable_sentinel_parsing"] = enable_sentinel_parsing + __props__.__dict__["enabled"] = enabled + __props__.__dict__["namespace"] = namespace + 
__props__.__dict__["last_updated"] = None + super(BackendConfigCmpv2, __self__).__init__( + 'vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2', + resource_name, + __props__, + opts) + + @staticmethod + def get(resource_name: str, + id: pulumi.Input[str], + opts: Optional[pulumi.ResourceOptions] = None, + audit_fields: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + authenticators: Optional[pulumi.Input[Union['BackendConfigCmpv2AuthenticatorsArgs', 'BackendConfigCmpv2AuthenticatorsArgsDict']]] = None, + backend: Optional[pulumi.Input[str]] = None, + default_path_policy: Optional[pulumi.Input[str]] = None, + enable_sentinel_parsing: Optional[pulumi.Input[bool]] = None, + enabled: Optional[pulumi.Input[bool]] = None, + last_updated: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[str]] = None) -> 'BackendConfigCmpv2': + """ + Get an existing BackendConfigCmpv2 resource's state with the given name, id, and optional extra + properties used to qualify the lookup. + + :param str resource_name: The unique name of the resulting resource. + :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. + :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[Sequence[pulumi.Input[str]]] audit_fields: Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + + + :param pulumi.Input[Union['BackendConfigCmpv2AuthenticatorsArgs', 'BackendConfigCmpv2AuthenticatorsArgsDict']] authenticators: Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). + :param pulumi.Input[str] backend: The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + :param pulumi.Input[str] default_path_policy: Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. 
+ :param pulumi.Input[bool] enable_sentinel_parsing: If set, parse out fields from the provided CSR making them available for Sentinel policies. + :param pulumi.Input[bool] enabled: Specifies whether CMPv2 is enabled. + :param pulumi.Input[str] last_updated: A read-only timestamp representing the last time the configuration was updated. + :param pulumi.Input[str] namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) + + __props__ = _BackendConfigCmpv2State.__new__(_BackendConfigCmpv2State) + + __props__.__dict__["audit_fields"] = audit_fields + __props__.__dict__["authenticators"] = authenticators + __props__.__dict__["backend"] = backend + __props__.__dict__["default_path_policy"] = default_path_policy + __props__.__dict__["enable_sentinel_parsing"] = enable_sentinel_parsing + __props__.__dict__["enabled"] = enabled + __props__.__dict__["last_updated"] = last_updated + __props__.__dict__["namespace"] = namespace + return BackendConfigCmpv2(resource_name, opts=opts, __props__=__props__) + + @property + @pulumi.getter(name="auditFields") + def audit_fields(self) -> pulumi.Output[Sequence[str]]: + """ + Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. + + + """ + return pulumi.get(self, "audit_fields") + + @property + @pulumi.getter + def authenticators(self) -> pulumi.Output['outputs.BackendConfigCmpv2Authenticators']: + """ + Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema). 
+ """ + return pulumi.get(self, "authenticators") + + @property + @pulumi.getter + def backend(self) -> pulumi.Output[str]: + """ + The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + """ + return pulumi.get(self, "backend") + + @property + @pulumi.getter(name="defaultPathPolicy") + def default_path_policy(self) -> pulumi.Output[Optional[str]]: + """ + Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:. + """ + return pulumi.get(self, "default_path_policy") + + @property + @pulumi.getter(name="enableSentinelParsing") + def enable_sentinel_parsing(self) -> pulumi.Output[Optional[bool]]: + """ + If set, parse out fields from the provided CSR making them available for Sentinel policies. + """ + return pulumi.get(self, "enable_sentinel_parsing") + + @property + @pulumi.getter + def enabled(self) -> pulumi.Output[Optional[bool]]: + """ + Specifies whether CMPv2 is enabled. + """ + return pulumi.get(self, "enabled") + + @property + @pulumi.getter(name="lastUpdated") + def last_updated(self) -> pulumi.Output[str]: + """ + A read-only timestamp representing the last time the configuration was updated. + """ + return pulumi.get(self, "last_updated") + + @property + @pulumi.getter + def namespace(self) -> pulumi.Output[Optional[str]]: + """ + The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. + """ + return pulumi.get(self, "namespace") + diff --git a/sdk/python/pulumi_vault/pkisecret/get_backend_config_cmpv2.py b/sdk/python/pulumi_vault/pkisecret/get_backend_config_cmpv2.py new file mode 100644 index 00000000..b5487600 --- /dev/null +++ b/sdk/python/pulumi_vault/pkisecret/get_backend_config_cmpv2.py 
@@ -0,0 +1,209 @@ +# coding=utf-8 +# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +# *** Do not edit by hand unless you're certain you know what you are doing! *** + +import copy +import warnings +import sys +import pulumi +import pulumi.runtime +from typing import Any, Mapping, Optional, Sequence, Union, overload +if sys.version_info >= (3, 11): + from typing import NotRequired, TypedDict, TypeAlias +else: + from typing_extensions import NotRequired, TypedDict, TypeAlias +from .. import _utilities +from . import outputs + +__all__ = [ + 'GetBackendConfigCmpv2Result', + 'AwaitableGetBackendConfigCmpv2Result', + 'get_backend_config_cmpv2', + 'get_backend_config_cmpv2_output', +] + +@pulumi.output_type +class GetBackendConfigCmpv2Result: + """ + A collection of values returned by getBackendConfigCmpv2. + """ + def __init__(__self__, audit_fields=None, authenticators=None, backend=None, default_path_policy=None, enable_sentinel_parsing=None, enabled=None, id=None, last_updated=None, namespace=None): + if audit_fields and not isinstance(audit_fields, list): + raise TypeError("Expected argument 'audit_fields' to be a list") + pulumi.set(__self__, "audit_fields", audit_fields) + if authenticators and not isinstance(authenticators, list): + raise TypeError("Expected argument 'authenticators' to be a list") + pulumi.set(__self__, "authenticators", authenticators) + if backend and not isinstance(backend, str): + raise TypeError("Expected argument 'backend' to be a str") + pulumi.set(__self__, "backend", backend) + if default_path_policy and not isinstance(default_path_policy, str): + raise TypeError("Expected argument 'default_path_policy' to be a str") + pulumi.set(__self__, "default_path_policy", default_path_policy) + if enable_sentinel_parsing and not isinstance(enable_sentinel_parsing, bool): + raise TypeError("Expected argument 'enable_sentinel_parsing' to be a bool") + pulumi.set(__self__, "enable_sentinel_parsing", 
enable_sentinel_parsing) + if enabled and not isinstance(enabled, bool): + raise TypeError("Expected argument 'enabled' to be a bool") + pulumi.set(__self__, "enabled", enabled) + if id and not isinstance(id, str): + raise TypeError("Expected argument 'id' to be a str") + pulumi.set(__self__, "id", id) + if last_updated and not isinstance(last_updated, str): + raise TypeError("Expected argument 'last_updated' to be a str") + pulumi.set(__self__, "last_updated", last_updated) + if namespace and not isinstance(namespace, str): + raise TypeError("Expected argument 'namespace' to be a str") + pulumi.set(__self__, "namespace", namespace) + + @property + @pulumi.getter(name="auditFields") + def audit_fields(self) -> Sequence[str]: + return pulumi.get(self, "audit_fields") + + @property + @pulumi.getter + def authenticators(self) -> Sequence['outputs.GetBackendConfigCmpv2AuthenticatorResult']: + return pulumi.get(self, "authenticators") + + @property + @pulumi.getter + def backend(self) -> str: + return pulumi.get(self, "backend") + + @property + @pulumi.getter(name="defaultPathPolicy") + def default_path_policy(self) -> str: + return pulumi.get(self, "default_path_policy") + + @property + @pulumi.getter(name="enableSentinelParsing") + def enable_sentinel_parsing(self) -> bool: + return pulumi.get(self, "enable_sentinel_parsing") + + @property + @pulumi.getter + def enabled(self) -> bool: + return pulumi.get(self, "enabled") + + @property + @pulumi.getter + def id(self) -> str: + """ + The provider-assigned unique ID for this managed resource. 
+ """ + return pulumi.get(self, "id") + + @property + @pulumi.getter(name="lastUpdated") + def last_updated(self) -> str: + return pulumi.get(self, "last_updated") + + @property + @pulumi.getter + def namespace(self) -> Optional[str]: + return pulumi.get(self, "namespace") + + +class AwaitableGetBackendConfigCmpv2Result(GetBackendConfigCmpv2Result): + # pylint: disable=using-constant-test + def __await__(self): + if False: + yield self + return GetBackendConfigCmpv2Result( + audit_fields=self.audit_fields, + authenticators=self.authenticators, + backend=self.backend, + default_path_policy=self.default_path_policy, + enable_sentinel_parsing=self.enable_sentinel_parsing, + enabled=self.enabled, + id=self.id, + last_updated=self.last_updated, + namespace=self.namespace) + + +def get_backend_config_cmpv2(backend: Optional[str] = None, + namespace: Optional[str] = None, + opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetBackendConfigCmpv2Result: + """ + ## Example Usage + + ```python + import pulumi + import pulumi_vault as vault + + pki = vault.Mount("pki", + path="pki", + type="pki", + description="PKI secret engine mount") + cmpv2_config = vault.pkiSecret.get_backend_config_cmpv2_output(backend=pki.path) + ``` + + + :param str backend: The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + + # Attributes Reference + :param str namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. 
+ """ + __args__ = dict() + __args__['backend'] = backend + __args__['namespace'] = namespace + opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts) + __ret__ = pulumi.runtime.invoke('vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2', __args__, opts=opts, typ=GetBackendConfigCmpv2Result).value + + return AwaitableGetBackendConfigCmpv2Result( + audit_fields=pulumi.get(__ret__, 'audit_fields'), + authenticators=pulumi.get(__ret__, 'authenticators'), + backend=pulumi.get(__ret__, 'backend'), + default_path_policy=pulumi.get(__ret__, 'default_path_policy'), + enable_sentinel_parsing=pulumi.get(__ret__, 'enable_sentinel_parsing'), + enabled=pulumi.get(__ret__, 'enabled'), + id=pulumi.get(__ret__, 'id'), + last_updated=pulumi.get(__ret__, 'last_updated'), + namespace=pulumi.get(__ret__, 'namespace')) +def get_backend_config_cmpv2_output(backend: Optional[pulumi.Input[str]] = None, + namespace: Optional[pulumi.Input[Optional[str]]] = None, + opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetBackendConfigCmpv2Result]: + """ + ## Example Usage + + ```python + import pulumi + import pulumi_vault as vault + + pki = vault.Mount("pki", + path="pki", + type="pki", + description="PKI secret engine mount") + cmpv2_config = vault.pkiSecret.get_backend_config_cmpv2_output(backend=pki.path) + ``` + + + :param str backend: The path to the PKI secret backend to + read the CMPv2 configuration from, with no leading or trailing `/`s. + + # Attributes Reference + :param str namespace: The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). + *Available only for Vault Enterprise*. 
+ """ + __args__ = dict() + __args__['backend'] = backend + __args__['namespace'] = namespace + opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts) + __ret__ = pulumi.runtime.invoke_output('vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2', __args__, opts=opts, typ=GetBackendConfigCmpv2Result) + return __ret__.apply(lambda __response__: GetBackendConfigCmpv2Result( + audit_fields=pulumi.get(__response__, 'audit_fields'), + authenticators=pulumi.get(__response__, 'authenticators'), + backend=pulumi.get(__response__, 'backend'), + default_path_policy=pulumi.get(__response__, 'default_path_policy'), + enable_sentinel_parsing=pulumi.get(__response__, 'enable_sentinel_parsing'), + enabled=pulumi.get(__response__, 'enabled'), + id=pulumi.get(__response__, 'id'), + last_updated=pulumi.get(__response__, 'last_updated'), + namespace=pulumi.get(__response__, 'namespace'))) diff --git a/sdk/python/pulumi_vault/pkisecret/outputs.py b/sdk/python/pulumi_vault/pkisecret/outputs.py index 617b8d21..d98313c1 100644 --- a/sdk/python/pulumi_vault/pkisecret/outputs.py +++ b/sdk/python/pulumi_vault/pkisecret/outputs.py 
@@ -15,11 +15,32 @@ from .. import _utilities __all__ = [ + 'BackendConfigCmpv2Authenticators', 'BackendConfigEstAuthenticators', 'SecretBackendRolePolicyIdentifier', + 'GetBackendConfigCmpv2AuthenticatorResult', 'GetBackendConfigEstAuthenticatorResult', ] +@pulumi.output_type +class BackendConfigCmpv2Authenticators(dict): + def __init__(__self__, *, + cert: Optional[Mapping[str, str]] = None): + """ + :param Mapping[str, str] cert: "The accessor (required) and cert_role (optional) properties for cert auth backends". + """ + if cert is not None: + pulumi.set(__self__, "cert", cert) + + @property + @pulumi.getter + def cert(self) -> Optional[Mapping[str, str]]: + """ + "The accessor (required) and cert_role (optional) properties for cert auth backends". + """ + return pulumi.get(self, "cert") + + @pulumi.output_type class BackendConfigEstAuthenticators(dict): def __init__(__self__, *, @@ -97,6 +118,25 @@ def notice(self) -> Optional[str]: return pulumi.get(self, "notice") +@pulumi.output_type +class GetBackendConfigCmpv2AuthenticatorResult(dict): + def __init__(__self__, *, + cert: Optional[Mapping[str, str]] = None): + """ + :param Mapping[str, str] cert: The accessor and cert_role properties for cert auth backends + """ + if cert is not None: + pulumi.set(__self__, "cert", cert) + + @property + @pulumi.getter + def cert(self) -> Optional[Mapping[str, str]]: + """ + The accessor and cert_role properties for cert auth backends + """ + return pulumi.get(self, "cert") + + @pulumi.output_type class GetBackendConfigEstAuthenticatorResult(dict): def __init__(__self__, *, diff --git a/sdk/python/pulumi_vault/pkisecret/secret_backend_role.py b/sdk/python/pulumi_vault/pkisecret/secret_backend_role.py index b4cdbaad..c55e21ae 100644 --- a/sdk/python/pulumi_vault/pkisecret/secret_backend_role.py +++ b/sdk/python/pulumi_vault/pkisecret/secret_backend_role.py 
@@ -38,6 +38,7 @@ def __init__(__self__, *, allowed_user_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None, client_flag: Optional[pulumi.Input[bool]] = None, + cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, code_signing_flag: Optional[pulumi.Input[bool]] = None, countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, email_protection_flag: Optional[pulumi.Input[bool]] = None, @@ -86,6 +87,7 @@ def __init__(__self__, *, :param pulumi.Input[Sequence[pulumi.Input[str]]] allowed_user_ids: Defines allowed User IDs :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use + :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use @@ -158,6 +160,8 @@ def __init__(__self__, *, pulumi.set(__self__, "basic_constraints_valid_for_non_ca", basic_constraints_valid_for_non_ca) if client_flag is not None: pulumi.set(__self__, "client_flag", client_flag) + if cn_validations is not None: + pulumi.set(__self__, "cn_validations", cn_validations) if code_signing_flag is not None: pulumi.set(__self__, "code_signing_flag", code_signing_flag) if countries is not None: 
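Review bot: The new `cn_validations` docstring in the `@@ -86,6 +87,7 @@` hunk lists `email`, `hostname` and `disabled` but says neither what applies when the argument is omitted nor what `disabled` does; the same sentence is repeated in the later `cn_validations` hunks of this file. On a PKI role this setting decides what may appear in an issued certificate's Common Name, so the text should make the weakest choice explicit. Presumably `disabled` turns Common Name validation off and is meant to be used alone (to be confirmed against the Vault PKI role documentation); if so I would append a sentence such as `Setting disabled skips Common Name validation and must be the only value in the list.` The `__init__` this docstring belongs to starts and ends outside the hunk.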
@@ -421,6 +425,18 @@ def client_flag(self) -> Optional[pulumi.Input[bool]]: def client_flag(self, value: Optional[pulumi.Input[bool]]): pulumi.set(self, "client_flag", value) + @property + @pulumi.getter(name="cnValidations") + def cn_validations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + """ + return pulumi.get(self, "cn_validations") + + @cn_validations.setter + def cn_validations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "cn_validations", value) + @property @pulumi.getter(name="codeSigningFlag") def code_signing_flag(self) -> Optional[pulumi.Input[bool]]: @@ -799,6 +815,7 @@ def __init__(__self__, *, backend: Optional[pulumi.Input[str]] = None, basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None, client_flag: Optional[pulumi.Input[bool]] = None, + cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, code_signing_flag: Optional[pulumi.Input[bool]] = None, countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, email_protection_flag: Optional[pulumi.Input[bool]] = None, 
@@ -847,6 +864,7 @@ def __init__(__self__, *, :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s. :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use + :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use @@ -920,6 +938,8 @@ def __init__(__self__, *, pulumi.set(__self__, "basic_constraints_valid_for_non_ca", basic_constraints_valid_for_non_ca) if client_flag is not None: pulumi.set(__self__, "client_flag", client_flag) + if cn_validations is not None: + pulumi.set(__self__, "cn_validations", cn_validations) if code_signing_flag is not None: pulumi.set(__self__, "code_signing_flag", code_signing_flag) if countries is not None: 
@@ -1183,6 +1203,18 @@ def client_flag(self) -> Optional[pulumi.Input[bool]]: def client_flag(self, value: Optional[pulumi.Input[bool]]): pulumi.set(self, "client_flag", value) + @property + @pulumi.getter(name="cnValidations") + def cn_validations(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + """ + return pulumi.get(self, "cn_validations") + + @cn_validations.setter + def cn_validations(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "cn_validations", value) + @property @pulumi.getter(name="codeSigningFlag") def code_signing_flag(self) -> Optional[pulumi.Input[bool]]: @@ -1563,6 +1595,7 @@ def __init__(__self__, backend: Optional[pulumi.Input[str]] = None, basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None, client_flag: Optional[pulumi.Input[bool]] = None, + cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, code_signing_flag: Optional[pulumi.Input[bool]] = None, countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, email_protection_flag: Optional[pulumi.Input[bool]] = None, 
@@ -1648,6 +1681,7 @@ def __init__(__self__, :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s. :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use + :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use @@ -1761,6 +1795,7 @@ def _internal_init(__self__, backend: Optional[pulumi.Input[str]] = None, basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None, client_flag: Optional[pulumi.Input[bool]] = None, + cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, code_signing_flag: Optional[pulumi.Input[bool]] = None, countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, email_protection_flag: Optional[pulumi.Input[bool]] = None, @@ -1818,6 +1853,7 @@ def _internal_init(__self__, __props__.__dict__["backend"] = backend __props__.__dict__["basic_constraints_valid_for_non_ca"] = basic_constraints_valid_for_non_ca __props__.__dict__["client_flag"] = client_flag + __props__.__dict__["cn_validations"] = cn_validations __props__.__dict__["code_signing_flag"] = code_signing_flag __props__.__dict__["countries"] = countries __props__.__dict__["email_protection_flag"] = email_protection_flag 
@@ -1874,6 +1910,7 @@ def get(resource_name: str, backend: Optional[pulumi.Input[str]] = None, basic_constraints_valid_for_non_ca: Optional[pulumi.Input[bool]] = None, client_flag: Optional[pulumi.Input[bool]] = None, + cn_validations: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, code_signing_flag: Optional[pulumi.Input[bool]] = None, countries: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, email_protection_flag: Optional[pulumi.Input[bool]] = None, @@ -1927,6 +1964,7 @@ def get(resource_name: str, :param pulumi.Input[str] backend: The path the PKI secret backend is mounted at, with no leading or trailing `/`s. :param pulumi.Input[bool] basic_constraints_valid_for_non_ca: Flag to mark basic constraints valid when issuing non-CA certificates :param pulumi.Input[bool] client_flag: Flag to specify certificates for client use + :param pulumi.Input[Sequence[pulumi.Input[str]]] cn_validations: Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` :param pulumi.Input[bool] code_signing_flag: Flag to specify certificates for code signing use :param pulumi.Input[Sequence[pulumi.Input[str]]] countries: The country of generated certificates :param pulumi.Input[bool] email_protection_flag: Flag to specify certificates for email protection use @@ -1987,6 +2025,7 @@ def get(resource_name: str, __props__.__dict__["backend"] = backend __props__.__dict__["basic_constraints_valid_for_non_ca"] = basic_constraints_valid_for_non_ca __props__.__dict__["client_flag"] = client_flag + __props__.__dict__["cn_validations"] = cn_validations __props__.__dict__["code_signing_flag"] = code_signing_flag __props__.__dict__["countries"] = countries __props__.__dict__["email_protection_flag"] = email_protection_flag 
@@ -2154,6 +2193,14 @@ def client_flag(self) -> pulumi.Output[Optional[bool]]: """ return pulumi.get(self, "client_flag") + @property + @pulumi.getter(name="cnValidations") + def cn_validations(self) -> pulumi.Output[Sequence[str]]: + """ + Validations to run on the Common Name field of the certificate, choices: `email`, `hostname`, `disabled` + """ + return pulumi.get(self, "cn_validations") + @property @pulumi.getter(name="codeSigningFlag") def code_signing_flag(self) -> pulumi.Output[Optional[bool]]: diff --git a/sdk/python/pulumi_vault/ssh/secret_backend_role.py b/sdk/python/pulumi_vault/ssh/secret_backend_role.py index 488ba175..2fc729ad 100644 --- a/sdk/python/pulumi_vault/ssh/secret_backend_role.py +++ b/sdk/python/pulumi_vault/ssh/secret_backend_role.py @@ -54,6 +54,9 @@ def __init__(__self__, *, :param pulumi.Input[str] key_type: Specifies the type of credentials generated by this role. This can be either `otp`, `dynamic` or `ca`. :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`. + :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no + valid principals (e.g. any valid principal). For backwards compatibility + only. The default of false is highly recommended. :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'. :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`. :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'. 
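Review bot: The `allow_empty_principals` docstring added in the `@@ -54,6 +54,9 @@` hunk of `ssh/secret_backend_role.py` words the risk as `(e.g. any valid principal)`, which reads like an example rather than the consequence; the same three lines are repeated in the later hunks of this file. Presumably the meaning is that a certificate signed without principals can be accepted for any principal, depending on how the SSH server trusts the CA, and that is the point a reader deciding on this flag needs. I would reword it to `Allow signing certificates with an empty principals list; such a certificate may be accepted for any principal. For backwards compatibility only, keep the default of false.` The text is also wrapped mid-sentence, unlike the one-line `:param` entries around it. The `__init__` docstring it sits in starts and ends outside the hunk.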
@@ -187,6 +190,11 @@ def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="allowEmptyPrincipals") def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]: + """ + Allow signing certificates with no + valid principals (e.g. any valid principal). For backwards compatibility + only. The default of false is highly recommended. + """ return pulumi.get(self, "allow_empty_principals") @allow_empty_principals.setter @@ -498,6 +506,9 @@ def __init__(__self__, *, Input properties used for looking up and filtering SecretBackendRole resources. :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`. + :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no + valid principals (e.g. any valid principal). For backwards compatibility + only. The default of false is highly recommended. :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'. :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`. :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'. 
@@ -611,6 +622,11 @@ def allow_bare_domains(self, value: Optional[pulumi.Input[bool]]): @property @pulumi.getter(name="allowEmptyPrincipals") def allow_empty_principals(self) -> Optional[pulumi.Input[bool]]: + """ + Allow signing certificates with no + valid principals (e.g. any valid principal). For backwards compatibility + only. The default of false is highly recommended. + """ return pulumi.get(self, "allow_empty_principals") @allow_empty_principals.setter @@ -982,6 +998,9 @@ def __init__(__self__, :param pulumi.ResourceOptions opts: Options for the resource. :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`. + :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no + valid principals (e.g. any valid principal). For backwards compatibility + only. The default of false is highly recommended. :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'. :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`. :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'. 
@@ -1180,6 +1199,9 @@ def get(resource_name: str, :param pulumi.ResourceOptions opts: Options for the resource. :param pulumi.Input[str] algorithm_signer: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. :param pulumi.Input[bool] allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in `allowed_domains`. + :param pulumi.Input[bool] allow_empty_principals: Allow signing certificates with no + valid principals (e.g. any valid principal). For backwards compatibility + only. The default of false is highly recommended. :param pulumi.Input[bool] allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'. :param pulumi.Input[bool] allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in `allowed_domains`. :param pulumi.Input[bool] allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'. @@ -1263,6 +1285,11 @@ def allow_bare_domains(self) -> pulumi.Output[Optional[bool]]: @property @pulumi.getter(name="allowEmptyPrincipals") def allow_empty_principals(self) -> pulumi.Output[Optional[bool]]: + """ + Allow signing certificates with no + valid principals (e.g. any valid principal). For backwards compatibility + only. The default of false is highly recommended. + """ return pulumi.get(self, "allow_empty_principals") @property diff --git a/upstream b/upstream index c96967c1..afb9eca1 160000 --- a/upstream +++ b/upstream @@ -1 +1 @@ -Subproject commit c96967c1b8009fc6e99a057760a6adc2d691b8fd +Subproject commit afb9eca1e2c4db85df89a6d8e19426c54cbb1be2