import * as pulumi from "@pulumi/pulumi";
/**
 * Provides a resource to create a role in a [Cert auth backend within Vault](https://www.vaultproject.io/docs/auth/cert.html).
 *
 * A role binds one trusted CA (`certificate`) to the set of client certificates that
 * may log in through it (the `allowed*` fields and `requiredExtensions`) and to the
 * properties of the token Vault issues on a successful login (`tokenTtl`,
 * `tokenPolicies`, `tokenBoundCidrs`, ...). Any client certificate that validates
 * against `certificate` and satisfies the role's constraints is expected to obtain a
 * token carrying this role's policies, so keep the `allowed*` constraints as narrow
 * as the workload permits.
 *
 * ## Example Usage
 *
 * Note: the example uses `allowedNames`, which is marked deprecated below; new code
 * should prefer the specific `allowedDnsSans` / `allowedEmailSans` / `allowedUriSans`
 * / `allowedCommonNames` fields.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as std from "@pulumi/std";
 * import * as vault from "@pulumi/vault";
 *
 * const cert = new vault.AuthBackend("cert", {
 *     path: "cert",
 *     type: "cert",
 * });
 * const certCertAuthBackendRole = new vault.CertAuthBackendRole("cert", {
 *     name: "foo",
 *     // CA certificate (PEM) that client certificates must chain to.
 *     certificate: std.file({
 *         input: "/path/to/certs/ca-cert.pem",
 *     }).then(invoke => invoke.result),
 *     backend: cert.path,
 *     allowedNames: [
 *         "foo.example.org",
 *         "baz.example.org",
 *     ],
 *     tokenTtl: 300,
 *     tokenMaxTtl: 600,
 *     tokenPolicies: ["foo"],
 * });
 * ```
 */
export declare class CertAuthBackendRole extends pulumi.CustomResource {
    /**
     * Get an existing CertAuthBackendRole resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertAuthBackendRoleState, opts?: pulumi.CustomResourceOptions): CertAuthBackendRole;
    /**
     * Returns true if the given object is an instance of CertAuthBackendRole. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj Any value; the check is a type predicate, so a `true` result narrows `obj`.
     */
    static isInstance(obj: any): obj is CertAuthBackendRole;
    /**
     * Allowed common names (CN) for authenticated client certificates.
     */
    readonly allowedCommonNames: pulumi.Output<string[]>;
    /**
     * Allowed alternative DNS names (DNS SANs) for authenticated client certificates.
     */
    readonly allowedDnsSans: pulumi.Output<string[]>;
    /**
     * Allowed email addresses (email SANs) for authenticated client certificates.
     */
    readonly allowedEmailSans: pulumi.Output<string[]>;
    /**
     * DEPRECATED: Please use the individual `allowed_X_sans` parameters instead.
     * Allowed subject names for authenticated client certificates.
     * The per-type fields (`allowedDnsSans`, `allowedEmailSans`, `allowedUriSans`,
     * `allowedCommonNames`) each constrain a single identity type and are the
     * preferred way to express which certificates may log in.
     */
    readonly allowedNames: pulumi.Output<string[]>;
    /**
     * Allowed organizational units (OU) for authenticated client certificates.
     */
    readonly allowedOrganizationalUnits: pulumi.Output<string[] | undefined>;
    /**
     * Allowed URIs (URI SANs) for authenticated client certificates.
     */
    readonly allowedUriSans: pulumi.Output<string[]>;
    /**
     * Path to the mounted Cert auth backend.
     */
    readonly backend: pulumi.Output<string | undefined>;
    /**
     * CA certificate used to validate client certificates.
     * This is the trust anchor for the role: a client certificate that does not chain
     * to it is rejected before any of the `allowed*` constraints are considered.
     */
    readonly certificate: pulumi.Output<string>;
    /**
     * The name to display on tokens issued under this role.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * Name of the role.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    readonly namespace: pulumi.Output<string | undefined>;
    /**
     * Any additional CA certificates
     * needed to verify OCSP responses. Provided as base64 encoded PEM data.
     * Requires Vault version 1.13+.
     */
    readonly ocspCaCertificates: pulumi.Output<string | undefined>;
    /**
     * If enabled, validate certificates'
     * revocation status using OCSP. Requires Vault version 1.13+.
     */
    readonly ocspEnabled: pulumi.Output<boolean>;
    /**
     * If true and an OCSP response cannot
     * be fetched or is of an unknown status, the login will proceed as if the
     * certificate has not been revoked.
     * Requires Vault version 1.13+.
     *
     * NOTE(review): this trades revocation assurance for availability — a revoked
     * certificate whose OCSP responder is unreachable would still authenticate.
     * Leave it unset/false where revocation must be enforced.
     */
    readonly ocspFailOpen: pulumi.Output<boolean>;
    /**
     * If set to true, rather than
     * accepting the first successful OCSP response, query all servers and consider
     * the certificate valid only if all servers agree.
     * Requires Vault version 1.13+.
     */
    readonly ocspQueryAllServers: pulumi.Output<boolean>;
    /**
     * A list of OCSP server addresses (modelled here as a string array; the
     * underlying Vault parameter is comma-separated). If unset, the OCSP server
     * is determined from the AuthorityInformationAccess extension on the
     * certificate being inspected.
     * Requires Vault version 1.13+.
     */
    readonly ocspServersOverrides: pulumi.Output<string[] | undefined>;
    /**
     * TLS extensions required on
     * client certificates. The expected entry format is not specified here —
     * see the upstream Vault docs before relying on it as a login constraint.
     */
    readonly requiredExtensions: pulumi.Output<string[]>;
    /**
     * Specifies the blocks of IP addresses which are allowed to use the generated token.
     * Bounding tokens to the CIDRs a workload actually connects from limits what a
     * leaked token can be used for.
     */
    readonly tokenBoundCidrs: pulumi.Output<string[] | undefined>;
    /**
     * Generated Token's Explicit Maximum TTL in seconds.
     */
    readonly tokenExplicitMaxTtl: pulumi.Output<number | undefined>;
    /**
     * The maximum lifetime of the generated token.
     */
    readonly tokenMaxTtl: pulumi.Output<number | undefined>;
    /**
     * If true, the 'default' policy will not automatically be added to generated tokens.
     */
    readonly tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;
    /**
     * The maximum number of times a token may be used, a value of zero means unlimited.
     */
    readonly tokenNumUses: pulumi.Output<number | undefined>;
    /**
     * Generated Token's Period.
     */
    readonly tokenPeriod: pulumi.Output<number | undefined>;
    /**
     * Generated Token's Policies.
     */
    readonly tokenPolicies: pulumi.Output<string[] | undefined>;
    /**
     * The initial ttl of the token to generate in seconds.
     */
    readonly tokenTtl: pulumi.Output<number | undefined>;
    /**
     * The type of token to generate, service or batch.
     */
    readonly tokenType: pulumi.Output<string | undefined>;
    /**
     * Create a CertAuthBackendRole resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties; `certificate` is required.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: CertAuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering CertAuthBackendRole resources.
 * Every field is optional here because this shape only qualifies a lookup
 * (see `CertAuthBackendRole.get`); it is not validated as a complete role.
 */
export interface CertAuthBackendRoleState {
    /**
     * Allowed common names (CN) for authenticated client certificates.
     */
    allowedCommonNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed alternative DNS names (DNS SANs) for authenticated client certificates.
     */
    allowedDnsSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed email addresses (email SANs) for authenticated client certificates.
     */
    allowedEmailSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * DEPRECATED: Please use the individual `allowed_X_sans` parameters instead.
     * Allowed subject names for authenticated client certificates.
     */
    allowedNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed organizational units (OU) for authenticated client certificates.
     */
    allowedOrganizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed URIs (URI SANs) for authenticated client certificates.
     */
    allowedUriSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Path to the mounted Cert auth backend.
     */
    backend?: pulumi.Input<string>;
    /**
     * CA certificate used to validate client certificates (the role's trust anchor).
     */
    certificate?: pulumi.Input<string>;
    /**
     * The name to display on tokens issued under this role.
     */
    displayName?: pulumi.Input<string>;
    /**
     * Name of the role.
     */
    name?: pulumi.Input<string>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    namespace?: pulumi.Input<string>;
    /**
     * Any additional CA certificates
     * needed to verify OCSP responses. Provided as base64 encoded PEM data.
     * Requires Vault version 1.13+.
     */
    ocspCaCertificates?: pulumi.Input<string>;
    /**
     * If enabled, validate certificates'
     * revocation status using OCSP. Requires Vault version 1.13+.
     */
    ocspEnabled?: pulumi.Input<boolean>;
    /**
     * If true and an OCSP response cannot
     * be fetched or is of an unknown status, the login will proceed as if the
     * certificate has not been revoked.
     * Requires Vault version 1.13+.
     *
     * NOTE(review): fail-open means an unreachable OCSP responder does not block
     * a revoked certificate; leave it unset/false where revocation must be enforced.
     */
    ocspFailOpen?: pulumi.Input<boolean>;
    /**
     * If set to true, rather than
     * accepting the first successful OCSP response, query all servers and consider
     * the certificate valid only if all servers agree.
     * Requires Vault version 1.13+.
     */
    ocspQueryAllServers?: pulumi.Input<boolean>;
    /**
     * A list of OCSP server addresses (modelled here as a string array; the
     * underlying Vault parameter is comma-separated). If unset, the OCSP server
     * is determined from the AuthorityInformationAccess extension on the
     * certificate being inspected.
     * Requires Vault version 1.13+.
     */
    ocspServersOverrides?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * TLS extensions required on
     * client certificates. The expected entry format is not specified here —
     * see the upstream Vault docs.
     */
    requiredExtensions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the blocks of IP addresses which are allowed to use the generated token.
     */
    tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Generated Token's Explicit Maximum TTL in seconds.
     */
    tokenExplicitMaxTtl?: pulumi.Input<number>;
    /**
     * The maximum lifetime of the generated token.
     */
    tokenMaxTtl?: pulumi.Input<number>;
    /**
     * If true, the 'default' policy will not automatically be added to generated tokens.
     */
    tokenNoDefaultPolicy?: pulumi.Input<boolean>;
    /**
     * The maximum number of times a token may be used, a value of zero means unlimited.
     */
    tokenNumUses?: pulumi.Input<number>;
    /**
     * Generated Token's Period.
     */
    tokenPeriod?: pulumi.Input<number>;
    /**
     * Generated Token's Policies.
     */
    tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The initial ttl of the token to generate in seconds.
     */
    tokenTtl?: pulumi.Input<number>;
    /**
     * The type of token to generate, service or batch.
     */
    tokenType?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a CertAuthBackendRole resource.
 * Only `certificate` (the CA that client certificates must validate against) is
 * required; every other constraint is optional, so a role created with just the
 * defaults admits any certificate that chains to that CA. Add `allowed*` fields,
 * `requiredExtensions` and `tokenBoundCidrs` to narrow who may log in and where
 * the resulting token can be used.
 */
export interface CertAuthBackendRoleArgs {
    /**
     * Allowed common names (CN) for authenticated client certificates.
     */
    allowedCommonNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed alternative DNS names (DNS SANs) for authenticated client certificates.
     */
    allowedDnsSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed email addresses (email SANs) for authenticated client certificates.
     */
    allowedEmailSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * DEPRECATED: Please use the individual `allowed_X_sans` parameters instead.
     * Allowed subject names for authenticated client certificates.
     */
    allowedNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed organizational units (OU) for authenticated client certificates.
     */
    allowedOrganizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed URIs (URI SANs) for authenticated client certificates.
     */
    allowedUriSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Path to the mounted Cert auth backend.
     */
    backend?: pulumi.Input<string>;
    /**
     * CA certificate used to validate client certificates. Required — this is the
     * role's trust anchor.
     */
    certificate: pulumi.Input<string>;
    /**
     * The name to display on tokens issued under this role.
     */
    displayName?: pulumi.Input<string>;
    /**
     * Name of the role.
     */
    name?: pulumi.Input<string>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    namespace?: pulumi.Input<string>;
    /**
     * Any additional CA certificates
     * needed to verify OCSP responses. Provided as base64 encoded PEM data.
     * Requires Vault version 1.13+.
     */
    ocspCaCertificates?: pulumi.Input<string>;
    /**
     * If enabled, validate certificates'
     * revocation status using OCSP. Requires Vault version 1.13+.
     */
    ocspEnabled?: pulumi.Input<boolean>;
    /**
     * If true and an OCSP response cannot
     * be fetched or is of an unknown status, the login will proceed as if the
     * certificate has not been revoked.
     * Requires Vault version 1.13+.
     *
     * NOTE(review): fail-open means an unreachable OCSP responder does not block
     * a revoked certificate; leave it unset/false where revocation must be enforced.
     */
    ocspFailOpen?: pulumi.Input<boolean>;
    /**
     * If set to true, rather than
     * accepting the first successful OCSP response, query all servers and consider
     * the certificate valid only if all servers agree.
     * Requires Vault version 1.13+.
     */
    ocspQueryAllServers?: pulumi.Input<boolean>;
    /**
     * A list of OCSP server addresses (modelled here as a string array; the
     * underlying Vault parameter is comma-separated). If unset, the OCSP server
     * is determined from the AuthorityInformationAccess extension on the
     * certificate being inspected.
     * Requires Vault version 1.13+.
     */
    ocspServersOverrides?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * TLS extensions required on
     * client certificates. The expected entry format is not specified here —
     * see the upstream Vault docs.
     */
    requiredExtensions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the blocks of IP addresses which are allowed to use the generated token.
     */
    tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Generated Token's Explicit Maximum TTL in seconds.
     */
    tokenExplicitMaxTtl?: pulumi.Input<number>;
    /**
     * The maximum lifetime of the generated token.
     */
    tokenMaxTtl?: pulumi.Input<number>;
    /**
     * If true, the 'default' policy will not automatically be added to generated tokens.
     */
    tokenNoDefaultPolicy?: pulumi.Input<boolean>;
    /**
     * The maximum number of times a token may be used, a value of zero means unlimited.
     */
    tokenNumUses?: pulumi.Input<number>;
    /**
     * Generated Token's Period.
     */
    tokenPeriod?: pulumi.Input<number>;
    /**
     * Generated Token's Policies.
     */
    tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The initial ttl of the token to generate in seconds.
     */
    tokenTtl?: pulumi.Input<number>;
    /**
     * The type of token to generate, service or batch.
     */
    tokenType?: pulumi.Input<string>;
}