import * as pulumi from "@pulumi/pulumi";
/**
 * Reads a GCP auth role from a Vault server.
 *
 * This is the Promise-returning form: it takes plain values and resolves once
 * with the role as it is configured on the server (`type`, the `bound*`
 * identity constraints and the `token*` settings). Use
 * `getAuthBackendRoleOutput` when the arguments are themselves Pulumi
 * inputs/outputs or the result is to be wired straight into another resource.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as vault from "@pulumi/vault";
 *
 * export = async () => {
 *     const role = await vault.gcp.getAuthBackendRole({
 *         backend: "my-gcp-backend",
 *         roleName: "my-role",
 *     });
 *     return {
 *         "role-id": role.roleId,
 *     };
 * }
 * ```
 *
 * @param args - Identifies the role to read; `roleName` is required and
 *   `backend` defaults to "gcp".
 * @param opts - Pulumi invoke options (for example which provider instance to
 *   invoke against).
 * @returns The role's resolved values, see {@link GetAuthBackendRoleResult}.
 */
export declare function getAuthBackendRole(args: GetAuthBackendRoleArgs, opts?: pulumi.InvokeOptions): Promise<GetAuthBackendRoleResult>;
/**
 * A collection of arguments for invoking getAuthBackendRole.
 *
 * `roleName`, together with the optional `backend` mount and `namespace`, is
 * what identifies the role to read. The `token*` fields mirror the role's
 * token settings as they appear on {@link GetAuthBackendRoleResult}; this
 * declaration does not show whether supplying them influences the lookup.
 * NOTE(review): confirm against the provider before relying on them here.
 */
export interface GetAuthBackendRoleArgs {
/**
 * The unique name for the GCP backend from which to fetch the role. Defaults to "gcp".
 */
backend?: string;
/**
 * The namespace of the target resource.
 * The value should not contain leading or trailing forward slashes.
 * The `namespace` is always relative to the provider's configured namespace.
 * *Available only for Vault Enterprise*.
 */
namespace?: string;
/**
 * The name of the role to retrieve the Role ID for. Required.
 */
roleName: string;
/**
 * List of CIDR blocks; if set, specifies blocks of IP
 * addresses which can authenticate successfully, and ties the resulting token to these blocks
 * as well. Binding tokens to source CIDRs limits where a leaked token can be
 * replayed from.
 */
tokenBoundCidrs?: string[];
/**
 * If set, will encode an
 * [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
 * onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
 * `tokenMaxTtl` would otherwise allow a renewal.
 */
tokenExplicitMaxTtl?: number;
/**
 * The maximum lifetime for generated tokens in number of seconds.
 * Its current value will be referenced at renewal time.
 */
tokenMaxTtl?: number;
/**
 * If set, the default policy will not be set on
 * generated tokens; otherwise it will be added to the policies set in token_policies.
 */
tokenNoDefaultPolicy?: boolean;
/**
 * Maximum number of times a generated token may be used within its lifetime;
 * 0 means unlimited. A small value bounds how far a leaked token can be reused.
 * NOTE(review): the upstream text for this field duplicated `tokenPeriod`'s
 * "period" description and did not match the field name; the meaning given
 * here follows Vault's `token_num_uses` — confirm against the provider schema.
 */
tokenNumUses?: number;
/**
 * (Optional) If set, indicates that the
 * token generated using this role should never expire. The token should be renewed within the
 * duration specified by this value. At each renewal, the token's TTL will be set to the
 * value of this field. Specified in seconds.
 */
tokenPeriod?: number;
/**
 * List of policies to encode onto generated tokens. Depending
 * on the auth method, this list may be supplemented by user/group/other values.
 */
tokenPolicies?: string[];
/**
 * The incremental lifetime for generated tokens in number of seconds.
 * Its current value will be referenced at renewal time.
 */
tokenTtl?: number;
/**
 * The type of token that should be generated. Can be `service`,
 * `batch`, or `default` to use the mount's tuned default (which unless changed will be
 * `service` tokens). For token store roles, there are two additional possibilities:
 * `default-service` and `default-batch` which specify the type to return unless the client
 * requests a different type at generation time.
 */
tokenType?: string;
}
/**
 * A collection of values returned by getAuthBackendRole.
 *
 * The `bound*` fields carry the role's GCP identity constraints; which of
 * them are populated depends on `type` (`iam` or `gce`). When auditing who
 * can obtain a Vault token through this role, review those bindings together
 * with `type` and the `token*` settings.
 */
export interface GetAuthBackendRoleResult {
/**
 * The `backend` argument as supplied to the lookup, if any.
 */
readonly backend?: string;
/**
 * GCP instance groups bound to the role. Returned when `type` is `gce`.
 * (The upstream text read "regions" here, which looks like a copy of
 * `boundRegions`; the description follows the field name.)
 */
readonly boundInstanceGroups: string[];
/**
 * GCP labels bound to the role. Returned when `type` is `gce`.
 */
readonly boundLabels: string[];
/**
 * GCP projects bound to the role.
 */
readonly boundProjects: string[];
/**
 * GCP regions bound to the role. Returned when `type` is `gce`.
 */
readonly boundRegions: string[];
/**
 * GCP service accounts bound to the role. Returned when `type` is `iam`.
 */
readonly boundServiceAccounts: string[];
/**
 * GCP zones bound to the role. Returned when `type` is `gce`.
 */
readonly boundZones: string[];
/**
 * The provider-assigned unique ID for this managed resource.
 */
readonly id: string;
/**
 * The `namespace` argument as supplied to the lookup, if any.
 */
readonly namespace?: string;
/**
 * The RoleID of the GCP role.
 */
readonly roleId: string;
/**
 * The `roleName` argument the role was looked up by.
 */
readonly roleName: string;
/**
 * List of CIDR blocks; if set, specifies blocks of IP
 * addresses which can authenticate successfully, and ties the resulting token to these blocks
 * as well.
 */
readonly tokenBoundCidrs?: string[];
/**
 * If set, will encode an
 * [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
 * onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
 * `tokenMaxTtl` would otherwise allow a renewal.
 */
readonly tokenExplicitMaxTtl?: number;
/**
 * The maximum lifetime for generated tokens in number of seconds.
 * Its current value will be referenced at renewal time.
 */
readonly tokenMaxTtl?: number;
/**
 * If set, the default policy will not be set on
 * generated tokens; otherwise it will be added to the policies set in token_policies.
 */
readonly tokenNoDefaultPolicy?: boolean;
/**
 * Maximum number of times a generated token may be used within its lifetime;
 * 0 means unlimited.
 * NOTE(review): the upstream text for this field duplicated `tokenPeriod`'s
 * "period" description and did not match the field name; the meaning given
 * here follows Vault's `token_num_uses` — confirm against the provider schema.
 */
readonly tokenNumUses?: number;
/**
 * (Optional) If set, indicates that the
 * token generated using this role should never expire. The token should be renewed within the
 * duration specified by this value. At each renewal, the token's TTL will be set to the
 * value of this field. Specified in seconds.
 */
readonly tokenPeriod?: number;
/**
 * List of policies to encode onto generated tokens. Depending
 * on the auth method, this list may be supplemented by user/group/other values.
 */
readonly tokenPolicies?: string[];
/**
 * The incremental lifetime for generated tokens in number of seconds.
 * Its current value will be referenced at renewal time.
 */
readonly tokenTtl?: number;
/**
 * The type of token that should be generated. Can be `service`,
 * `batch`, or `default` to use the mount's tuned default (which unless changed will be
 * `service` tokens). For token store roles, there are two additional possibilities:
 * `default-service` and `default-batch` which specify the type to return unless the client
 * requests a different type at generation time.
 */
readonly tokenType?: string;
/**
 * Type of GCP role. Expected values are `iam` or `gce`. Determines which
 * `bound*` fields are meaningful: `boundServiceAccounts` for `iam`;
 * `boundInstanceGroups`, `boundLabels`, `boundRegions` and `boundZones` for `gce`.
 */
readonly type: string;
}
/**
 * Reads a GCP auth role from a Vault server.
 *
 * This is the Output-returning form of `getAuthBackendRole`: every argument
 * may be a `pulumi.Input`, and the result is a
 * `pulumi.Output<GetAuthBackendRoleResult>` rather than a Promise, so it can
 * be passed directly into other resources' inputs without `await`. The
 * example below shows the Promise form; the arguments are the same.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as vault from "@pulumi/vault";
 *
 * export = async () => {
 *     const role = await vault.gcp.getAuthBackendRole({
 *         backend: "my-gcp-backend",
 *         roleName: "my-role",
 *     });
 *     return {
 *         "role-id": role.roleId,
 *     };
 * }
 * ```
 *
 * @param args - Identifies the role to read; `roleName` is required and
 *   `backend` defaults to "gcp". Values may be Pulumi inputs.
 * @param opts - Pulumi invoke-output options.
 * @returns An Output that resolves to the role's values, see
 *   {@link GetAuthBackendRoleResult}.
 */
export declare function getAuthBackendRoleOutput(args: GetAuthBackendRoleOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetAuthBackendRoleResult>;
/**
 * A collection of arguments for invoking getAuthBackendRoleOutput.
 *
 * Same fields as {@link GetAuthBackendRoleArgs}, but each value is a
 * `pulumi.Input`, so outputs of other resources can be passed without
 * resolving them first. As with the Promise form, this declaration does not
 * show whether the `token*` fields influence the lookup.
 * NOTE(review): confirm against the provider before relying on them here.
 */
export interface GetAuthBackendRoleOutputArgs {
/**
 * The unique name for the GCP backend from which to fetch the role. Defaults to "gcp".
 */
backend?: pulumi.Input<string>;
/**
 * The namespace of the target resource.
 * The value should not contain leading or trailing forward slashes.
 * The `namespace` is always relative to the provider's configured namespace.
 * *Available only for Vault Enterprise*.
 */
namespace?: pulumi.Input<string>;
/**
 * The name of the role to retrieve the Role ID for. Required.
 */
roleName: pulumi.Input<string>;
/**
 * List of CIDR blocks; if set, specifies blocks of IP
 * addresses which can authenticate successfully, and ties the resulting token to these blocks
 * as well. Binding tokens to source CIDRs limits where a leaked token can be
 * replayed from.
 */
tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * If set, will encode an
 * [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
 * onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
 * `tokenMaxTtl` would otherwise allow a renewal.
 */
tokenExplicitMaxTtl?: pulumi.Input<number>;
/**
 * The maximum lifetime for generated tokens in number of seconds.
 * Its current value will be referenced at renewal time.
 */
tokenMaxTtl?: pulumi.Input<number>;
/**
 * If set, the default policy will not be set on
 * generated tokens; otherwise it will be added to the policies set in token_policies.
 */
tokenNoDefaultPolicy?: pulumi.Input<boolean>;
/**
 * Maximum number of times a generated token may be used within its lifetime;
 * 0 means unlimited. A small value bounds how far a leaked token can be reused.
 * NOTE(review): the upstream text for this field duplicated `tokenPeriod`'s
 * "period" description and did not match the field name; the meaning given
 * here follows Vault's `token_num_uses` — confirm against the provider schema.
 */
tokenNumUses?: pulumi.Input<number>;
/**
 * (Optional) If set, indicates that the
 * token generated using this role should never expire. The token should be renewed within the
 * duration specified by this value. At each renewal, the token's TTL will be set to the
 * value of this field. Specified in seconds.
 */
tokenPeriod?: pulumi.Input<number>;
/**
 * List of policies to encode onto generated tokens. Depending
 * on the auth method, this list may be supplemented by user/group/other values.
 */
tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * The incremental lifetime for generated tokens in number of seconds.
 * Its current value will be referenced at renewal time.
 */
tokenTtl?: pulumi.Input<number>;
/**
 * The type of token that should be generated. Can be `service`,
 * `batch`, or `default` to use the mount's tuned default (which unless changed will be
 * `service` tokens). For token store roles, there are two additional possibilities:
 * `default-service` and `default-batch` which specify the type to return unless the client
 * requests a different type at generation time.
 */
tokenType?: pulumi.Input<string>;
}