@pulumi/vault
Version:
A Pulumi package for creating and managing HashiCorp Vault cloud resources.
288 lines (287 loc) • 11 kB
TypeScript
import * as pulumi from "@pulumi/pulumi";
/**
* Manages an Kubernetes auth backend role in a Vault server. See the [Vault
* documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more
* information.
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as vault from "@pulumi/vault";
*
* const kubernetes = new vault.AuthBackend("kubernetes", {type: "kubernetes"});
* const example = new vault.kubernetes.AuthBackendRole("example", {
* backend: kubernetes.path,
* roleName: "example-role",
* boundServiceAccountNames: ["example"],
* boundServiceAccountNamespaces: ["example"],
* tokenTtl: 3600,
* tokenPolicies: [
* "default",
* "dev",
* "prod",
* ],
* audience: "vault",
* });
* ```
*
* ## Import
*
* Kubernetes auth backend role can be imported using the `path`, e.g.
*
* ```sh
* $ pulumi import vault:kubernetes/authBackendRole:AuthBackendRole foo auth/kubernetes/role/foo
* ```
*/
export declare class AuthBackendRole extends pulumi.CustomResource {
/**
* Get an existing AuthBackendRole resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleState, opts?: pulumi.CustomResourceOptions): AuthBackendRole;
/**
* Returns true if the given object is an instance of AuthBackendRole. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is AuthBackendRole;
/**
* Configures how identity aliases are generated.
* Valid choices are: `serviceaccountUid`, `serviceaccountName`. (vault-1.9+)
*/
readonly aliasNameSource: pulumi.Output<string>;
/**
* Audience claim to verify in the JWT.
*
* > Please see [aliasNameSource](https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)
* before setting this to something other its default value. There are **important** security
* implications to be aware of.
*/
readonly audience: pulumi.Output<string | undefined>;
/**
* Unique name of the kubernetes backend to configure.
*/
readonly backend: pulumi.Output<string | undefined>;
/**
* List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and boundServiceAccountNamespaces can not be "*".
*/
readonly boundServiceAccountNames: pulumi.Output<string[]>;
/**
* List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".
*/
readonly boundServiceAccountNamespaces: pulumi.Output<string[]>;
/**
* The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
readonly namespace: pulumi.Output<string | undefined>;
/**
* Name of the role.
*/
readonly roleName: pulumi.Output<string>;
/**
* Specifies the blocks of IP addresses which are allowed to use the generated token
*/
readonly tokenBoundCidrs: pulumi.Output<string[] | undefined>;
/**
* Generated Token's Explicit Maximum TTL in seconds
*/
readonly tokenExplicitMaxTtl: pulumi.Output<number | undefined>;
/**
* The maximum lifetime of the generated token
*/
readonly tokenMaxTtl: pulumi.Output<number | undefined>;
/**
* If true, the 'default' policy will not automatically be added to generated tokens
*/
readonly tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;
/**
* The maximum number of times a token may be used, a value of zero means unlimited
*/
readonly tokenNumUses: pulumi.Output<number | undefined>;
/**
* Generated Token's Period
*/
readonly tokenPeriod: pulumi.Output<number | undefined>;
/**
* Generated Token's Policies
*/
readonly tokenPolicies: pulumi.Output<string[] | undefined>;
/**
* The initial ttl of the token to generate in seconds
*/
readonly tokenTtl: pulumi.Output<number | undefined>;
/**
* The type of token to generate, service or batch
*/
readonly tokenType: pulumi.Output<string | undefined>;
/**
* Create a AuthBackendRole resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: AuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering AuthBackendRole resources.
*/
export interface AuthBackendRoleState {
/**
* Configures how identity aliases are generated.
* Valid choices are: `serviceaccountUid`, `serviceaccountName`. (vault-1.9+)
*/
aliasNameSource?: pulumi.Input<string>;
/**
* Audience claim to verify in the JWT.
*
* > Please see [aliasNameSource](https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)
* before setting this to something other its default value. There are **important** security
* implications to be aware of.
*/
audience?: pulumi.Input<string>;
/**
* Unique name of the kubernetes backend to configure.
*/
backend?: pulumi.Input<string>;
/**
* List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and boundServiceAccountNamespaces can not be "*".
*/
boundServiceAccountNames?: pulumi.Input<pulumi.Input<string>[]>;
/**
* List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".
*/
boundServiceAccountNamespaces?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
namespace?: pulumi.Input<string>;
/**
* Name of the role.
*/
roleName?: pulumi.Input<string>;
/**
* Specifies the blocks of IP addresses which are allowed to use the generated token
*/
tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Generated Token's Explicit Maximum TTL in seconds
*/
tokenExplicitMaxTtl?: pulumi.Input<number>;
/**
* The maximum lifetime of the generated token
*/
tokenMaxTtl?: pulumi.Input<number>;
/**
* If true, the 'default' policy will not automatically be added to generated tokens
*/
tokenNoDefaultPolicy?: pulumi.Input<boolean>;
/**
* The maximum number of times a token may be used, a value of zero means unlimited
*/
tokenNumUses?: pulumi.Input<number>;
/**
* Generated Token's Period
*/
tokenPeriod?: pulumi.Input<number>;
/**
* Generated Token's Policies
*/
tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The initial ttl of the token to generate in seconds
*/
tokenTtl?: pulumi.Input<number>;
/**
* The type of token to generate, service or batch
*/
tokenType?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a AuthBackendRole resource.
*/
export interface AuthBackendRoleArgs {
/**
* Configures how identity aliases are generated.
* Valid choices are: `serviceaccountUid`, `serviceaccountName`. (vault-1.9+)
*/
aliasNameSource?: pulumi.Input<string>;
/**
* Audience claim to verify in the JWT.
*
* > Please see [aliasNameSource](https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)
* before setting this to something other its default value. There are **important** security
* implications to be aware of.
*/
audience?: pulumi.Input<string>;
/**
* Unique name of the kubernetes backend to configure.
*/
backend?: pulumi.Input<string>;
/**
* List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and boundServiceAccountNamespaces can not be "*".
*/
boundServiceAccountNames: pulumi.Input<pulumi.Input<string>[]>;
/**
* List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".
*/
boundServiceAccountNamespaces: pulumi.Input<pulumi.Input<string>[]>;
/**
* The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
namespace?: pulumi.Input<string>;
/**
* Name of the role.
*/
roleName: pulumi.Input<string>;
/**
* Specifies the blocks of IP addresses which are allowed to use the generated token
*/
tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Generated Token's Explicit Maximum TTL in seconds
*/
tokenExplicitMaxTtl?: pulumi.Input<number>;
/**
* The maximum lifetime of the generated token
*/
tokenMaxTtl?: pulumi.Input<number>;
/**
* If true, the 'default' policy will not automatically be added to generated tokens
*/
tokenNoDefaultPolicy?: pulumi.Input<boolean>;
/**
* The maximum number of times a token may be used, a value of zero means unlimited
*/
tokenNumUses?: pulumi.Input<number>;
/**
* Generated Token's Period
*/
tokenPeriod?: pulumi.Input<number>;
/**
* Generated Token's Policies
*/
tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The initial ttl of the token to generate in seconds
*/
tokenTtl?: pulumi.Input<number>;
/**
* The type of token to generate, service or batch
*/
tokenType?: pulumi.Input<string>;
}