@pulumi/vault
Version:
A Pulumi package for creating and managing HashiCorp Vault cloud resources.
589 lines (588 loc) • 21 kB
TypeScript
import * as pulumi from "@pulumi/pulumi";
/**
* Provides a resource for managing an [LDAP auth backend within Vault](https://www.vaultproject.io/docs/auth/ldap.html).
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as vault from "@pulumi/vault";
*
* const ldap = new vault.ldap.AuthBackend("ldap", {
* path: "ldap",
* url: "ldaps://dc-01.example.org",
* userdn: "OU=Users,OU=Accounts,DC=example,DC=org",
* userattr: "sAMAccountName",
* upndomain: "EXAMPLE.ORG",
* discoverdn: false,
* groupdn: "OU=Groups,DC=example,DC=org",
* groupfilter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))",
* rotationSchedule: "0 * * * SAT",
* rotationWindow: 3600,
* });
* ```
*
* ## Import
*
* LDAP authentication backends can be imported using the `path`, e.g.
*
* ```sh
* $ pulumi import vault:ldap/authBackend:AuthBackend ldap ldap
* ```
*/
export declare class AuthBackend extends pulumi.CustomResource {
/**
* Get an existing AuthBackend resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendState, opts?: pulumi.CustomResourceOptions): AuthBackend;
/**
* Returns true if the given object is an instance of AuthBackend. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is AuthBackend;
/**
* The accessor for this auth mount.
*/
readonly accessor: pulumi.Output<string>;
/**
* DN of object to bind when performing user search
*/
readonly binddn: pulumi.Output<string>;
/**
* Password to use with `binddn` when performing user search
*/
readonly bindpass: pulumi.Output<string>;
/**
* Control case senstivity of objects fetched from LDAP, this is used for object matching in vault
*/
readonly caseSensitiveNames: pulumi.Output<boolean>;
/**
* Trusted CA to validate TLS certificate
*/
readonly certificate: pulumi.Output<string>;
readonly clientTlsCert: pulumi.Output<string>;
readonly clientTlsKey: pulumi.Output<string>;
/**
* Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30)
*/
readonly connectionTimeout: pulumi.Output<number>;
/**
* Prevents users from bypassing authentication when providing an empty password.
*/
readonly denyNullBind: pulumi.Output<boolean>;
/**
* Description for the LDAP auth backend mount
*/
readonly description: pulumi.Output<string>;
/**
* Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
*/
readonly disableAutomatedRotation: pulumi.Output<boolean | undefined>;
/**
* If set, opts out of mount migration on path updates.
* See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
*/
readonly disableRemount: pulumi.Output<boolean | undefined>;
/**
* Use anonymous bind to discover the bind DN of a user.
*/
readonly discoverdn: pulumi.Output<boolean>;
/**
* LDAP attribute to follow on objects returned by groupfilter
*/
readonly groupattr: pulumi.Output<string>;
/**
* Base DN under which to perform group search
*/
readonly groupdn: pulumi.Output<string>;
/**
* Go template used to construct group membership query
*/
readonly groupfilter: pulumi.Output<string>;
/**
* Control whether or TLS certificates must be validated
*/
readonly insecureTls: pulumi.Output<boolean>;
/**
* Specifies if the auth method is local only.
*/
readonly local: pulumi.Output<boolean | undefined>;
/**
* Sets the max page size for LDAP lookups, by default it's set to -1.
* *Available only for Vault 1.11.11+, 1.12.7+, and 1.13.3+*.
*/
readonly maxPageSize: pulumi.Output<number | undefined>;
/**
* The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
readonly namespace: pulumi.Output<string | undefined>;
/**
* Path to mount the LDAP auth backend under
*/
readonly path: pulumi.Output<string | undefined>;
/**
* The amount of time in seconds Vault should wait before rotating the root credential.
* A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
*/
readonly rotationPeriod: pulumi.Output<number | undefined>;
/**
* The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
* defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
*/
readonly rotationSchedule: pulumi.Output<string | undefined>;
/**
* The maximum amount of time in seconds allowed to complete
* a rotation when a scheduled token rotation occurs. The default rotation window is
* unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
*/
readonly rotationWindow: pulumi.Output<number | undefined>;
/**
* Control use of TLS when conecting to LDAP
*/
readonly starttls: pulumi.Output<boolean>;
/**
* Maximum acceptable version of TLS
*/
readonly tlsMaxVersion: pulumi.Output<string>;
/**
* Minimum acceptable version of TLS
*/
readonly tlsMinVersion: pulumi.Output<string>;
/**
* Specifies the blocks of IP addresses which are allowed to use the generated token
*/
readonly tokenBoundCidrs: pulumi.Output<string[] | undefined>;
/**
* Generated Token's Explicit Maximum TTL in seconds
*/
readonly tokenExplicitMaxTtl: pulumi.Output<number | undefined>;
/**
* The maximum lifetime of the generated token
*/
readonly tokenMaxTtl: pulumi.Output<number | undefined>;
/**
* If true, the 'default' policy will not automatically be added to generated tokens
*/
readonly tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;
/**
* The maximum number of times a token may be used, a value of zero means unlimited
*/
readonly tokenNumUses: pulumi.Output<number | undefined>;
/**
* Generated Token's Period
*/
readonly tokenPeriod: pulumi.Output<number | undefined>;
/**
* Generated Token's Policies
*/
readonly tokenPolicies: pulumi.Output<string[] | undefined>;
/**
* The initial ttl of the token to generate in seconds
*/
readonly tokenTtl: pulumi.Output<number | undefined>;
/**
* The type of token to generate, service or batch
*/
readonly tokenType: pulumi.Output<string | undefined>;
/**
* The `userPrincipalDomain` used to construct the UPN string for the authenticating user.
*/
readonly upndomain: pulumi.Output<string>;
/**
* The URL of the LDAP server
*/
readonly url: pulumi.Output<string>;
/**
* Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
*/
readonly useTokenGroups: pulumi.Output<boolean>;
/**
* Attribute on user object matching username passed in
*/
readonly userattr: pulumi.Output<string>;
/**
* Base DN under which to perform user search
*/
readonly userdn: pulumi.Output<string>;
/**
* LDAP user search filter
*/
readonly userfilter: pulumi.Output<string>;
/**
* Force the auth method to use the username passed by the user as the alias name.
*/
readonly usernameAsAlias: pulumi.Output<boolean>;
/**
* Create a AuthBackend resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: AuthBackendArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering AuthBackend resources.
*/
export interface AuthBackendState {
/**
* The accessor for this auth mount.
*/
accessor?: pulumi.Input<string>;
/**
* DN of object to bind when performing user search
*/
binddn?: pulumi.Input<string>;
/**
* Password to use with `binddn` when performing user search
*/
bindpass?: pulumi.Input<string>;
/**
* Control case senstivity of objects fetched from LDAP, this is used for object matching in vault
*/
caseSensitiveNames?: pulumi.Input<boolean>;
/**
* Trusted CA to validate TLS certificate
*/
certificate?: pulumi.Input<string>;
clientTlsCert?: pulumi.Input<string>;
clientTlsKey?: pulumi.Input<string>;
/**
* Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30)
*/
connectionTimeout?: pulumi.Input<number>;
/**
* Prevents users from bypassing authentication when providing an empty password.
*/
denyNullBind?: pulumi.Input<boolean>;
/**
* Description for the LDAP auth backend mount
*/
description?: pulumi.Input<string>;
/**
* Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
*/
disableAutomatedRotation?: pulumi.Input<boolean>;
/**
* If set, opts out of mount migration on path updates.
* See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
*/
disableRemount?: pulumi.Input<boolean>;
/**
* Use anonymous bind to discover the bind DN of a user.
*/
discoverdn?: pulumi.Input<boolean>;
/**
* LDAP attribute to follow on objects returned by groupfilter
*/
groupattr?: pulumi.Input<string>;
/**
* Base DN under which to perform group search
*/
groupdn?: pulumi.Input<string>;
/**
* Go template used to construct group membership query
*/
groupfilter?: pulumi.Input<string>;
/**
* Control whether or TLS certificates must be validated
*/
insecureTls?: pulumi.Input<boolean>;
/**
* Specifies if the auth method is local only.
*/
local?: pulumi.Input<boolean>;
/**
* Sets the max page size for LDAP lookups, by default it's set to -1.
* *Available only for Vault 1.11.11+, 1.12.7+, and 1.13.3+*.
*/
maxPageSize?: pulumi.Input<number>;
/**
* The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
namespace?: pulumi.Input<string>;
/**
* Path to mount the LDAP auth backend under
*/
path?: pulumi.Input<string>;
/**
* The amount of time in seconds Vault should wait before rotating the root credential.
* A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
*/
rotationPeriod?: pulumi.Input<number>;
/**
* The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
* defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
*/
rotationSchedule?: pulumi.Input<string>;
/**
* The maximum amount of time in seconds allowed to complete
* a rotation when a scheduled token rotation occurs. The default rotation window is
* unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
*/
rotationWindow?: pulumi.Input<number>;
/**
* Control use of TLS when conecting to LDAP
*/
starttls?: pulumi.Input<boolean>;
/**
* Maximum acceptable version of TLS
*/
tlsMaxVersion?: pulumi.Input<string>;
/**
* Minimum acceptable version of TLS
*/
tlsMinVersion?: pulumi.Input<string>;
/**
* Specifies the blocks of IP addresses which are allowed to use the generated token
*/
tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Generated Token's Explicit Maximum TTL in seconds
*/
tokenExplicitMaxTtl?: pulumi.Input<number>;
/**
* The maximum lifetime of the generated token
*/
tokenMaxTtl?: pulumi.Input<number>;
/**
* If true, the 'default' policy will not automatically be added to generated tokens
*/
tokenNoDefaultPolicy?: pulumi.Input<boolean>;
/**
* The maximum number of times a token may be used, a value of zero means unlimited
*/
tokenNumUses?: pulumi.Input<number>;
/**
* Generated Token's Period
*/
tokenPeriod?: pulumi.Input<number>;
/**
* Generated Token's Policies
*/
tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The initial ttl of the token to generate in seconds
*/
tokenTtl?: pulumi.Input<number>;
/**
* The type of token to generate, service or batch
*/
tokenType?: pulumi.Input<string>;
/**
* The `userPrincipalDomain` used to construct the UPN string for the authenticating user.
*/
upndomain?: pulumi.Input<string>;
/**
* The URL of the LDAP server
*/
url?: pulumi.Input<string>;
/**
* Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
*/
useTokenGroups?: pulumi.Input<boolean>;
/**
* Attribute on user object matching username passed in
*/
userattr?: pulumi.Input<string>;
/**
* Base DN under which to perform user search
*/
userdn?: pulumi.Input<string>;
/**
* LDAP user search filter
*/
userfilter?: pulumi.Input<string>;
/**
* Force the auth method to use the username passed by the user as the alias name.
*/
usernameAsAlias?: pulumi.Input<boolean>;
}
/**
* The set of arguments for constructing a AuthBackend resource.
*/
export interface AuthBackendArgs {
/**
* DN of object to bind when performing user search
*/
binddn?: pulumi.Input<string>;
/**
* Password to use with `binddn` when performing user search
*/
bindpass?: pulumi.Input<string>;
/**
* Control case senstivity of objects fetched from LDAP, this is used for object matching in vault
*/
caseSensitiveNames?: pulumi.Input<boolean>;
/**
* Trusted CA to validate TLS certificate
*/
certificate?: pulumi.Input<string>;
clientTlsCert?: pulumi.Input<string>;
clientTlsKey?: pulumi.Input<string>;
/**
* Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in `url` (integer: 30)
*/
connectionTimeout?: pulumi.Input<number>;
/**
* Prevents users from bypassing authentication when providing an empty password.
*/
denyNullBind?: pulumi.Input<boolean>;
/**
* Description for the LDAP auth backend mount
*/
description?: pulumi.Input<string>;
/**
* Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
*/
disableAutomatedRotation?: pulumi.Input<boolean>;
/**
* If set, opts out of mount migration on path updates.
* See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
*/
disableRemount?: pulumi.Input<boolean>;
/**
* Use anonymous bind to discover the bind DN of a user.
*/
discoverdn?: pulumi.Input<boolean>;
/**
* LDAP attribute to follow on objects returned by groupfilter
*/
groupattr?: pulumi.Input<string>;
/**
* Base DN under which to perform group search
*/
groupdn?: pulumi.Input<string>;
/**
* Go template used to construct group membership query
*/
groupfilter?: pulumi.Input<string>;
/**
* Control whether or TLS certificates must be validated
*/
insecureTls?: pulumi.Input<boolean>;
/**
* Specifies if the auth method is local only.
*/
local?: pulumi.Input<boolean>;
/**
* Sets the max page size for LDAP lookups, by default it's set to -1.
* *Available only for Vault 1.11.11+, 1.12.7+, and 1.13.3+*.
*/
maxPageSize?: pulumi.Input<number>;
/**
* The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
namespace?: pulumi.Input<string>;
/**
* Path to mount the LDAP auth backend under
*/
path?: pulumi.Input<string>;
/**
* The amount of time in seconds Vault should wait before rotating the root credential.
* A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
*/
rotationPeriod?: pulumi.Input<number>;
/**
* The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
* defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
*/
rotationSchedule?: pulumi.Input<string>;
/**
* The maximum amount of time in seconds allowed to complete
* a rotation when a scheduled token rotation occurs. The default rotation window is
* unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
*/
rotationWindow?: pulumi.Input<number>;
/**
* Control use of TLS when conecting to LDAP
*/
starttls?: pulumi.Input<boolean>;
/**
* Maximum acceptable version of TLS
*/
tlsMaxVersion?: pulumi.Input<string>;
/**
* Minimum acceptable version of TLS
*/
tlsMinVersion?: pulumi.Input<string>;
/**
* Specifies the blocks of IP addresses which are allowed to use the generated token
*/
tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Generated Token's Explicit Maximum TTL in seconds
*/
tokenExplicitMaxTtl?: pulumi.Input<number>;
/**
* The maximum lifetime of the generated token
*/
tokenMaxTtl?: pulumi.Input<number>;
/**
* If true, the 'default' policy will not automatically be added to generated tokens
*/
tokenNoDefaultPolicy?: pulumi.Input<boolean>;
/**
* The maximum number of times a token may be used, a value of zero means unlimited
*/
tokenNumUses?: pulumi.Input<number>;
/**
* Generated Token's Period
*/
tokenPeriod?: pulumi.Input<number>;
/**
* Generated Token's Policies
*/
tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The initial ttl of the token to generate in seconds
*/
tokenTtl?: pulumi.Input<number>;
/**
* The type of token to generate, service or batch
*/
tokenType?: pulumi.Input<string>;
/**
* The `userPrincipalDomain` used to construct the UPN string for the authenticating user.
*/
upndomain?: pulumi.Input<string>;
/**
* The URL of the LDAP server
*/
url: pulumi.Input<string>;
/**
* Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships
*/
useTokenGroups?: pulumi.Input<boolean>;
/**
* Attribute on user object matching username passed in
*/
userattr?: pulumi.Input<string>;
/**
* Base DN under which to perform user search
*/
userdn?: pulumi.Input<string>;
/**
* LDAP user search filter
*/
userfilter?: pulumi.Input<string>;
/**
* Force the auth method to use the username passed by the user as the alias name.
*/
usernameAsAlias?: pulumi.Input<boolean>;
}