import * as pulumi from "@pulumi/pulumi";
/**
 * An LDAP secrets engine mount in Vault, configured through the mount's
 * `${mount}/config` endpoint: the bind credentials and TLS settings Vault uses
 * to reach the directory, generic mount tuning (leases, audit HMAC exclusions,
 * seal wrap), and the root-credential rotation policy.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as vault from "@pulumi/vault";
 *
 * const config = new vault.ldap.SecretBackend("config", {
 * path: "my-custom-ldap",
 * binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
 * bindpass: "SuperSecretPassw0rd",
 * url: "ldaps://localhost",
 * insecureTls: true,
 * userdn: "CN=Users,DC=corp,DC=example,DC=net",
 * rotationSchedule: "0 * * * SAT",
 * rotationWindow: 3600,
 * });
 * ```
 *
 * The example disables TLS certificate verification (`insecureTls: true`) and
 * embeds the bind password as a literal for brevity. Outside a local test,
 * leave `insecureTls` unset, pin the directory's CA via `certificate`, and
 * supply `bindpass` from secret configuration (for example `pulumi.secret(...)`)
 * rather than a literal checked into source.
 *
 * ## Import
 *
 * LDAP secret backend can be imported using the `${mount}/config`, e.g.
 *
 * ```sh
 * $ pulumi import vault:ldap/secretBackend:SecretBackend config ldap/config
 * ```
 */
export declare class SecretBackend extends pulumi.CustomResource {
/**
 * Get an existing SecretBackend resource's state with the given name, ID, and optional extra
 * properties used to qualify the lookup.
 *
 * @param name The _unique_ name of the resulting resource.
 * @param id The _unique_ provider ID of the resource to lookup.
 * @param state Any extra arguments used during the lookup.
 * @param opts Optional settings to control the behavior of the CustomResource.
 */
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendState, opts?: pulumi.CustomResourceOptions): SecretBackend;
/**
 * Returns true if the given object is an instance of SecretBackend. This is designed to work even
 * when multiple copies of the Pulumi SDK have been loaded into the same process.
 */
static isInstance(obj: any): obj is SecretBackend;
/**
 * Accessor of the mount. Computed by Vault; it is not settable through
 * SecretBackendArgs.
 */
readonly accessor: pulumi.Output<string>;
/**
 * List of managed key registry entry names that the mount in question is allowed to access
 */
readonly allowedManagedKeys: pulumi.Output<string[] | undefined>;
/**
 * List of headers to allow and pass from the request to the plugin
 */
readonly allowedResponseHeaders: pulumi.Output<string[] | undefined>;
/**
 * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
 * Values under these keys are therefore written to audit logs in clear text; keep
 * secret fields such as `bindpass` out of this list.
 */
readonly auditNonHmacRequestKeys: pulumi.Output<string[]>;
/**
 * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
 * Values under these keys are written to audit logs in clear text.
 */
readonly auditNonHmacResponseKeys: pulumi.Output<string[]>;
/**
 * Distinguished name of object to bind when performing user and group search.
 */
readonly binddn: pulumi.Output<string>;
/**
 * Password to use along with binddn when performing user search.
 * This is a credential: whether the provider flags this output as a Pulumi
 * secret is not visible in this declaration, so confirm before exporting it
 * from a stack or logging it.
 */
readonly bindpass: pulumi.Output<string>;
/**
 * CA certificate to use when verifying LDAP server certificate, must be
 * x509 PEM encoded.
 */
readonly certificate: pulumi.Output<string | undefined>;
/**
 * Client certificate to provide to the LDAP server, must be x509 PEM encoded.
 */
readonly clientTlsCert: pulumi.Output<string | undefined>;
/**
 * Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
 * This is private key material and should be handled as a secret.
 */
readonly clientTlsKey: pulumi.Output<string | undefined>;
/**
 * Timeout, in seconds, when attempting to connect to the LDAP server before trying
 * the next URL in the configuration.
 */
readonly connectionTimeout: pulumi.Output<number | undefined>;
/**
 * The type of credential to generate. Valid values include `password` and `phrase`. Default is `password`.
 */
readonly credentialType: pulumi.Output<string>;
/**
 * Default lease duration for tokens and secrets in seconds
 */
readonly defaultLeaseTtlSeconds: pulumi.Output<number>;
/**
 * List of auth mount accessors this backend is allowed to request delegated
 * authentication for.
 * NOTE(review): the upstream description repeated the header-list text of the
 * neighbouring fields; the wording above follows the field name — confirm
 * against the Vault mount API reference.
 */
readonly delegatedAuthAccessors: pulumi.Output<string[] | undefined>;
/**
 * Human-friendly description of the mount
 */
readonly description: pulumi.Output<string | undefined>;
/**
 * Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
 */
readonly disableAutomatedRotation: pulumi.Output<boolean | undefined>;
/**
 * If set, opts out of mount migration on path updates.
 */
readonly disableRemount: pulumi.Output<boolean | undefined>;
/**
 * Enable the secrets engine to access Vault's external entropy source
 */
readonly externalEntropyAccess: pulumi.Output<boolean | undefined>;
/**
 * If set to true, disables caching.
 */
readonly forceNoCache: pulumi.Output<boolean>;
/**
 * The key to use for signing plugin workload identity tokens
 */
readonly identityTokenKey: pulumi.Output<string | undefined>;
/**
 * Skip LDAP server SSL Certificate verification. This is not recommended for production.
 * Defaults to `false`. With verification disabled, an on-path attacker can present
 * any certificate and capture the bind credentials; prefer pinning the CA via
 * `certificate`.
 */
readonly insecureTls: pulumi.Output<boolean | undefined>;
/**
 * Specifies whether to show this mount in the UI-specific listing endpoint
 */
readonly listingVisibility: pulumi.Output<string | undefined>;
/**
 * Local mount flag that can be explicitly set to true to enforce local mount in HA environment
 */
readonly local: pulumi.Output<boolean | undefined>;
/**
 * Maximum possible lease duration for tokens and secrets in seconds
 */
readonly maxLeaseTtlSeconds: pulumi.Output<number>;
/**
 * The namespace to provision the resource in.
 * The value should not contain leading or trailing forward slashes.
 * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
 * *Available only for Vault Enterprise*.
 */
readonly namespace: pulumi.Output<string | undefined>;
/**
 * Specifies mount type specific options that are passed to the backend
 */
readonly options: pulumi.Output<{
[key: string]: string;
} | undefined>;
/**
 * List of headers to allow and pass from the request to the plugin
 */
readonly passthroughRequestHeaders: pulumi.Output<string[] | undefined>;
/**
 * Name of the password policy to use to generate passwords.
 */
readonly passwordPolicy: pulumi.Output<string | undefined>;
/**
 * The unique path this backend should be mounted at. Must
 * not begin or end with a `/`. Defaults to `ldap`.
 */
readonly path: pulumi.Output<string | undefined>;
/**
 * Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
 */
readonly pluginVersion: pulumi.Output<string | undefined>;
/**
 * Timeout, in seconds, for the connection when making requests against the server
 * before returning back an error.
 */
readonly requestTimeout: pulumi.Output<number>;
/**
 * The amount of time in seconds Vault should wait before rotating the root credential.
 * A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
 */
readonly rotationPeriod: pulumi.Output<number | undefined>;
/**
 * The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
 * defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
 */
readonly rotationSchedule: pulumi.Output<string | undefined>;
/**
 * The maximum amount of time in seconds allowed to complete
 * a rotation when a scheduled token rotation occurs. The default rotation window is
 * unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
 */
readonly rotationWindow: pulumi.Output<number | undefined>;
/**
 * The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
 */
readonly schema: pulumi.Output<string>;
/**
 * Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
 */
readonly sealWrap: pulumi.Output<boolean>;
/**
 * If set to true, static roles will not be rotated during import.
 * Defaults to false. Requires Vault 1.16 or above.
 */
readonly skipStaticRoleImportRotation: pulumi.Output<boolean | undefined>;
/**
 * Issue a StartTLS command after establishing unencrypted connection.
 * Without either this flag or an `ldaps://` URL the bind password is sent to
 * the directory in clear text.
 */
readonly starttls: pulumi.Output<boolean>;
/**
 * Enables userPrincipalDomain login with [username]@UPNDomain.
 */
readonly upndomain: pulumi.Output<string>;
/**
 * LDAP URL to connect to. Multiple URLs can be specified by concatenating
 * them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
 */
readonly url: pulumi.Output<string>;
/**
 * Attribute used when searching users. Defaults to `cn`.
 */
readonly userattr: pulumi.Output<string>;
/**
 * LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
 */
readonly userdn: pulumi.Output<string | undefined>;
/**
 * Create a SecretBackend resource with the given unique name, arguments, and options.
 *
 * @param name The _unique_ name of the resource.
 * @param args The arguments to use to populate this resource's properties;
 *             `binddn` and `bindpass` are required, everything else is optional.
 * @param opts A bag of options that control this resource's behavior.
 */
constructor(name: string, args: SecretBackendArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering SecretBackend resources
 * (the `state` argument of `SecretBackend.get`). Every field is optional and
 * mirrors the corresponding resource property.
 */
export interface SecretBackendState {
/**
 * Accessor of the mount
 */
accessor?: pulumi.Input<string>;
/**
 * List of managed key registry entry names that the mount in question is allowed to access
 */
allowedManagedKeys?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * List of headers to allow and pass from the request to the plugin
 */
allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
 * Values under these keys are written to audit logs in clear text; keep secret
 * fields such as `bindpass` out of this list.
 */
auditNonHmacRequestKeys?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
 * Values under these keys are written to audit logs in clear text.
 */
auditNonHmacResponseKeys?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Distinguished name of object to bind when performing user and group search.
 */
binddn?: pulumi.Input<string>;
/**
 * Password to use along with binddn when performing user search.
 * This is a credential; supply it from secret configuration rather than a literal.
 */
bindpass?: pulumi.Input<string>;
/**
 * CA certificate to use when verifying LDAP server certificate, must be
 * x509 PEM encoded.
 */
certificate?: pulumi.Input<string>;
/**
 * Client certificate to provide to the LDAP server, must be x509 PEM encoded.
 */
clientTlsCert?: pulumi.Input<string>;
/**
 * Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
 * This is private key material and should be handled as a secret.
 */
clientTlsKey?: pulumi.Input<string>;
/**
 * Timeout, in seconds, when attempting to connect to the LDAP server before trying
 * the next URL in the configuration.
 */
connectionTimeout?: pulumi.Input<number>;
/**
 * The type of credential to generate. Valid values include `password` and `phrase`. Default is `password`.
 */
credentialType?: pulumi.Input<string>;
/**
 * Default lease duration for tokens and secrets in seconds
 */
defaultLeaseTtlSeconds?: pulumi.Input<number>;
/**
 * List of auth mount accessors this backend is allowed to request delegated
 * authentication for.
 * NOTE(review): the upstream description repeated the header-list text of the
 * neighbouring fields; the wording above follows the field name — confirm
 * against the Vault mount API reference.
 */
delegatedAuthAccessors?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Human-friendly description of the mount
 */
description?: pulumi.Input<string>;
/**
 * Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
 */
disableAutomatedRotation?: pulumi.Input<boolean>;
/**
 * If set, opts out of mount migration on path updates.
 */
disableRemount?: pulumi.Input<boolean>;
/**
 * Enable the secrets engine to access Vault's external entropy source
 */
externalEntropyAccess?: pulumi.Input<boolean>;
/**
 * If set to true, disables caching.
 */
forceNoCache?: pulumi.Input<boolean>;
/**
 * The key to use for signing plugin workload identity tokens
 */
identityTokenKey?: pulumi.Input<string>;
/**
 * Skip LDAP server SSL Certificate verification. This is not recommended for production.
 * Defaults to `false`. With verification disabled, an on-path attacker can present
 * any certificate and capture the bind credentials; prefer pinning the CA via
 * `certificate`.
 */
insecureTls?: pulumi.Input<boolean>;
/**
 * Specifies whether to show this mount in the UI-specific listing endpoint
 */
listingVisibility?: pulumi.Input<string>;
/**
 * Local mount flag that can be explicitly set to true to enforce local mount in HA environment
 */
local?: pulumi.Input<boolean>;
/**
 * Maximum possible lease duration for tokens and secrets in seconds
 */
maxLeaseTtlSeconds?: pulumi.Input<number>;
/**
 * The namespace to provision the resource in.
 * The value should not contain leading or trailing forward slashes.
 * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
 * *Available only for Vault Enterprise*.
 */
namespace?: pulumi.Input<string>;
/**
 * Specifies mount type specific options that are passed to the backend
 */
options?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
 * List of headers to allow and pass from the request to the plugin
 */
passthroughRequestHeaders?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Name of the password policy to use to generate passwords.
 */
passwordPolicy?: pulumi.Input<string>;
/**
 * The unique path this backend should be mounted at. Must
 * not begin or end with a `/`. Defaults to `ldap`.
 */
path?: pulumi.Input<string>;
/**
 * Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
 */
pluginVersion?: pulumi.Input<string>;
/**
 * Timeout, in seconds, for the connection when making requests against the server
 * before returning back an error.
 */
requestTimeout?: pulumi.Input<number>;
/**
 * The amount of time in seconds Vault should wait before rotating the root credential.
 * A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
 */
rotationPeriod?: pulumi.Input<number>;
/**
 * The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
 * defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
 */
rotationSchedule?: pulumi.Input<string>;
/**
 * The maximum amount of time in seconds allowed to complete
 * a rotation when a scheduled token rotation occurs. The default rotation window is
 * unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
 */
rotationWindow?: pulumi.Input<number>;
/**
 * The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
 */
schema?: pulumi.Input<string>;
/**
 * Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
 */
sealWrap?: pulumi.Input<boolean>;
/**
 * If set to true, static roles will not be rotated during import.
 * Defaults to false. Requires Vault 1.16 or above.
 */
skipStaticRoleImportRotation?: pulumi.Input<boolean>;
/**
 * Issue a StartTLS command after establishing unencrypted connection.
 * Without either this flag or an `ldaps://` URL the bind password is sent to
 * the directory in clear text.
 */
starttls?: pulumi.Input<boolean>;
/**
 * Enables userPrincipalDomain login with [username]@UPNDomain.
 */
upndomain?: pulumi.Input<string>;
/**
 * LDAP URL to connect to. Multiple URLs can be specified by concatenating
 * them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
 */
url?: pulumi.Input<string>;
/**
 * Attribute used when searching users. Defaults to `cn`.
 */
userattr?: pulumi.Input<string>;
/**
 * LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
 */
userdn?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a SecretBackend resource.
 * Only `binddn` and `bindpass` are required; the remaining fields fall back to
 * the defaults noted on each property.
 */
export interface SecretBackendArgs {
/**
 * List of managed key registry entry names that the mount in question is allowed to access
 */
allowedManagedKeys?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * List of headers to allow and pass from the request to the plugin
 */
allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
 * Values under these keys are written to audit logs in clear text; keep secret
 * fields such as `bindpass` out of this list.
 */
auditNonHmacRequestKeys?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
 * Values under these keys are written to audit logs in clear text.
 */
auditNonHmacResponseKeys?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Distinguished name of object to bind when performing user and group search.
 * Required.
 */
binddn: pulumi.Input<string>;
/**
 * Password to use along with binddn when performing user search.
 * Required. This is a credential; supply it from secret configuration
 * (for example `pulumi.secret(...)`) rather than a literal in source.
 */
bindpass: pulumi.Input<string>;
/**
 * CA certificate to use when verifying LDAP server certificate, must be
 * x509 PEM encoded.
 */
certificate?: pulumi.Input<string>;
/**
 * Client certificate to provide to the LDAP server, must be x509 PEM encoded.
 */
clientTlsCert?: pulumi.Input<string>;
/**
 * Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
 * This is private key material and should be handled as a secret.
 */
clientTlsKey?: pulumi.Input<string>;
/**
 * Timeout, in seconds, when attempting to connect to the LDAP server before trying
 * the next URL in the configuration.
 */
connectionTimeout?: pulumi.Input<number>;
/**
 * The type of credential to generate. Valid values include `password` and `phrase`. Default is `password`.
 */
credentialType?: pulumi.Input<string>;
/**
 * Default lease duration for tokens and secrets in seconds
 */
defaultLeaseTtlSeconds?: pulumi.Input<number>;
/**
 * List of auth mount accessors this backend is allowed to request delegated
 * authentication for.
 * NOTE(review): the upstream description repeated the header-list text of the
 * neighbouring fields; the wording above follows the field name — confirm
 * against the Vault mount API reference.
 */
delegatedAuthAccessors?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Human-friendly description of the mount
 */
description?: pulumi.Input<string>;
/**
 * Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
 */
disableAutomatedRotation?: pulumi.Input<boolean>;
/**
 * If set, opts out of mount migration on path updates.
 */
disableRemount?: pulumi.Input<boolean>;
/**
 * Enable the secrets engine to access Vault's external entropy source
 */
externalEntropyAccess?: pulumi.Input<boolean>;
/**
 * If set to true, disables caching.
 */
forceNoCache?: pulumi.Input<boolean>;
/**
 * The key to use for signing plugin workload identity tokens
 */
identityTokenKey?: pulumi.Input<string>;
/**
 * Skip LDAP server SSL Certificate verification. This is not recommended for production.
 * Defaults to `false`. With verification disabled, an on-path attacker can present
 * any certificate and capture the bind credentials; prefer pinning the CA via
 * `certificate`.
 */
insecureTls?: pulumi.Input<boolean>;
/**
 * Specifies whether to show this mount in the UI-specific listing endpoint
 */
listingVisibility?: pulumi.Input<string>;
/**
 * Local mount flag that can be explicitly set to true to enforce local mount in HA environment
 */
local?: pulumi.Input<boolean>;
/**
 * Maximum possible lease duration for tokens and secrets in seconds
 */
maxLeaseTtlSeconds?: pulumi.Input<number>;
/**
 * The namespace to provision the resource in.
 * The value should not contain leading or trailing forward slashes.
 * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
 * *Available only for Vault Enterprise*.
 */
namespace?: pulumi.Input<string>;
/**
 * Specifies mount type specific options that are passed to the backend
 */
options?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
 * List of headers to allow and pass from the request to the plugin
 */
passthroughRequestHeaders?: pulumi.Input<pulumi.Input<string>[]>;
/**
 * Name of the password policy to use to generate passwords.
 */
passwordPolicy?: pulumi.Input<string>;
/**
 * The unique path this backend should be mounted at. Must
 * not begin or end with a `/`. Defaults to `ldap`.
 */
path?: pulumi.Input<string>;
/**
 * Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
 */
pluginVersion?: pulumi.Input<string>;
/**
 * Timeout, in seconds, for the connection when making requests against the server
 * before returning back an error.
 */
requestTimeout?: pulumi.Input<number>;
/**
 * The amount of time in seconds Vault should wait before rotating the root credential.
 * A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
 */
rotationPeriod?: pulumi.Input<number>;
/**
 * The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),
 * defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
 */
rotationSchedule?: pulumi.Input<string>;
/**
 * The maximum amount of time in seconds allowed to complete
 * a rotation when a scheduled token rotation occurs. The default rotation window is
 * unbound and the minimum allowable window is `3600`. Requires Vault Enterprise 1.19+.
 */
rotationWindow?: pulumi.Input<number>;
/**
 * The LDAP schema to use when storing entry passwords. Valid schemas include `openldap`, `ad`, and `racf`. Default is `openldap`.
 */
schema?: pulumi.Input<string>;
/**
 * Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
 */
sealWrap?: pulumi.Input<boolean>;
/**
 * If set to true, static roles will not be rotated during import.
 * Defaults to false. Requires Vault 1.16 or above.
 */
skipStaticRoleImportRotation?: pulumi.Input<boolean>;
/**
 * Issue a StartTLS command after establishing unencrypted connection.
 * Without either this flag or an `ldaps://` URL the bind password is sent to
 * the directory in clear text.
 */
starttls?: pulumi.Input<boolean>;
/**
 * Enables userPrincipalDomain login with [username]@UPNDomain.
 */
upndomain?: pulumi.Input<string>;
/**
 * LDAP URL to connect to. Multiple URLs can be specified by concatenating
 * them with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.
 */
url?: pulumi.Input<string>;
/**
 * Attribute used when searching users. Defaults to `cn`.
 */
userattr?: pulumi.Input<string>;
/**
 * LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
 */
userdn?: pulumi.Input<string>;
}