pulumi-infisical
Version:
A Pulumi provider for managing Infisical secrets management platform, dynamically bridged from the Terraform Infisical provider with support for projects, secrets, identity management, integrations, and access controls.
1,210 lines • 89.1 kB
TypeScript
import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
export interface AccessApprovalPolicyApprover {
/**
* The ID of the approver
*/
id?: pulumi.Input<string | undefined>;
/**
* The type of approver. Either group or user
*/
type: pulumi.Input<string>;
/**
* The username of the approver. By default, this is the email
*/
username?: pulumi.Input<string | undefined>;
}
export interface AppConnection1passwordCredentials {
/**
* The API token to use for authentication. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/1password
*/
apiToken: pulumi.Input<string>;
/**
* The URL of the 1Password Connect instance to connect to. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/1password
*/
instanceUrl: pulumi.Input<string>;
}
export interface AppConnectionAwsCredentials {
/**
* The AWS Access Key ID used to authenticate requests to AWS services. Required for access-key access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#access-key
*/
accessKeyId?: pulumi.Input<string | undefined>;
/**
* The Amazon Resource Name (ARN) of the IAM role to assume for performing operations. Infisical will assume this role using AWS Security Token Service (STS). Required for assume-role access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#assume-role-recommended
*/
roleArn?: pulumi.Input<string | undefined>;
/**
* The AWS Secret Access Key associated with the Access Key ID to authenticate requests to AWS services. Required for access-key access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#access-key
*/
secretAccessKey?: pulumi.Input<string | undefined>;
}
export interface AppConnectionAzureAppConfigurationCredentials {
/**
* The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration
*/
clientId: pulumi.Input<string>;
/**
* The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration
*/
clientSecret: pulumi.Input<string>;
/**
* The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration
*/
tenantId: pulumi.Input<string>;
}
export interface AppConnectionAzureClientSecretsCredentials {
/**
* The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
*/
clientId: pulumi.Input<string>;
/**
* The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
*/
clientSecret: pulumi.Input<string>;
/**
* The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
*/
tenantId: pulumi.Input<string>;
}
export interface AppConnectionAzureDevopsCredentials {
/**
* The Azure DevOps access token. Required for access-token method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-devops
*/
accessToken?: pulumi.Input<string | undefined>;
/**
* The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
*/
clientId?: pulumi.Input<string | undefined>;
/**
* The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
*/
clientSecret?: pulumi.Input<string | undefined>;
/**
* The name of the Azure DevOps organization. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-devops
*/
organizationName: pulumi.Input<string>;
/**
* The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets
*/
tenantId?: pulumi.Input<string | undefined>;
}
export interface AppConnectionAzureKeyVaultCredentials {
/**
* The Azure application (client) ID. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault
*/
clientId: pulumi.Input<string>;
/**
* The Azure client secret. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault
*/
clientSecret: pulumi.Input<string>;
/**
* The Azure Active Directory (AAD) tenant ID. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault
*/
tenantId: pulumi.Input<string>;
}
export interface AppConnectionBitbucketCredentials {
/**
* The Bitbucket API token for authentication.
*/
apiToken: pulumi.Input<string>;
/**
* The email address associated with the Bitbucket API token.
*/
email: pulumi.Input<string>;
}
export interface AppConnectionCloudflareCredentials {
/**
* The Cloudflare Account ID. This can be found in the sidebar of your Cloudflare dashboard.
*/
accountId: pulumi.Input<string>;
/**
* The Cloudflare API token with the necessary permissions to manage Workers scripts. The token should have Zone:Zone:Read, Zone:Zone Settings:Read, and Zone:Zone:Edit permissions.
*/
apiToken: pulumi.Input<string>;
}
export interface AppConnectionDatabricksCredentials {
/**
* The client ID of the Databricks service principal.
*/
clientId: pulumi.Input<string>;
/**
* The client secret of the Databricks service principal.
*/
clientSecret: pulumi.Input<string>;
/**
* The workspace URL of the Databricks instance.
*/
workspaceUrl: pulumi.Input<string>;
}
export interface AppConnectionFlyioCredentials {
/**
* The Fly.io access token for authentication.
*/
accessToken: pulumi.Input<string>;
}
export interface AppConnectionGcpCredentials {
/**
* The service account email to connect with GCP. The service account ID (the part of the email before '@') must be suffixed with the first two sections of your organization ID e.g. service-account-df92581a-0fe9@my-project.iam.gserviceaccount.com. For more details, refer to the documentation here https://infisical.com/docs/integrations/app-connections/gcp#configure-service-account-for-infisical
*/
serviceAccountEmail?: pulumi.Input<string | undefined>;
}
export interface AppConnectionGithubCredentials {
/**
* The hostname of your GitHub Enterprise instance. Required when<span pulumi-lang-nodejs=" instanceType " pulumi-lang-dotnet=" InstanceType " pulumi-lang-go=" instanceType " pulumi-lang-python=" instance_type " pulumi-lang-yaml=" instanceType " pulumi-lang-java=" instanceType " pulumi-lang-hcl=" instance_type "> instanceType </span>is 'server'.
*/
host?: pulumi.Input<string | undefined>;
/**
* The type of GitHub instance. Use 'cloud' for GitHub.com (default) or 'server' for GitHub Enterprise. When 'server', host is required.
*/
instanceType?: pulumi.Input<string | undefined>;
/**
* The Personal Access Token used to access GitHub.
*/
personalAccessToken: pulumi.Input<string>;
}
export interface AppConnectionGitlabCredentials {
/**
* The Access Token used to access GitLab.
*/
accessToken: pulumi.Input<string>;
/**
* The type of token used to connect with GitLab. Supported options: 'project', 'personal', and 'group'
*/
accessTokenType: pulumi.Input<string>;
/**
* The GitLab instance URL to connect with. (default: https://gitlab.com)
*/
instanceUrl?: pulumi.Input<string | undefined>;
}
export interface AppConnectionHashicorpVaultCredentials {
/**
* The Vault access token. Required for the `access-token` method.
*/
accessToken?: pulumi.Input<string | undefined>;
/**
* The URL of the HashiCorp Vault instance, e.g. `https://vault.example.com`. Required for all methods.
*/
instanceUrl?: pulumi.Input<string | undefined>;
/**
* Optional Vault namespace. Only applicable to HCP Vault Dedicated and Enterprise deployments.
*/
namespace?: pulumi.Input<string | undefined>;
/**
* The AppRole role ID. Required for the `app-role` method.
*/
roleId?: pulumi.Input<string | undefined>;
/**
* The AppRole secret ID. Required for the `app-role` method.
*/
secretId?: pulumi.Input<string | undefined>;
}
export interface AppConnectionLdapCredentials {
/**
* The Distinguished Name (DN) or User Principal Name (UPN) of the principal to bind with (e.g., 'CN=John,CN=Users,DC=example,DC=com').
*/
dn: pulumi.Input<string>;
/**
* The password to bind with for authentication.
*/
password: pulumi.Input<string>;
/**
* The LDAP provider (e.g., 'active-directory').
*/
provider: pulumi.Input<string>;
/**
* The SSL certificate (PEM format) to use for secure connection when using ldaps:// with a self-signed certificate.
*/
sslCertificate?: pulumi.Input<string | undefined>;
/**
* Whether or not to reject unauthorized SSL certificates (true/false) when using ldaps://. Set to false only in test environments.
*/
sslRejectUnauthorized?: pulumi.Input<boolean | undefined>;
/**
* The LDAP server URL (e.g., 'ldap://example.com:389' or 'ldaps://example.com:636').
*/
url: pulumi.Input<string>;
}
export interface AppConnectionMssqlCredentials {
/**
* The name of the database to connect to.
*/
database: pulumi.Input<string>;
/**
* The hostname of the database server.
*/
host: pulumi.Input<string>;
/**
* The password to connect to the database with.
*/
password: pulumi.Input<string>;
/**
* The port number of the database.
*/
port?: pulumi.Input<number | undefined>;
/**
* The SSL certificate to use for connection.
*/
sslCertificate?: pulumi.Input<string | undefined>;
/**
* Whether or not to use SSL when connecting to the database.
*/
sslEnabled?: pulumi.Input<boolean | undefined>;
/**
* Whether or not to reject unauthorized SSL certificates.
*/
sslRejectUnauthorized?: pulumi.Input<boolean | undefined>;
/**
* The username to connect to the database with.
*/
username: pulumi.Input<string>;
}
export interface AppConnectionMysqlCredentials {
/**
* The name of the database to connect to.
*/
database: pulumi.Input<string>;
/**
* The hostname of the database server.
*/
host: pulumi.Input<string>;
/**
* The password to connect to the database with.
*/
password: pulumi.Input<string>;
/**
* The port number of the database.
*/
port?: pulumi.Input<number | undefined>;
/**
* The SSL certificate to use for connection.
*/
sslCertificate?: pulumi.Input<string | undefined>;
/**
* Whether or not to use SSL when connecting to the database.
*/
sslEnabled?: pulumi.Input<boolean | undefined>;
/**
* Whether or not to reject unauthorized SSL certificates.
*/
sslRejectUnauthorized?: pulumi.Input<boolean | undefined>;
/**
* The username to connect to the database with.
*/
username: pulumi.Input<string>;
}
export interface AppConnectionOracledbCredentials {
/**
* The name of the database to connect to.
*/
database: pulumi.Input<string>;
/**
* The hostname of the database server.
*/
host: pulumi.Input<string>;
/**
* The password to connect to the database with.
*/
password: pulumi.Input<string>;
/**
* The port number of the database.
*/
port?: pulumi.Input<number | undefined>;
/**
* The SSL certificate to use for connection.
*/
sslCertificate?: pulumi.Input<string | undefined>;
/**
* Whether or not to use SSL when connecting to the database.
*/
sslEnabled?: pulumi.Input<boolean | undefined>;
/**
* Whether or not to reject unauthorized SSL certificates.
*/
sslRejectUnauthorized?: pulumi.Input<boolean | undefined>;
/**
* The username to connect to the database with.
*/
username: pulumi.Input<string>;
}
export interface AppConnectionPostgresCredentials {
/**
* The name of the database to connect to.
*/
database: pulumi.Input<string>;
/**
* The hostname of the database server.
*/
host: pulumi.Input<string>;
/**
* The password to connect to the database with.
*/
password: pulumi.Input<string>;
/**
* The port number of the database.
*/
port?: pulumi.Input<number | undefined>;
/**
* The SSL certificate to use for connection.
*/
sslCertificate?: pulumi.Input<string | undefined>;
/**
* Whether or not to use SSL when connecting to the database.
*/
sslEnabled?: pulumi.Input<boolean | undefined>;
/**
* Whether or not to reject unauthorized SSL certificates.
*/
sslRejectUnauthorized?: pulumi.Input<boolean | undefined>;
/**
* The username to connect to the database with.
*/
username: pulumi.Input<string>;
}
export interface AppConnectionRenderCredentials {
/**
* The API key to use for authentication. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/render
*/
apiKey: pulumi.Input<string>;
}
export interface AppConnectionSupabaseCredentials {
/**
* The Supabase access key for authentication.
*/
accessKey: pulumi.Input<string>;
/**
* The Supabase instance URL (e.g., https://your-domain.com).
*/
instanceUrl?: pulumi.Input<string | undefined>;
}
export interface CertManagerApplicationProfileAcmeConfig {
/**
* The ACME directory URL clients should use.
*/
directoryUrl?: pulumi.Input<string | undefined>;
/**
* External Account Binding key identifier. Populated on create and on import; routine refreshes don't re-fetch it. Rotated only by the explicit rotate endpoint, never by Terraform.
*/
eabKid?: pulumi.Input<string | undefined>;
/**
* External Account Binding shared secret. Populated on create and on import; routine refreshes don't re-fetch it. Rotated only by the explicit rotate endpoint, never by Terraform.
*/
eabSecret?: pulumi.Input<string | undefined>;
/**
* Skip DNS ownership verification. Defaults to false.
*/
skipDnsOwnershipVerification?: pulumi.Input<boolean | undefined>;
/**
* Skip External Account Binding. Defaults to false. Cannot be set to true at the same time as skip_dns_ownership_verification.
*/
skipEabBinding?: pulumi.Input<boolean | undefined>;
}
export interface CertManagerApplicationProfileApiConfig {
/**
* Whether to automatically renew certificates. Defaults to false when omitted.
*/
autoRenew?: pulumi.Input<boolean | undefined>;
/**
* Number of days before expiration to renew (1-30). Defaults to 7 when omitted.
*/
renewBeforeDays?: pulumi.Input<number | undefined>;
}
export interface CertManagerApplicationProfileEstConfig {
/**
* PEM-encoded CA chain used for bootstrap CA validation (only honored when<span pulumi-lang-nodejs=" disableBootstrapCaValidation " pulumi-lang-dotnet=" DisableBootstrapCaValidation " pulumi-lang-go=" disableBootstrapCaValidation " pulumi-lang-python=" disable_bootstrap_ca_validation " pulumi-lang-yaml=" disableBootstrapCaValidation " pulumi-lang-java=" disableBootstrapCaValidation " pulumi-lang-hcl=" disable_bootstrap_ca_validation "> disableBootstrapCaValidation </span>is false).
*/
caChain?: pulumi.Input<string | undefined>;
/**
* Whether to disable bootstrap CA validation. Defaults to false.
*/
disableBootstrapCaValidation?: pulumi.Input<boolean | undefined>;
/**
* The EST endpoint URL clients should use.
*/
endpointUrl?: pulumi.Input<string | undefined>;
/**
* EST passphrase used to authorize certificate requests.
*/
passphrase: pulumi.Input<string>;
}
export interface CertManagerApplicationProfileScepConfig {
/**
* Allow certificate-based renewal. Defaults to true.
*/
allowCertBasedRenewal?: pulumi.Input<boolean | undefined>;
/**
* The SCEP dynamic challenge endpoint URL (only set when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic).
*/
challengeEndpointUrl?: pulumi.Input<string | undefined>;
/**
* Static-mode SCEP challenge password (min 8 chars). Required when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is static.
*/
challengePassword?: pulumi.Input<string | undefined>;
/**
* SCEP challenge type. Supported values: static, dynamic. Defaults to static.
*/
challengeType?: pulumi.Input<string | undefined>;
/**
* Expiry of a dynamic challenge in minutes (1-1440). Only used when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic.
*/
dynamicChallengeExpiryMinutes?: pulumi.Input<number | undefined>;
/**
* Maximum pending dynamic challenges (1-1000). Only used when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic.
*/
dynamicChallengeMaxPending?: pulumi.Input<number | undefined>;
/**
* Include the issuing CA certificate in SCEP responses. Defaults to true.
*/
includeCaCertInResponse?: pulumi.Input<boolean | undefined>;
/**
* ISO-8601 timestamp when the RA certificate expires.
*/
raCertExpiresAt?: pulumi.Input<string | undefined>;
/**
* The PEM-encoded RA certificate used by the SCEP service.
*/
raCertificatePem?: pulumi.Input<string | undefined>;
/**
* The SCEP endpoint URL clients should use.
*/
scepEndpointUrl?: pulumi.Input<string | undefined>;
}
export interface CertManagerCertificatePolicyAlgorithms {
/**
* List of allowed key algorithms (at least one required). Supported values: RSA-2048, RSA-3072, RSA-4096, ECDSA-P256, ECDSA-P521, ECDSA-P384
*/
keyAlgorithms: pulumi.Input<pulumi.Input<string>[]>;
/**
* List of allowed signature algorithms (at least one required). Supported values: SHA256-RSA, SHA512-RSA, SHA384-ECDSA, SHA384-RSA, SHA256-ECDSA, SHA512-ECDSA
*/
signatures: pulumi.Input<pulumi.Input<string>[]>;
}
export interface CertManagerCertificatePolicyExtendedKeyUsages {
/**
* List of allowed extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
*/
alloweds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of denied extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
*/
denieds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of required extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
*/
requireds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
}
export interface CertManagerCertificatePolicyKeyUsages {
/**
* List of allowed key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
*/
alloweds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of denied key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
*/
denieds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of required key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
*/
requireds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
}
export interface CertManagerCertificatePolicySan {
/**
* List of allowed values for this SAN type
*/
alloweds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of denied values for this SAN type
*/
denieds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of required values for this SAN type
*/
requireds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The SAN type. Possible values: dns_name, ip_address, email, uri
*/
type: pulumi.Input<string>;
}
export interface CertManagerCertificatePolicySubject {
/**
* List of allowed values for this subject attribute
*/
alloweds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of denied values for this subject attribute
*/
denieds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of required values for this subject attribute
*/
requireds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The subject attribute type. Possible values: common_name, organization, country
*/
type: pulumi.Input<string>;
}
export interface CertManagerCertificatePolicyValidity {
/**
* Maximum validity period (e.g., '90d', '2y', '6m')
*/
max?: pulumi.Input<string | undefined>;
}
export interface CertManagerCertificateProfileDefaults {
/**
* Default common name
*/
commonName?: pulumi.Input<string | undefined>;
/**
* Default country (C)
*/
country?: pulumi.Input<string | undefined>;
/**
* Default extended key usages. Supported values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping
*/
extendedKeyUsages?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Default key algorithm. Supported values: RSA_2048, RSA_3072, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1
*/
keyAlgorithm?: pulumi.Input<string | undefined>;
/**
* Default key usages. Supported values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only
*/
keyUsages?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Default locality (L)
*/
locality?: pulumi.Input<string | undefined>;
/**
* Default organization (O)
*/
organization?: pulumi.Input<string | undefined>;
/**
* Default organizational unit (OU)
*/
organizationalUnit?: pulumi.Input<string | undefined>;
/**
* Default signature algorithm. Supported values: RSA-SHA256, RSA-SHA384, RSA-SHA512, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512
*/
signatureAlgorithm?: pulumi.Input<string | undefined>;
/**
* Default state/province (ST)
*/
state?: pulumi.Input<string | undefined>;
/**
* Default certificate validity in days
*/
ttlDays?: pulumi.Input<number | undefined>;
}
export interface DynamicSecretAwsIamConfiguration {
/**
* Configuration for the 'access_key' authentication method.
*/
accessKeyConfig?: pulumi.Input<inputs.DynamicSecretAwsIamConfigurationAccessKeyConfig | undefined>;
/**
* Configuration for the 'assume_role' authentication method.
*/
assumeRoleConfig?: pulumi.Input<inputs.DynamicSecretAwsIamConfigurationAssumeRoleConfig | undefined>;
/**
* IAM AWS Path to scope created IAM User resource access.
*/
awsPath?: pulumi.Input<string | undefined>;
/**
* The authentication method to use. Must be 'access_key' or 'assume_role'.
*/
method: pulumi.Input<string>;
/**
* The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role.
*/
permissionBoundaryPolicyArn?: pulumi.Input<string | undefined>;
/**
* The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas
*/
policyArns?: pulumi.Input<string | undefined>;
/**
* The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas
*/
policyDocument?: pulumi.Input<string | undefined>;
/**
* The AWS data center region.
*/
region: pulumi.Input<string>;
/**
* The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas
*/
userGroups?: pulumi.Input<string | undefined>;
}
export interface DynamicSecretAwsIamConfigurationAccessKeyConfig {
/**
* The managing AWS IAM User Access Key
*/
accessKey: pulumi.Input<string>;
/**
* The managing AWS IAM User Secret Key
*/
secretAccessKey: pulumi.Input<string>;
}
export interface DynamicSecretAwsIamConfigurationAssumeRoleConfig {
/**
* The ARN of the AWS Role to assume.
*/
roleArn: pulumi.Input<string>;
}
export interface DynamicSecretAwsIamMetadata {
/**
* The key of the metadata object
*/
key: pulumi.Input<string>;
/**
* The value of the metadata object
*/
value: pulumi.Input<string>;
}
export interface DynamicSecretKubernetesConfiguration {
/**
* Configuration for the 'api' authentication method.
*/
apiConfig?: pulumi.Input<inputs.DynamicSecretKubernetesConfigurationApiConfig | undefined>;
/**
* Optional list of audiences to include in the generated token.
*/
audiences?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Choose between Token ('api') or 'gateway' authentication. If using Gateway, the Gateway must be deployed in your Kubernetes cluster.
*/
authMethod: pulumi.Input<string>;
/**
* Choose between 'static' (predefined service account) or 'dynamic' (temporary service accounts with role assignments).
*/
credentialType: pulumi.Input<string>;
/**
* Configuration for the 'dynamic' credential type.
*/
dynamicConfig?: pulumi.Input<inputs.DynamicSecretKubernetesConfigurationDynamicConfig | undefined>;
/**
* Select a gateway for private cluster access. If not specified, the Internet Gateway will be used.
*/
gatewayId?: pulumi.Input<string | undefined>;
/**
* Configuration for the 'static' credential type.
*/
staticConfig?: pulumi.Input<inputs.DynamicSecretKubernetesConfigurationStaticConfig | undefined>;
}
export interface DynamicSecretKubernetesConfigurationApiConfig {
/**
* Custom CA certificate for the Kubernetes API server. Leave blank to use the system/public CA.
*/
ca?: pulumi.Input<string | undefined>;
/**
* Service account token with permissions to create service accounts and manage RBAC.
*/
clusterToken: pulumi.Input<string>;
/**
* Kubernetes API server URL (e.g., https://kubernetes.default.svc).
*/
clusterUrl: pulumi.Input<string>;
/**
* Whether to enable SSL verification for the Kubernetes API server connection.
*/
enableSsl?: pulumi.Input<boolean | undefined>;
}
export interface DynamicSecretKubernetesConfigurationDynamicConfig {
/**
* Kubernetes namespace(s) where the service accounts will be created. You can specify multiple namespaces as a comma-separated list (e.g., “default,kube-system”). During lease creation, you can specify which namespace to use from this allowed list.
*/
allowedNamespaces: pulumi.Input<string>;
/**
* Name of the role to assign to the temporary service account.
*/
role: pulumi.Input<string>;
/**
* Type of role to assign ('cluster-role' or 'role').
*/
roleType: pulumi.Input<string>;
}
export interface DynamicSecretKubernetesConfigurationStaticConfig {
/**
* Kubernetes namespace where the service account exists.
*/
namespace: pulumi.Input<string>;
/**
* Name of the service account to generate tokens for.
*/
serviceAccountName: pulumi.Input<string>;
}
export interface DynamicSecretKubernetesMetadata {
/**
* The key of the metadata object
*/
key: pulumi.Input<string>;
/**
* The value of the metadata object
*/
value: pulumi.Input<string>;
}
export interface DynamicSecretMongoAtlasConfiguration {
/**
* Admin user private API key
*/
adminPrivateKey: pulumi.Input<string>;
/**
* Admin user public API key
*/
adminPublicKey: pulumi.Input<string>;
/**
* Unique 24-hexadecimal digit string that identifies your project. This is the same as the project ID.
*/
groupId: pulumi.Input<string>;
roles: pulumi.Input<pulumi.Input<inputs.DynamicSecretMongoAtlasConfigurationRole>[]>;
scopes?: pulumi.Input<pulumi.Input<inputs.DynamicSecretMongoAtlasConfigurationScope>[] | undefined>;
}
export interface DynamicSecretMongoAtlasConfigurationRole {
/**
* Collection on which this role applies.
*/
collectionName?: pulumi.Input<string | undefined>;
/**
* Database to which the user is granted access privileges.
*/
databaseName: pulumi.Input<string>;
/**
* Human-readable label that identifies a group of privileges assigned to a database user. This value can either be a built-in role or a custom role.
*/
roleName: pulumi.Input<string>;
}
export interface DynamicSecretMongoAtlasConfigurationScope {
/**
* Human-readable label that identifies the cluster or MongoDB Atlas Data Lake that this database user can access.
*/
name: pulumi.Input<string>;
/**
* Category of resource that this database user can access. Supported options: CLUSTER, DATA_LAKE, STREAM
*/
type: pulumi.Input<string>;
}
export interface DynamicSecretMongoAtlasMetadata {
/**
* The key of the metadata object
*/
key: pulumi.Input<string>;
/**
* The value of the metadata object
*/
value: pulumi.Input<string>;
}
export interface DynamicSecretMongoDbConfiguration {
/**
* The CA certificate to use to connect to the database.
*/
ca?: pulumi.Input<string | undefined>;
/**
* The name of the database to use.
*/
database: pulumi.Input<string>;
/**
* The host of the database server.
*/
host: pulumi.Input<string>;
/**
* The password to use to connect to the database.
*/
password: pulumi.Input<string>;
/**
* The port of the database server.
*/
port?: pulumi.Input<number | undefined>;
/**
* A list of role names to assign to the user. The role names can either be built-in or custom.
*/
roles: pulumi.Input<pulumi.Input<string>[]>;
/**
* The username to use to connect to the database.
*/
username: pulumi.Input<string>;
}
export interface DynamicSecretMongoDbMetadata {
/**
* The key of the metadata object
*/
key: pulumi.Input<string>;
/**
* The value of the metadata object
*/
value: pulumi.Input<string>;
}
export interface DynamicSecretSqlDatabaseConfiguration {
/**
* The CA certificate to use to connect to the database.
*/
ca?: pulumi.Input<string | undefined>;
/**
* The database client to use. Currently supported values are postgres, mysql2, oracledb, mssql, sap-ase, and vertica.
*/
client: pulumi.Input<string>;
/**
* The creation statement to use to create the dynamic secret lease.
*/
creationStatement: pulumi.Input<string>;
/**
* The name of the database to use.
*/
database: pulumi.Input<string>;
/**
* The Gateway ID to use to connect to the database.
*/
gatewayId?: pulumi.Input<string | undefined>;
/**
* The host of the database server.
*/
host: pulumi.Input<string>;
/**
* The password to use to connect to the database.
*/
password: pulumi.Input<string>;
/**
* The password requirements to use to create the dynamic secret lease.
*/
passwordRequirements?: pulumi.Input<inputs.DynamicSecretSqlDatabaseConfigurationPasswordRequirements | undefined>;
/**
* The port of the database server.
*/
port: pulumi.Input<number>;
/**
* The renew statement to use to renew the dynamic secret lease.
*/
renewStatement?: pulumi.Input<string | undefined>;
/**
* The revocation statement to use to revoke the dynamic secret lease.
*/
revocationStatement: pulumi.Input<string>;
/**
* The username to use to connect to the database.
*/
username: pulumi.Input<string>;
}
export interface DynamicSecretSqlDatabaseConfigurationPasswordRequirements {
/**
* The symbols allowed in the password.
*/
allowedSymbols?: pulumi.Input<string | undefined>;
/**
* The length of the password to use to create the dynamic secret lease.
*/
length: pulumi.Input<number>;
/**
* The required characters to use to create the dynamic secret lease.
*/
required: pulumi.Input<inputs.DynamicSecretSqlDatabaseConfigurationPasswordRequirementsRequired>;
}
export interface DynamicSecretSqlDatabaseConfigurationPasswordRequirementsRequired {
/**
* The number of digits required in the password.
*/
digits: pulumi.Input<number>;
/**
* The number of lowercase characters required in the password.
*/
lowercase: pulumi.Input<number>;
/**
* The number of symbols required in the password.
*/
symbols: pulumi.Input<number>;
/**
* The number of uppercase characters required in the password.
*/
uppercase: pulumi.Input<number>;
}
export interface DynamicSecretSqlDatabaseMetadata {
/**
* The key of the metadata object
*/
key: pulumi.Input<string>;
/**
* The value of the metadata object
*/
value: pulumi.Input<string>;
}
export interface ExternalKmsAwsConfiguration {
/**
* The AWS KMS key ID to use for the external KMS. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-aws-kms-key-id
*/
awsKmsKeyId: pulumi.Input<string>;
/**
* The AWS region where the KMS key is located
*/
awsRegion: pulumi.Input<string>;
/**
* The AWS credentials for the external KMS
*/
credential: pulumi.Input<inputs.ExternalKmsAwsConfigurationCredential>;
/**
* The Authentication Type to use. Must be access-key or assume-role
*/
type: pulumi.Input<string>;
}
export interface ExternalKmsAwsConfigurationCredential {
/**
* The AWS Access Key ID used to authenticate requests to AWS services. Required for access-key type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-access-key-id
*/
accessKeyId?: pulumi.Input<string | undefined>;
/**
* The Amazon Resource Name (ARN) of the IAM role to assume for performing operations. Infisical will assume this role using AWS Security Token Service (STS). Required for assume-role type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-iam-role-arn-for-role-assumption
*/
roleArn?: pulumi.Input<string | undefined>;
/**
* The external ID of the role to assume for performing operations. Required for assume-role type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-assume-role-external-id
*/
roleExternalId?: pulumi.Input<string | undefined>;
/**
* The AWS Secret Access Key associated with the Access Key ID to authenticate requests to AWS services. Required for access-key type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-secret-access-key
*/
secretAccessKey?: pulumi.Input<string | undefined>;
}
export interface IdentityAwsAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityAzureAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityGcpAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityJwtAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityKubernetesAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityMetadata {
/**
* The key of the metadata object
*/
key: pulumi.Input<string>;
/**
* The value of the metadata object
*/
value: pulumi.Input<string>;
}
export interface IdentityOidcAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityTokenAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityUniversalAuthAccessTokenTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IdentityUniversalAuthClientSecretTrustedIp {
ipAddress?: pulumi.Input<string | undefined>;
}
export interface IntegrationAwsParameterStoreOptions {
/**
* Tags to attach to the AWS parameter store secrets.
*/
awsTags?: pulumi.Input<pulumi.Input<inputs.IntegrationAwsParameterStoreOptionsAwsTag>[] | undefined>;
/**
* Whether to disable deletion of existing secrets in AWS Parameter Store.
*/
shouldDisableDelete?: pulumi.Input<boolean | undefined>;
}
export interface IntegrationAwsParameterStoreOptionsAwsTag {
/**
* The key of the tag.
*/
key?: pulumi.Input<string | undefined>;
/**
* The value of the tag.
*/
value?: pulumi.Input<string | undefined>;
}
export interface IntegrationAwsSecretsManagerOptions {
/**
* Tags to attach to the AWS Secrets Manager secrets.
*/
awsTags?: pulumi.Input<pulumi.Input<inputs.IntegrationAwsSecretsManagerOptionsAwsTag>[] | undefined>;
/**
* The sync mode for AWS tags. The supported options are `secret-metadata` and <span pulumi-lang-nodejs="`custom`" pulumi-lang-dotnet="`Custom`" pulumi-lang-go="`custom`" pulumi-lang-python="`custom`" pulumi-lang-yaml="`custom`" pulumi-lang-java="`custom`" pulumi-lang-hcl="`custom`">`custom`</span>. If `secret-metadata` is selected, the metadata of the Infisical secrets are used as tags in AWS (only supported for one-to-one integrations). If <span pulumi-lang-nodejs="`custom`" pulumi-lang-dotnet="`Custom`" pulumi-lang-go="`custom`" pulumi-lang-python="`custom`" pulumi-lang-yaml="`custom`" pulumi-lang-java="`custom`" pulumi-lang-hcl="`custom`">`custom`</span> is selected, then the key/value pairs in the <span pulumi-lang-nodejs="`awsTags`" pulumi-lang-dotnet="`AwsTags`" pulumi-lang-go="`awsTags`" pulumi-lang-python="`aws_tags`" pulumi-lang-yaml="`awsTags`" pulumi-lang-java="`awsTags`" pulumi-lang-hcl="`aws_tags`">`awsTags`</span> field is used.
*/
metadataSyncMode?: pulumi.Input<string | undefined>;
/**
* The prefix to add to the secret name in AWS Secrets Manager.
*/
secretPrefix?: pulumi.Input<string | undefined>;
}
export interface IntegrationAwsSecretsManagerOptionsAwsTag {
/**
* The key of the tag.
*/
key?: pulumi.Input<string | undefined>;
/**
* The value of the tag.
*/
value?: pulumi.Input<string | undefined>;
}
export interface IntegrationGcpSecretManagerOptions {
/**
* The prefix to add to the secret name in GCP Secret Manager.
*/
secretPrefix?: pulumi.Input<string | undefined>;
/**
* The suffix to add to the secret name in GCP Secret Manager.
*/
secretSuffix?: pulumi.Input<string | undefined>;
}
export interface OrgRolePermission {
/**
* Describe what actions an entity can take.
*/
actions: pulumi.Input<pulumi.Input<string>[]>;
/**
* When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators.
*/
conditions?: pulumi.Input<string | undefined>;
/**
* Whether rule forbids. Set this to true if permission forbids.
*/
inverted?: pulumi.Input<boolean | undefined>;
/**
* Describe the entity the permission pertains to.
*/
subject: pulumi.Input<string>;
}
export interface ProjectGroupRole {
/**
* Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required.
*/
isTemporary?: pulumi.Input<boolean | undefined>;
/**
* The slug of the role
*/
roleSlug: pulumi.Input<string>;
/**
* ISO time for which temporary access should begin. This is in the format YYYY-MM-DDTHH:MM:SSZ e.g. 2024-09-19T12:43:13Z
*/
temporaryAccessStartTime?: pulumi.Input<string | undefined>;
/**
* TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h
*/
temporaryRange?: pulumi.Input<string | undefined>;
}
export interface ProjectIdentityIdentity {
/**
* The auth methods for the identity
*/
authMethods?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The ID of the identity
*/
id?: pulumi.Input<string | undefined>;
/**
* The name of the identity
*/
name?: pulumi.Input<string | undefined>;
}
export interface ProjectIdentityProvisioningMetadata {
/**
* The key of the metadata entry.
*/
key: pulumi.Input<string>;
/**
* The value of the metadata entry.
*/
value: pulumi.Input<string>;
}
export interface ProjectIdentityRole {
/**
* The id of the custom role slug
*/
customRoleId?: pulumi.Input<string | undefined>;
/**
* The ID of the project identity role.
*/
id?: pulumi.Input<string | undefined>;
/**
* Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required.
*/
isTemporary?: pulumi.Input<boolean | undefined>;
/**
* The slug of the role
*/
roleSlug: pulumi.Input<string>;
/**
* ISO time for which temporary access will end. Computed based on<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and temporary_access_start_time
*/
temporaryAccessEndTime?: pulumi.Input<string | undefined>;
/**
* ISO time for which temporary access should begin. The current time is used by default.
*/
temporaryAccessStartTime?: pulumi.Input<string | undefined>;
/**
* Type of temporary access given. Types: relative. Default: relative
*/
temporaryMode?: pulumi.Input<string | undefined>;
/**
* TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h
*/
temporaryRange?: pulumi.Input<string | undefined>;
}
export interface ProjectIdentitySpecificPrivilegePermission {
/**
* Describe what action an entity can take. Enum: create,edit,delete,read
*/
actions: pulumi.Input<pulumi.Input<string>[]>;
/**
* The conditions to scope permissions
*/
conditions: pulumi.Input<inputs.ProjectIdentitySpecificPrivilegePermissionConditions>;
/**
* Describe what action an entity can take. Enum: role,member,groups,settings,integrations,webhooks,service-tokens,environments,tags,audit-logs,ip-allowlist,workspace,secrets,secret-rollback,secret-approval,secret-rotation,identity,certificate-authorities,certificates,certificate-policies,kms,pki-alerts,pki-collections
*/
subject: pulumi.Input<string>;
}
export interface ProjectIdentitySpecificPrivilegePermissionConditions {
/**
* The environment slug this permission should allow.
*/
environment: pulumi.Input<string>;
/**
* The secret path this permission should be scoped to
*/
secretPath?: pulumi.Input<string | undefined>;
}
export interface ProjectIdentitySpecificPrivilegePermissionsV2 {
/**
* Describe what actions an entity can take.
*/
actions: pulumi.Input<pulumi.Input<string>[]>;
/**
* When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators.
*/
conditions?: pulumi.Input<string | undefined>;
/**
* Whether rule forbids. Set this to true if permission forbids.
*/
inverted?: pulumi.Input<boolean | undefined>;
/**
* Describe the entity the permission pertains to.
*/
subject: pulumi.Input<string>;
}
export interface ProjectRolePermission {
/**
* Describe what action an entity can take. Enum: create,edit,delete,read
*/
action: pulumi.Input<string>;
/**
* The conditions to scope permissions
*/
conditions?: pulumi.Input<inputs.ProjectRolePermissionConditions | undefined>;
/**
* Describe what action an entity can take. Enum: role,member,groups,settings,integrations,webhooks,service-tokens,environments,tags,audit-logs,ip-allowlist,workspace,secrets,secret-rollback,secret-approval,secret-rotation,identity,certificate-authorities,certificates,certificate-policies,kms,pki-alerts,pki-collections
*/
subject: pulumi.Input<string>;
}
export interface ProjectRolePermissionConditions {
/**
* The environment slug this permission should allow.
*/
environment?: pulumi.Input<string | undefined>;
/**
* The secret path this permission should be scoped to
*/
secretPath?: pulumi.Input<strin