UNPKG

pulumi-infisical

Version:

A Pulumi provider for managing Infisical secrets management platform, dynamically bridged from the Terraform Infisical provider with support for projects, secrets, identity management, integrations, and access controls.

1,414 lines 80.7 kB
import * as outputs from "../types/output"; export interface AccessApprovalPolicyApprover { /** * The ID of the approver */ id?: string; /** * The type of approver. Either group or user */ type: string; /** * The username of the approver. By default, this is the email */ username?: string; } export interface AppConnection1passwordCredentials { /** * The API token to use for authentication. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/1password */ apiToken: string; /** * The URL of the 1Password Connect instance to connect to. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/1password */ instanceUrl: string; } export interface AppConnectionAwsCredentials { /** * The AWS Access Key ID used to authenticate requests to AWS services. Required for access-key access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#access-key */ accessKeyId?: string; /** * The Amazon Resource Name (ARN) of the IAM role to assume for performing operations. Infisical will assume this role using AWS Security Token Service (STS). Required for assume-role access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#assume-role-recommended */ roleArn?: string; /** * The AWS Secret Access Key associated with the Access Key ID to authenticate requests to AWS services. Required for access-key access method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/aws#access-key */ secretAccessKey?: string; } export interface AppConnectionAzureAppConfigurationCredentials { /** * The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration */ clientId: string; /** * The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration */ clientSecret: string; /** * The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-app-configuration */ tenantId: string; } export interface AppConnectionAzureClientSecretsCredentials { /** * The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets */ clientId: string; /** * The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets */ clientSecret: string; /** * The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets */ tenantId: string; } export interface AppConnectionAzureDevopsCredentials { /** * The Azure DevOps access token. Required for access-token method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-devops */ accessToken?: string; /** * The Azure application (client) ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets */ clientId?: string; /** * The Azure client secret. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets */ clientSecret?: string; /** * The name of the Azure DevOps organization. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-devops */ organizationName: string; /** * The Azure Active Directory (AAD) tenant ID. Required for client-secret method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-client-secrets */ tenantId?: string; } export interface AppConnectionAzureKeyVaultCredentials { /** * The Azure application (client) ID. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault */ clientId: string; /** * The Azure client secret. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault */ clientSecret: string; /** * The Azure Active Directory (AAD) tenant ID. Required for key-vault method. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/azure-key-vault */ tenantId: string; } export interface AppConnectionBitbucketCredentials { /** * The Bitbucket API token for authentication. */ apiToken: string; /** * The email address associated with the Bitbucket API token. */ email: string; } export interface AppConnectionCloudflareCredentials { /** * The Cloudflare Account ID. This can be found in the sidebar of your Cloudflare dashboard. */ accountId: string; /** * The Cloudflare API token with the necessary permissions to manage Workers scripts. The token should have Zone:Zone:Read, Zone:Zone Settings:Read, and Zone:Zone:Edit permissions. */ apiToken: string; } export interface AppConnectionDatabricksCredentials { /** * The client ID of the Databricks service principal. */ clientId: string; /** * The client secret of the Databricks service principal. */ clientSecret: string; /** * The workspace URL of the Databricks instance. */ workspaceUrl: string; } export interface AppConnectionFlyioCredentials { /** * The Fly.io access token for authentication. */ accessToken: string; } export interface AppConnectionGcpCredentials { /** * The service account email to connect with GCP. The service account ID (the part of the email before '@') must be suffixed with the first two sections of your organization ID e.g. service-account-df92581a-0fe9@my-project.iam.gserviceaccount.com. For more details, refer to the documentation here https://infisical.com/docs/integrations/app-connections/gcp#configure-service-account-for-infisical */ serviceAccountEmail?: string; } export interface AppConnectionGithubCredentials { /** * The hostname of your GitHub Enterprise instance. Required when<span pulumi-lang-nodejs=" instanceType " pulumi-lang-dotnet=" InstanceType " pulumi-lang-go=" instanceType " pulumi-lang-python=" instance_type " pulumi-lang-yaml=" instanceType " pulumi-lang-java=" instanceType " pulumi-lang-hcl=" instance_type "> instanceType </span>is 'server'. */ host?: string; /** * The type of GitHub instance. Use 'cloud' for GitHub.com (default) or 'server' for GitHub Enterprise. When 'server', host is required. */ instanceType?: string; /** * The Personal Access Token used to access GitHub. */ personalAccessToken: string; } export interface AppConnectionGitlabCredentials { /** * The Access Token used to access GitLab. */ accessToken: string; /** * The type of token used to connect with GitLab. Supported options: 'project', 'personal', and 'group' */ accessTokenType: string; /** * The GitLab instance URL to connect with. (default: https://gitlab.com) */ instanceUrl?: string; } export interface AppConnectionHashicorpVaultCredentials { /** * The Vault access token. Required for the `access-token` method. */ accessToken?: string; /** * The URL of the HashiCorp Vault instance, e.g. `https://vault.example.com`. Required for all methods. */ instanceUrl?: string; /** * Optional Vault namespace. Only applicable to HCP Vault Dedicated and Enterprise deployments. */ namespace?: string; /** * The AppRole role ID. Required for the `app-role` method. */ roleId?: string; /** * The AppRole secret ID. Required for the `app-role` method. */ secretId?: string; } export interface AppConnectionLdapCredentials { /** * The Distinguished Name (DN) or User Principal Name (UPN) of the principal to bind with (e.g., 'CN=John,CN=Users,DC=example,DC=com'). */ dn: string; /** * The password to bind with for authentication. */ password: string; /** * The LDAP provider (e.g., 'active-directory'). */ provider: string; /** * The SSL certificate (PEM format) to use for secure connection when using ldaps:// with a self-signed certificate. */ sslCertificate?: string; /** * Whether or not to reject unauthorized SSL certificates (true/false) when using ldaps://. Set to false only in test environments. */ sslRejectUnauthorized: boolean; /** * The LDAP server URL (e.g., 'ldap://example.com:389' or 'ldaps://example.com:636'). */ url: string; } export interface AppConnectionMssqlCredentials { /** * The name of the database to connect to. */ database: string; /** * The hostname of the database server. */ host: string; /** * The password to connect to the database with. */ password: string; /** * The port number of the database. */ port: number; /** * The SSL certificate to use for connection. */ sslCertificate?: string; /** * Whether or not to use SSL when connecting to the database. */ sslEnabled: boolean; /** * Whether or not to reject unauthorized SSL certificates. */ sslRejectUnauthorized: boolean; /** * The username to connect to the database with. */ username: string; } export interface AppConnectionMysqlCredentials { /** * The name of the database to connect to. */ database: string; /** * The hostname of the database server. */ host: string; /** * The password to connect to the database with. */ password: string; /** * The port number of the database. */ port: number; /** * The SSL certificate to use for connection. */ sslCertificate?: string; /** * Whether or not to use SSL when connecting to the database. */ sslEnabled: boolean; /** * Whether or not to reject unauthorized SSL certificates. */ sslRejectUnauthorized: boolean; /** * The username to connect to the database with. */ username: string; } export interface AppConnectionOracledbCredentials { /** * The name of the database to connect to. */ database: string; /** * The hostname of the database server. */ host: string; /** * The password to connect to the database with. */ password: string; /** * The port number of the database. */ port: number; /** * The SSL certificate to use for connection. */ sslCertificate?: string; /** * Whether or not to use SSL when connecting to the database. */ sslEnabled: boolean; /** * Whether or not to reject unauthorized SSL certificates. */ sslRejectUnauthorized: boolean; /** * The username to connect to the database with. */ username: string; } export interface AppConnectionPostgresCredentials { /** * The name of the database to connect to. */ database: string; /** * The hostname of the database server. */ host: string; /** * The password to connect to the database with. */ password: string; /** * The port number of the database. */ port: number; /** * The SSL certificate to use for connection. */ sslCertificate?: string; /** * Whether or not to use SSL when connecting to the database. */ sslEnabled: boolean; /** * Whether or not to reject unauthorized SSL certificates. */ sslRejectUnauthorized: boolean; /** * The username to connect to the database with. */ username: string; } export interface AppConnectionRenderCredentials { /** * The API key to use for authentication. For more details, refer to the documentation here infisical.com/docs/integrations/app-connections/render */ apiKey: string; } export interface AppConnectionSupabaseCredentials { /** * The Supabase access key for authentication. */ accessKey: string; /** * The Supabase instance URL (e.g., https://your-domain.com). */ instanceUrl?: string; } export interface CertManagerApplicationProfileAcmeConfig { /** * The ACME directory URL clients should use. */ directoryUrl: string; /** * External Account Binding key identifier. Populated on create and on import; routine refreshes don't re-fetch it. Rotated only by the explicit rotate endpoint, never by Terraform. */ eabKid: string; /** * External Account Binding shared secret. Populated on create and on import; routine refreshes don't re-fetch it. Rotated only by the explicit rotate endpoint, never by Terraform. */ eabSecret: string; /** * Skip DNS ownership verification. Defaults to false. */ skipDnsOwnershipVerification: boolean; /** * Skip External Account Binding. Defaults to false. Cannot be set to true at the same time as skip_dns_ownership_verification. */ skipEabBinding: boolean; } export interface CertManagerApplicationProfileApiConfig { /** * Whether to automatically renew certificates. Defaults to false when omitted. */ autoRenew: boolean; /** * Number of days before expiration to renew (1-30). Defaults to 7 when omitted. */ renewBeforeDays: number; } export interface CertManagerApplicationProfileEstConfig { /** * PEM-encoded CA chain used for bootstrap CA validation (only honored when<span pulumi-lang-nodejs=" disableBootstrapCaValidation " pulumi-lang-dotnet=" DisableBootstrapCaValidation " pulumi-lang-go=" disableBootstrapCaValidation " pulumi-lang-python=" disable_bootstrap_ca_validation " pulumi-lang-yaml=" disableBootstrapCaValidation " pulumi-lang-java=" disableBootstrapCaValidation " pulumi-lang-hcl=" disable_bootstrap_ca_validation "> disableBootstrapCaValidation </span>is false). */ caChain?: string; /** * Whether to disable bootstrap CA validation. Defaults to false. */ disableBootstrapCaValidation: boolean; /** * The EST endpoint URL clients should use. */ endpointUrl: string; /** * EST passphrase used to authorize certificate requests. */ passphrase: string; } export interface CertManagerApplicationProfileScepConfig { /** * Allow certificate-based renewal. Defaults to true. */ allowCertBasedRenewal: boolean; /** * The SCEP dynamic challenge endpoint URL (only set when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic). */ challengeEndpointUrl: string; /** * Static-mode SCEP challenge password (min 8 chars). Required when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is static. */ challengePassword?: string; /** * SCEP challenge type. Supported values: static, dynamic. Defaults to static. */ challengeType: string; /** * Expiry of a dynamic challenge in minutes (1-1440). Only used when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic. */ dynamicChallengeExpiryMinutes: number; /** * Maximum pending dynamic challenges (1-1000). Only used when<span pulumi-lang-nodejs=" challengeType " pulumi-lang-dotnet=" ChallengeType " pulumi-lang-go=" challengeType " pulumi-lang-python=" challenge_type " pulumi-lang-yaml=" challengeType " pulumi-lang-java=" challengeType " pulumi-lang-hcl=" challenge_type "> challengeType </span>is dynamic. */ dynamicChallengeMaxPending: number; /** * Include the issuing CA certificate in SCEP responses. Defaults to true. */ includeCaCertInResponse: boolean; /** * ISO-8601 timestamp when the RA certificate expires. */ raCertExpiresAt: string; /** * The PEM-encoded RA certificate used by the SCEP service. */ raCertificatePem: string; /** * The SCEP endpoint URL clients should use. */ scepEndpointUrl: string; } export interface CertManagerCertificatePolicyAlgorithms { /** * List of allowed key algorithms (at least one required). Supported values: RSA-2048, RSA-3072, RSA-4096, ECDSA-P256, ECDSA-P521, ECDSA-P384 */ keyAlgorithms: string[]; /** * List of allowed signature algorithms (at least one required). Supported values: SHA256-RSA, SHA512-RSA, SHA384-ECDSA, SHA384-RSA, SHA256-ECDSA, SHA512-ECDSA */ signatures: string[]; } export interface CertManagerCertificatePolicyExtendedKeyUsages { /** * List of allowed extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping */ alloweds?: string[]; /** * List of denied extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping */ denieds?: string[]; /** * List of required extended key usages. Possible values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping */ requireds?: string[]; } export interface CertManagerCertificatePolicyKeyUsages { /** * List of allowed key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only */ alloweds?: string[]; /** * List of denied key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only */ denieds?: string[]; /** * List of required key usages. Possible values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only */ requireds?: string[]; } export interface CertManagerCertificatePolicySan { /** * List of allowed values for this SAN type */ alloweds?: string[]; /** * List of denied values for this SAN type */ denieds?: string[]; /** * List of required values for this SAN type */ requireds?: string[]; /** * The SAN type. Possible values: dns_name, ip_address, email, uri */ type: string; } export interface CertManagerCertificatePolicySubject { /** * List of allowed values for this subject attribute */ alloweds?: string[]; /** * List of denied values for this subject attribute */ denieds?: string[]; /** * List of required values for this subject attribute */ requireds?: string[]; /** * The subject attribute type. Possible values: common_name, organization, country */ type: string; } export interface CertManagerCertificatePolicyValidity { /** * Maximum validity period (e.g., '90d', '2y', '6m') */ max?: string; } export interface CertManagerCertificateProfileDefaults { /** * Default common name */ commonName?: string; /** * Default country (C) */ country?: string; /** * Default extended key usages. Supported values: client_auth, server_auth, code_signing, email_protection, ocsp_signing, time_stamping */ extendedKeyUsages?: string[]; /** * Default key algorithm. Supported values: RSA_2048, RSA_3072, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1 */ keyAlgorithm?: string; /** * Default key usages. Supported values: digital_signature, key_encipherment, non_repudiation, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only */ keyUsages?: string[]; /** * Default locality (L) */ locality?: string; /** * Default organization (O) */ organization?: string; /** * Default organizational unit (OU) */ organizationalUnit?: string; /** * Default signature algorithm. Supported values: RSA-SHA256, RSA-SHA384, RSA-SHA512, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512 */ signatureAlgorithm?: string; /** * Default state/province (ST) */ state?: string; /** * Default certificate validity in days */ ttlDays?: number; } export interface DynamicSecretAwsIamConfiguration { /** * Configuration for the 'access_key' authentication method. */ accessKeyConfig?: outputs.DynamicSecretAwsIamConfigurationAccessKeyConfig; /** * Configuration for the 'assume_role' authentication method. */ assumeRoleConfig?: outputs.DynamicSecretAwsIamConfigurationAssumeRoleConfig; /** * IAM AWS Path to scope created IAM User resource access. */ awsPath?: string; /** * The authentication method to use. Must be 'access_key' or 'assume_role'. */ method: string; /** * The IAM Policy ARN of the AWS Permissions Boundary to attach to IAM users created in the role. */ permissionBoundaryPolicyArn?: string; /** * The AWS IAM managed policies that should be attached to the created users. Multiple values can be provided by separating them with commas */ policyArns?: string; /** * The AWS IAM inline policy that should be attached to the created users. Multiple values can be provided by separating them with commas */ policyDocument?: string; /** * The AWS data center region. */ region: string; /** * The AWS IAM groups that should be assigned to the created users. Multiple values can be provided by separating them with commas */ userGroups?: string; } export interface DynamicSecretAwsIamConfigurationAccessKeyConfig { /** * The managing AWS IAM User Access Key */ accessKey: string; /** * The managing AWS IAM User Secret Key */ secretAccessKey: string; } export interface DynamicSecretAwsIamConfigurationAssumeRoleConfig { /** * The ARN of the AWS Role to assume. */ roleArn: string; } export interface DynamicSecretAwsIamMetadata { /** * The key of the metadata object */ key: string; /** * The value of the metadata object */ value: string; } export interface DynamicSecretKubernetesConfiguration { /** * Configuration for the 'api' authentication method. */ apiConfig?: outputs.DynamicSecretKubernetesConfigurationApiConfig; /** * Optional list of audiences to include in the generated token. */ audiences?: string[]; /** * Choose between Token ('api') or 'gateway' authentication. If using Gateway, the Gateway must be deployed in your Kubernetes cluster. */ authMethod: string; /** * Choose between 'static' (predefined service account) or 'dynamic' (temporary service accounts with role assignments). */ credentialType: string; /** * Configuration for the 'dynamic' credential type. */ dynamicConfig?: outputs.DynamicSecretKubernetesConfigurationDynamicConfig; /** * Select a gateway for private cluster access. If not specified, the Internet Gateway will be used. */ gatewayId?: string; /** * Configuration for the 'static' credential type. */ staticConfig?: outputs.DynamicSecretKubernetesConfigurationStaticConfig; } export interface DynamicSecretKubernetesConfigurationApiConfig { /** * Custom CA certificate for the Kubernetes API server. Leave blank to use the system/public CA. */ ca?: string; /** * Service account token with permissions to create service accounts and manage RBAC. */ clusterToken: string; /** * Kubernetes API server URL (e.g., https://kubernetes.default.svc). */ clusterUrl: string; /** * Whether to enable SSL verification for the Kubernetes API server connection. */ enableSsl?: boolean; } export interface DynamicSecretKubernetesConfigurationDynamicConfig { /** * Kubernetes namespace(s) where the service accounts will be created. You can specify multiple namespaces as a comma-separated list (e.g., “default,kube-system”). During lease creation, you can specify which namespace to use from this allowed list. */ allowedNamespaces: string; /** * Name of the role to assign to the temporary service account. */ role: string; /** * Type of role to assign ('cluster-role' or 'role'). */ roleType: string; } export interface DynamicSecretKubernetesConfigurationStaticConfig { /** * Kubernetes namespace where the service account exists. */ namespace: string; /** * Name of the service account to generate tokens for. */ serviceAccountName: string; } export interface DynamicSecretKubernetesMetadata { /** * The key of the metadata object */ key: string; /** * The value of the metadata object */ value: string; } export interface DynamicSecretMongoAtlasConfiguration { /** * Admin user private API key */ adminPrivateKey: string; /** * Admin user public API key */ adminPublicKey: string; /** * Unique 24-hexadecimal digit string that identifies your project. This is the same as the project ID. */ groupId: string; roles: outputs.DynamicSecretMongoAtlasConfigurationRole[]; scopes: outputs.DynamicSecretMongoAtlasConfigurationScope[]; } export interface DynamicSecretMongoAtlasConfigurationRole { /** * Collection on which this role applies. */ collectionName?: string; /** * Database to which the user is granted access privileges. */ databaseName: string; /** * Human-readable label that identifies a group of privileges assigned to a database user. This value can either be a built-in role or a custom role. */ roleName: string; } export interface DynamicSecretMongoAtlasConfigurationScope { /** * Human-readable label that identifies the cluster or MongoDB Atlas Data Lake that this database user can access. */ name: string; /** * Category of resource that this database user can access. Supported options: CLUSTER, DATA_LAKE, STREAM */ type: string; } export interface DynamicSecretMongoAtlasMetadata { /** * The key of the metadata object */ key: string; /** * The value of the metadata object */ value: string; } export interface DynamicSecretMongoDbConfiguration { /** * The CA certificate to use to connect to the database. */ ca?: string; /** * The name of the database to use. */ database: string; /** * The host of the database server. */ host: string; /** * The password to use to connect to the database. */ password: string; /** * The port of the database server. */ port?: number; /** * A list of role names to assign to the user. The role names can either be built-in or custom. */ roles: string[]; /** * The username to use to connect to the database. */ username: string; } export interface DynamicSecretMongoDbMetadata { /** * The key of the metadata object */ key: string; /** * The value of the metadata object */ value: string; } export interface DynamicSecretSqlDatabaseConfiguration { /** * The CA certificate to use to connect to the database. */ ca?: string; /** * The database client to use. Currently supported values are postgres, mysql2, oracledb, mssql, sap-ase, and vertica. */ client: string; /** * The creation statement to use to create the dynamic secret lease. */ creationStatement: string; /** * The name of the database to use. */ database: string; /** * The Gateway ID to use to connect to the database. */ gatewayId?: string; /** * The host of the database server. */ host: string; /** * The password to use to connect to the database. */ password: string; /** * The password requirements to use to create the dynamic secret lease. */ passwordRequirements?: outputs.DynamicSecretSqlDatabaseConfigurationPasswordRequirements; /** * The port of the database server. */ port: number; /** * The renew statement to use to renew the dynamic secret lease. */ renewStatement?: string; /** * The revocation statement to use to revoke the dynamic secret lease. */ revocationStatement: string; /** * The username to use to connect to the database. */ username: string; } export interface DynamicSecretSqlDatabaseConfigurationPasswordRequirements { /** * The symbols allowed in the password. */ allowedSymbols?: string; /** * The length of the password to use to create the dynamic secret lease. */ length: number; /** * The required characters to use to create the dynamic secret lease. */ required: outputs.DynamicSecretSqlDatabaseConfigurationPasswordRequirementsRequired; } export interface DynamicSecretSqlDatabaseConfigurationPasswordRequirementsRequired { /** * The number of digits required in the password. */ digits: number; /** * The number of lowercase characters required in the password. */ lowercase: number; /** * The number of symbols required in the password. */ symbols: number; /** * The number of uppercase characters required in the password. */ uppercase: number; } export interface DynamicSecretSqlDatabaseMetadata { /** * The key of the metadata object */ key: string; /** * The value of the metadata object */ value: string; } export interface ExternalKmsAwsConfiguration { /** * The AWS KMS key ID to use for the external KMS. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-aws-kms-key-id */ awsKmsKeyId: string; /** * The AWS region where the KMS key is located */ awsRegion: string; /** * The AWS credentials for the external KMS */ credential: outputs.ExternalKmsAwsConfigurationCredential; /** * The Authentication Type to use. Must be access-key or assume-role */ type: string; } export interface ExternalKmsAwsConfigurationCredential { /** * The AWS Access Key ID used to authenticate requests to AWS services. Required for access-key type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-access-key-id */ accessKeyId?: string; /** * The Amazon Resource Name (ARN) of the IAM role to assume for performing operations. Infisical will assume this role using AWS Security Token Service (STS). Required for assume-role type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-iam-role-arn-for-role-assumption */ roleArn?: string; /** * The external ID of the role to assume for performing operations. Required for assume-role type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-assume-role-external-id */ roleExternalId?: string; /** * The AWS Secret Access Key associated with the Access Key ID to authenticate requests to AWS services. Required for access-key type. For more details, refer to the documentation here https://infisical.com/docs/documentation/platform/kms-configuration/aws-kms#param-secret-access-key */ secretAccessKey?: string; } export interface GetGroupsGroup { /** * The ID of the group */ id: string; /** * The name of the group */ name: string; /** * The organization ID of the group */ orgId: string; /** * The role of the group in the organization */ role: string; /** * The role ID of the group in the organization */ roleId: string; } export interface GetIdentityDetailsOrganization { /** * The ID of the organization */ id: string; /** * The name of the organization */ name: string; /** * The slug of the organization */ slug: string; } export interface GetProjectsEnvironments { /** * The ID of the environment */ id: string; /** * The name of the environment */ name: string; /** * The slug of the environment */ slug: string; } export interface GetSecretFoldersFolder { /** * The ID of the folder */ id: string; /** * The name of the folder */ name: string; } export interface GetSecretMetadataSecretMetadata { isEncrypted?: boolean; key?: string; value?: string; } export interface GetSecretMetadataTag { color?: string; id?: string; name?: string; slug?: string; } export interface GetSecretsSecrets { /** * The secret comment */ comment: string; /** * The secret type (shared or personal) */ secretType: string; /** * The secret value */ value: string; } export interface IdentityAwsAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityAzureAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityGcpAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityJwtAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityKubernetesAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityMetadata { /** * The key of the metadata object */ key: string; /** * The value of the metadata object */ value: string; } export interface IdentityOidcAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityTokenAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityUniversalAuthAccessTokenTrustedIp { ipAddress: string; } export interface IdentityUniversalAuthClientSecretTrustedIp { ipAddress: string; } export interface IntegrationAwsParameterStoreOptions { /** * Tags to attach to the AWS parameter store secrets. */ awsTags?: outputs.IntegrationAwsParameterStoreOptionsAwsTag[]; /** * Whether to disable deletion of existing secrets in AWS Parameter Store. */ shouldDisableDelete: boolean; } export interface IntegrationAwsParameterStoreOptionsAwsTag { /** * The key of the tag. */ key?: string; /** * The value of the tag. */ value?: string; } export interface IntegrationAwsSecretsManagerOptions { /** * Tags to attach to the AWS Secrets Manager secrets. */ awsTags?: outputs.IntegrationAwsSecretsManagerOptionsAwsTag[]; /** * The sync mode for AWS tags. The supported options are `secret-metadata` and <span pulumi-lang-nodejs="`custom`" pulumi-lang-dotnet="`Custom`" pulumi-lang-go="`custom`" pulumi-lang-python="`custom`" pulumi-lang-yaml="`custom`" pulumi-lang-java="`custom`" pulumi-lang-hcl="`custom`">`custom`</span>. If `secret-metadata` is selected, the metadata of the Infisical secrets are used as tags in AWS (only supported for one-to-one integrations). If <span pulumi-lang-nodejs="`custom`" pulumi-lang-dotnet="`Custom`" pulumi-lang-go="`custom`" pulumi-lang-python="`custom`" pulumi-lang-yaml="`custom`" pulumi-lang-java="`custom`" pulumi-lang-hcl="`custom`">`custom`</span> is selected, then the key/value pairs in the <span pulumi-lang-nodejs="`awsTags`" pulumi-lang-dotnet="`AwsTags`" pulumi-lang-go="`awsTags`" pulumi-lang-python="`aws_tags`" pulumi-lang-yaml="`awsTags`" pulumi-lang-java="`awsTags`" pulumi-lang-hcl="`aws_tags`">`awsTags`</span> field is used. */ metadataSyncMode?: string; /** * The prefix to add to the secret name in AWS Secrets Manager. */ secretPrefix?: string; } export interface IntegrationAwsSecretsManagerOptionsAwsTag { /** * The key of the tag. */ key?: string; /** * The value of the tag. */ value?: string; } export interface IntegrationGcpSecretManagerOptions { /** * The prefix to add to the secret name in GCP Secret Manager. */ secretPrefix?: string; /** * The suffix to add to the secret name in GCP Secret Manager. */ secretSuffix?: string; } export interface OrgRolePermission { /** * Describe what actions an entity can take. */ actions: string[]; /** * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators. */ conditions?: string; /** * Whether rule forbids. Set this to true if permission forbids. */ inverted: boolean; /** * Describe the entity the permission pertains to. */ subject: string; } export interface ProjectGroupRole { /** * Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required. */ isTemporary?: boolean; /** * The slug of the role */ roleSlug: string; /** * ISO time for which temporary access should begin. This is in the format YYYY-MM-DDTHH:MM:SSZ e.g. 2024-09-19T12:43:13Z */ temporaryAccessStartTime?: string; /** * TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h */ temporaryRange?: string; } export interface ProjectIdentityIdentity { /** * The auth methods for the identity */ authMethods: string[]; /** * The ID of the identity */ id: string; /** * The name of the identity */ name: string; } export interface ProjectIdentityProvisioningMetadata { /** * The key of the metadata entry. */ key: string; /** * The value of the metadata entry. */ value: string; } export interface ProjectIdentityRole { /** * The id of the custom role slug */ customRoleId: string; /** * The ID of the project identity role. */ id: string; /** * Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required. */ isTemporary: boolean; /** * The slug of the role */ roleSlug: string; /** * ISO time for which temporary access will end. Computed based on<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and temporary_access_start_time */ temporaryAccessEndTime: string; /** * ISO time for which temporary access should begin. The current time is used by default. */ temporaryAccessStartTime: string; /** * Type of temporary access given. Types: relative. Default: relative */ temporaryMode: string; /** * TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h */ temporaryRange: string; } export interface ProjectIdentitySpecificPrivilegePermission { /** * Describe what action an entity can take. Enum: create,edit,delete,read */ actions: string[]; /** * The conditions to scope permissions */ conditions: outputs.ProjectIdentitySpecificPrivilegePermissionConditions; /** * Describe what action an entity can take. Enum: role,member,groups,settings,integrations,webhooks,service-tokens,environments,tags,audit-logs,ip-allowlist,workspace,secrets,secret-rollback,secret-approval,secret-rotation,identity,certificate-authorities,certificates,certificate-policies,kms,pki-alerts,pki-collections */ subject: string; } export interface ProjectIdentitySpecificPrivilegePermissionConditions { /** * The environment slug this permission should allow. */ environment: string; /** * The secret path this permission should be scoped to */ secretPath?: string; } export interface ProjectIdentitySpecificPrivilegePermissionsV2 { /** * Describe what actions an entity can take. */ actions: string[]; /** * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators. */ conditions?: string; /** * Whether rule forbids. Set this to true if permission forbids. */ inverted: boolean; /** * Describe the entity the permission pertains to. */ subject: string; } export interface ProjectRolePermission { /** * Describe what action an entity can take. Enum: create,edit,delete,read */ action: string; /** * The conditions to scope permissions */ conditions?: outputs.ProjectRolePermissionConditions; /** * Describe what action an entity can take. Enum: role,member,groups,settings,integrations,webhooks,service-tokens,environments,tags,audit-logs,ip-allowlist,workspace,secrets,secret-rollback,secret-approval,secret-rotation,identity,certificate-authorities,certificates,certificate-policies,kms,pki-alerts,pki-collections */ subject: string; } export interface ProjectRolePermissionConditions { /** * The environment slug this permission should allow. */ environment?: string; /** * The secret path this permission should be scoped to */ secretPath?: string; } export interface ProjectRolePermissionsV2 { /** * Describe what actions an entity can take. */ actions: string[]; /** * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators. */ conditions?: string; /** * Whether rule forbids. Set this to true if permission forbids. */ inverted: boolean; /** * Describe the entity the permission pertains to. */ subject: string; } export interface ProjectTemplateEnvironment { /** * The name of the environment */ name: string; /** * The position of the environment */ position: number; /** * The slug of the environment */ slug: string; } export interface ProjectTemplateRole { /** * The name of the role */ name: string; /** * The permissions assigned to the role. Refer to the documentation here https://infisical.com/docs/api-reference/endpoints/project-templates/create#body-roles-permissions for its usage. */ permissions: outputs.ProjectTemplateRolePermission[]; /** * The slug of the role */ slug: string; } export interface ProjectTemplateRolePermission { /** * Describe what actions an entity can take. */ actions: string[]; /** * When specified, only matching conditions will be allowed to access given resource. Refer to the documentation in https://infisical.com/docs/internals/permissions#conditions for the complete list of supported properties and operators. */ conditions?: string; /** * Whether rule forbids. Set this to true if permission forbids. */ inverted: boolean; /** * Describe the entity the permission pertains to. */ subject: string; } export interface ProjectUserRole { /** * The id of the custom role slug */ customRoleId: string; /** * The ID of the project user role. */ id: string; /** * Flag to indicate the assigned role is temporary or not. When<span pulumi-lang-nodejs=" isTemporary " pulumi-lang-dotnet=" IsTemporary " pulumi-lang-go=" isTemporary " pulumi-lang-python=" is_temporary " pulumi-lang-yaml=" isTemporary " pulumi-lang-java=" isTemporary " pulumi-lang-hcl=" is_temporary "> isTemporary </span>is true fields temporary_mode,<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and<span pulumi-lang-nodejs=" temporaryAccessStartTime " pulumi-lang-dotnet=" TemporaryAccessStartTime " pulumi-lang-go=" temporaryAccessStartTime " pulumi-lang-python=" temporary_access_start_time " pulumi-lang-yaml=" temporaryAccessStartTime " pulumi-lang-java=" temporaryAccessStartTime " pulumi-lang-hcl=" temporary_access_start_time "> temporaryAccessStartTime </span>is required. */ isTemporary: boolean; /** * The slug of the role */ roleSlug: string; /** * ISO time for which temporary access will end. Computed based on<span pulumi-lang-nodejs=" temporaryRange " pulumi-lang-dotnet=" TemporaryRange " pulumi-lang-go=" temporaryRange " pulumi-lang-python=" temporary_range " pulumi-lang-yaml=" temporaryRange " pulumi-lang-java=" temporaryRange " pulumi-lang-hcl=" temporary_range "> temporaryRange </span>and temporary_access_start_time */ temporaryAccessEndTime: string; /** * ISO time for which temporary access should begin. The current time is used by default. */ temporaryAccessStartTime: string; /** * Type of temporary access given. Types: relative. Default: relative */ temporaryMode: string; /** * TTL for the temporary time. Eg: 1m, 1h, 1d. Default: 1h */ temporaryRange: string; } export interface ProjectUserUser { /** * The email of the user */ email: string; /** * The first name of the user */ firstName: string; /** * The id of the user */ id: string; /** * The last name of the user */ lastName: string; } export interface SecretApprovalPolicyApprover { /** * The ID of the