diff --git a/Makefile b/Makefile index eda13357..33c70e4b 100644 --- a/Makefile +++ b/Makefile @@ -4,13 +4,12 @@ PROJECT_NAME ?= provider-vault PROJECT_REPO ?= github.com/upbound/$(PROJECT_NAME) -export TERRAFORM_VERSION ?= 1.3.9 +export TERRAFORM_VERSION := 1.5.5 export TERRAFORM_PROVIDER_SOURCE ?= hashicorp/vault export TERRAFORM_PROVIDER_REPO ?= https://github.com/hashicorp/terraform-provider-vault -export TERRAFORM_PROVIDER_VERSION ?= 3.15.0 +export TERRAFORM_PROVIDER_VERSION ?= 3.25.0 export TERRAFORM_PROVIDER_DOWNLOAD_NAME ?= terraform-provider-vault -export TERRAFORM_NATIVE_PROVIDER_BINARY ?= terraform-provider-null_v3.15.0_x5 export TERRAFORM_DOCS_PATH ?= website/docs/r PLATFORMS ?= linux_amd64 linux_arm64 diff --git a/apis/ad/v1alpha1/zz_generated_terraformed.go b/apis/ad/v1alpha1/zz_generated_terraformed.go index 6d7dce4b..3eec8e86 100755 --- a/apis/ad/v1alpha1/zz_generated_terraformed.go +++ b/apis/ad/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretRole diff --git a/apis/approle/v1alpha1/zz_authbackendlogin_types.go b/apis/approle/v1alpha1/zz_authbackendlogin_types.go index b8949b1a..61d6e81a 100755 --- a/apis/approle/v1alpha1/zz_authbackendlogin_types.go +++ b/apis/approle/v1alpha1/zz_authbackendlogin_types.go 
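Review bot: `export TERRAFORM_VERSION := 1.5.5` changes the assignment from `?=` to `:=` without a comment, so a value exported in the environment or by CI is now silently ignored, while the neighbouring `?=` variables (including `TERRAFORM_PROVIDER_VERSION`) can still be overridden. If the pin is deliberate, record the reason next to it, for example `# Pinned with := so the environment cannot override it: <reason for the pin>`. The same hunk drops `TERRAFORM_NATIVE_PROVIDER_BINARY`; the rest of the Makefile and the image build are outside this hunk, so it is worth confirming that nothing still reads that variable.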
@@ -29,11 +29,6 @@ type AuthBackendLoginInitParameters struct { // The ID of the role to log in with. // The RoleID to log in with. RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` - - // The secret ID of the role to log in with. Required - // unless bind_secret_id is set to false on the role. - // The SecretID to log in with. - SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"` } type AuthBackendLoginObservation struct { @@ -46,10 +41,6 @@ type AuthBackendLoginObservation struct { // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` - // The Vault token created. - // The token. - ClientToken *string `json:"clientToken,omitempty" tf:"client_token,omitempty"` - ID *string `json:"id,omitempty" tf:"id,omitempty"` // How long the token is valid for, in seconds. @@ -81,11 +72,6 @@ type AuthBackendLoginObservation struct { // The ID of the role to log in with. // The RoleID to log in with. RoleID *string `json:"roleId,omitempty" tf:"role_id,omitempty"` - - // The secret ID of the role to log in with. Required - // unless bind_secret_id is set to false on the role. - // The SecretID to log in with. - SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"` } type AuthBackendLoginParameters struct { @@ -112,7 +98,7 @@ type AuthBackendLoginParameters struct { // unless bind_secret_id is set to false on the role. // The SecretID to log in with. // +kubebuilder:validation:Optional - SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"` + SecretIDSecretRef *v1.SecretKeySelector `json:"secretIdSecretRef,omitempty" tf:"-"` } // AuthBackendLoginSpec defines the desired state of AuthBackendLogin diff --git a/apis/approle/v1alpha1/zz_generated.deepcopy.go b/apis/approle/v1alpha1/zz_generated.deepcopy.go index 2a1d8445..cb611e91 100644 --- a/apis/approle/v1alpha1/zz_generated.deepcopy.go +++ b/apis/approle/v1alpha1/zz_generated.deepcopy.go 
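Review bot: The `AuthBackendLoginObservation` and `AuthBackendLoginParameters` hunks change how credentials are stored, but no upgrade note accompanies them. Removing `ClientToken` and `SecretID` from the observation and replacing `SecretID` with `SecretIDSecretRef` keeps those values out of newly written objects; objects reconciled before this change may still hold both in plaintext in the API server's storage, backups and audit logs. Manifests that set `spec.forProvider.secretId` will presumably stop being accepted once the CRD is regenerated. Because this file is generated, the fix belongs in the release notes or the resource configuration: tell users to move the value into a Secret referenced by `secretIdSecretRef`, rotate the AppRole secret ID, and revoke login tokens that were previously written to `status.atProvider.clientToken`.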
@@ -59,11 +59,6 @@ func (in *AuthBackendLoginInitParameters) DeepCopyInto(out *AuthBackendLoginInit *out = new(string) **out = **in } - if in.SecretID != nil { - in, out := &in.SecretID, &out.SecretID - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendLoginInitParameters. @@ -121,11 +116,6 @@ func (in *AuthBackendLoginObservation) DeepCopyInto(out *AuthBackendLoginObserva *out = new(string) **out = **in } - if in.ClientToken != nil { - in, out := &in.ClientToken, &out.ClientToken - *out = new(string) - **out = **in - } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) @@ -182,11 +172,6 @@ func (in *AuthBackendLoginObservation) DeepCopyInto(out *AuthBackendLoginObserva *out = new(string) **out = **in } - if in.SecretID != nil { - in, out := &in.SecretID, &out.SecretID - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendLoginObservation. @@ -217,9 +202,9 @@ func (in *AuthBackendLoginParameters) DeepCopyInto(out *AuthBackendLoginParamete *out = new(string) **out = **in } - if in.SecretID != nil { - in, out := &in.SecretID, &out.SecretID - *out = new(string) + if in.SecretIDSecretRef != nil { + in, out := &in.SecretIDSecretRef, &out.SecretIDSecretRef + *out = new(v1.SecretKeySelector) **out = **in } } diff --git a/apis/approle/v1alpha1/zz_generated_terraformed.go b/apis/approle/v1alpha1/zz_generated_terraformed.go index 20e824d4..cd38d6ee 100755 --- a/apis/approle/v1alpha1/zz_generated_terraformed.go +++ b/apis/approle/v1alpha1/zz_generated_terraformed.go 
@@ -20,7 +20,7 @@ func (mg *AuthBackendLogin) GetTerraformResourceType() string { // GetConnectionDetailsMapping for this AuthBackendLogin func (tr *AuthBackendLogin) GetConnectionDetailsMapping() map[string]string { - return nil + return map[string]string{"client_token": "status.atProvider.clientToken", "secret_id": "spec.forProvider.secretIdSecretRef"} } // GetObservation of this AuthBackendLogin diff --git a/apis/aws/v1alpha1/zz_authbackendclient_types.go b/apis/aws/v1alpha1/zz_authbackendclient_types.go index 812e4cf2..b235fb73 100755 --- a/apis/aws/v1alpha1/zz_authbackendclient_types.go +++ b/apis/aws/v1alpha1/zz_authbackendclient_types.go @@ -52,6 +52,14 @@ type AuthBackendClientInitParameters struct { // calls. The sts_endpoint argument must be set when using sts_region. // Region to override the default region for making AWS STS API calls. StsRegion *string `json:"stsRegion,omitempty" tf:"sts_region,omitempty"` + + // Available in Vault v1.15+. If set, + // overrides both sts_endpoint and sts_region to instead use the region + // specified in the client request headers for IAM-based authentication. + // This can be useful when you have client requests coming from different + // regions and want flexibility in which regional STS API is used. + // If set, will override sts_region and use the region from the client request's header + UseStsRegionFromClient *bool `json:"useStsRegionFromClient,omitempty" tf:"use_sts_region_from_client,omitempty"` } type AuthBackendClientObservation struct { 
@@ -95,6 +103,14 @@ type AuthBackendClientObservation struct { // calls. The sts_endpoint argument must be set when using sts_region. // Region to override the default region for making AWS STS API calls. StsRegion *string `json:"stsRegion,omitempty" tf:"sts_region,omitempty"` + + // Available in Vault v1.15+. If set, + // overrides both sts_endpoint and sts_region to instead use the region + // specified in the client request headers for IAM-based authentication. + // This can be useful when you have client requests coming from different + // regions and want flexibility in which regional STS API is used. + // If set, will override sts_region and use the region from the client request's header + UseStsRegionFromClient *bool `json:"useStsRegionFromClient,omitempty" tf:"use_sts_region_from_client,omitempty"` } type AuthBackendClientParameters struct { @@ -155,6 +171,15 @@ type AuthBackendClientParameters struct { // Region to override the default region for making AWS STS API calls. // +kubebuilder:validation:Optional StsRegion *string `json:"stsRegion,omitempty" tf:"sts_region,omitempty"` + + // Available in Vault v1.15+. If set, + // overrides both sts_endpoint and sts_region to instead use the region + // specified in the client request headers for IAM-based authentication. + // This can be useful when you have client requests coming from different + // regions and want flexibility in which regional STS API is used. + // If set, will override sts_region and use the region from the client request's header + // +kubebuilder:validation:Optional + UseStsRegionFromClient *bool `json:"useStsRegionFromClient,omitempty" tf:"use_sts_region_from_client,omitempty"` } // AuthBackendClientSpec defines the desired state of AuthBackendClient diff --git a/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go b/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go index 9facbc32..3558538e 100755 --- a/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go 
+++ b/apis/aws/v1alpha1/zz_authbackendconfigidentity_types.go @@ -37,6 +37,13 @@ type AuthBackendConfigIdentityInitParameters struct { // added to both audit logs, and on the iam_alias // The metadata to include on the token returned by the login endpoint. IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } type AuthBackendConfigIdentityObservation struct { @@ -65,6 +72,13 @@ type AuthBackendConfigIdentityObservation struct { IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } type AuthBackendConfigIdentityParameters struct { 
@@ -96,6 +110,14 @@ type AuthBackendConfigIdentityParameters struct { // The metadata to include on the token returned by the login endpoint. // +kubebuilder:validation:Optional IAMMetadata []*string `json:"iamMetadata,omitempty" tf:"iam_metadata,omitempty"` + + // The namespace to provision the resource in. + // The value should not contain leading or trailing forward slashes. + // The namespace is always relative to the provider's configured namespace. + // Available only for Vault Enterprise. + // Target namespace. (requires Enterprise) + // +kubebuilder:validation:Optional + Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` } // AuthBackendConfigIdentitySpec defines the desired state of AuthBackendConfigIdentity diff --git a/apis/aws/v1alpha1/zz_authbackendrole_types.go b/apis/aws/v1alpha1/zz_authbackendrole_types.go index da83b02c..6d51fbf5 100755 --- a/apis/aws/v1alpha1/zz_authbackendrole_types.go +++ b/apis/aws/v1alpha1/zz_authbackendrole_types.go @@ -25,6 +25,7 @@ type AuthBackendRoleInitParameters struct { // The auth type permitted for this role. AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // Path to the mounted aws auth backend. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` @@ -209,6 +210,7 @@ type AuthBackendRoleObservation struct { // The auth type permitted for this role. AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // Path to the mounted aws auth backend. // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` 
@@ -401,6 +403,7 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // Path to the mounted aws auth backend. // Unique name of the auth backend to configure. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` diff --git a/apis/aws/v1alpha1/zz_generated.deepcopy.go b/apis/aws/v1alpha1/zz_generated.deepcopy.go index af8957cf..ff2f2558 100644 --- a/apis/aws/v1alpha1/zz_generated.deepcopy.go +++ b/apis/aws/v1alpha1/zz_generated.deepcopy.go @@ -298,6 +298,11 @@ func (in *AuthBackendClientInitParameters) DeepCopyInto(out *AuthBackendClientIn *out = new(string) **out = **in } + if in.UseStsRegionFromClient != nil { + in, out := &in.UseStsRegionFromClient, &out.UseStsRegionFromClient + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendClientInitParameters. @@ -385,6 +390,11 @@ func (in *AuthBackendClientObservation) DeepCopyInto(out *AuthBackendClientObser *out = new(string) **out = **in } + if in.UseStsRegionFromClient != nil { + in, out := &in.UseStsRegionFromClient, &out.UseStsRegionFromClient + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendClientObservation. @@ -445,6 +455,11 @@ func (in *AuthBackendClientParameters) DeepCopyInto(out *AuthBackendClientParame *out = new(string) **out = **in } + if in.UseStsRegionFromClient != nil { + in, out := &in.UseStsRegionFromClient, &out.UseStsRegionFromClient + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendClientParameters. 
@@ -559,6 +574,11 @@ func (in *AuthBackendConfigIdentityInitParameters) DeepCopyInto(out *AuthBackend } } } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigIdentityInitParameters. @@ -648,6 +668,11 @@ func (in *AuthBackendConfigIdentityObservation) DeepCopyInto(out *AuthBackendCon *out = new(string) **out = **in } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigIdentityObservation. @@ -700,6 +725,11 @@ func (in *AuthBackendConfigIdentityParameters) DeepCopyInto(out *AuthBackendConf } } } + if in.Namespace != nil { + in, out := &in.Namespace, &out.Namespace + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendConfigIdentityParameters. @@ -2828,6 +2858,26 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } if in.MaxLeaseTTLSeconds != nil { in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds *out = new(float64) 
@@ -2848,6 +2898,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.StsEndpoint != nil { in, out := &in.StsEndpoint, &out.StsEndpoint *out = new(string) @@ -2930,6 +2985,26 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } if in.MaxLeaseTTLSeconds != nil { in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds *out = new(float64) @@ -2950,6 +3025,11 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.StsEndpoint != nil { in, out := &in.StsEndpoint, &out.StsEndpoint *out = new(string) 
@@ -3000,6 +3080,26 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.Local != nil { + in, out := &in.Local, &out.Local + *out = new(bool) + **out = **in + } if in.MaxLeaseTTLSeconds != nil { in, out := &in.MaxLeaseTTLSeconds, &out.MaxLeaseTTLSeconds *out = new(float64) @@ -3020,6 +3120,11 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.SecretKeySecretRef != nil { in, out := &in.SecretKeySecretRef, &out.SecretKeySecretRef *out = new(v1.SecretKeySelector) diff --git a/apis/aws/v1alpha1/zz_generated_terraformed.go b/apis/aws/v1alpha1/zz_generated_terraformed.go index d3b5d785..049239c6 100755 --- a/apis/aws/v1alpha1/zz_generated_terraformed.go +++ b/apis/aws/v1alpha1/zz_generated_terraformed.go @@ -850,7 +850,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole diff --git a/apis/aws/v1alpha1/zz_secretbackend_types.go b/apis/aws/v1alpha1/zz_secretbackend_types.go index 2f5f93c3..9a291ba0 100755 --- a/apis/aws/v1alpha1/zz_secretbackend_types.go +++ b/apis/aws/v1alpha1/zz_secretbackend_types.go 
@@ -33,6 +33,22 @@ type SecretBackendInitParameters struct { // Specifies a custom HTTP IAM endpoint to use. IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"` + // The audience claim value. Requires Vault 1.16+. + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.16+. + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.16+. + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. + // Specifies if the secret backend is local only + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The maximum TTL that can be requested // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds @@ -54,6 +70,10 @@ type SecretBackendInitParameters struct { // The AWS region to make API calls against. Defaults to us-east-1. Region *string `json:"region,omitempty" tf:"region,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. + // Role ARN to assume for plugin identity token federation. + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // Specifies a custom HTTP STS endpoint to use. // Specifies a custom HTTP STS endpoint to use. StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"` 
@@ -85,6 +105,22 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value. Requires Vault 1.16+. + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.16+. + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.16+. + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. + // Specifies if the secret backend is local only + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The maximum TTL that can be requested // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds @@ -106,6 +142,10 @@ type SecretBackendObservation struct { // The AWS region to make API calls against. Defaults to us-east-1. Region *string `json:"region,omitempty" tf:"region,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. + // Role ARN to assume for plugin identity token federation. + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // Specifies a custom HTTP STS endpoint to use. // Specifies a custom HTTP STS endpoint to use. StsEndpoint *string `json:"stsEndpoint,omitempty" tf:"sts_endpoint,omitempty"` 
@@ -145,6 +185,26 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional IAMEndpoint *string `json:"iamEndpoint,omitempty" tf:"iam_endpoint,omitempty"` + // The audience claim value. Requires Vault 1.16+. + // The audience claim value. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.16+. + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.16+. + // The TTL of generated identity tokens in seconds. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. + // Specifies if the secret backend is local only + // +kubebuilder:validation:Optional + Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // The maximum TTL that can be requested // for credentials issued by this backend. // Maximum possible lease duration for secrets in seconds 
@@ -170,6 +230,11 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Region *string `json:"region,omitempty" tf:"region,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. + // Role ARN to assume for plugin identity token federation. + // +kubebuilder:validation:Optional + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // The AWS Secret Key this backend should use to // issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. // The AWS Secret Access Key to use when generating new credentials. diff --git a/apis/azure/v1alpha1/zz_generated.deepcopy.go b/apis/azure/v1alpha1/zz_generated.deepcopy.go index 88b39966..595801e2 100644 --- a/apis/azure/v1alpha1/zz_generated.deepcopy.go +++ b/apis/azure/v1alpha1/zz_generated.deepcopy.go @@ -1222,16 +1222,37 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.PermanentlyDelete != nil { + in, out := &in.PermanentlyDelete, &out.PermanentlyDelete + *out = new(bool) + **out = **in + } if in.Role != nil { in, out := &in.Role, &out.Role *out = new(string) **out = **in } + if in.SignInAudience != nil { + in, out := &in.SignInAudience, &out.SignInAudience + *out = new(string) + **out = **in + } if in.TTL != nil { in, out := &in.TTL, &out.TTL *out = new(string) **out = **in } + if in.Tags != nil { + in, out := &in.Tags, &out.Tags + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. 
@@ -1323,16 +1344,37 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(string) **out = **in } + if in.PermanentlyDelete != nil { + in, out := &in.PermanentlyDelete, &out.PermanentlyDelete + *out = new(bool) + **out = **in + } if in.Role != nil { in, out := &in.Role, &out.Role *out = new(string) **out = **in } + if in.SignInAudience != nil { + in, out := &in.SignInAudience, &out.SignInAudience + *out = new(string) + **out = **in + } if in.TTL != nil { in, out := &in.TTL, &out.TTL *out = new(string) **out = **in } + if in.Tags != nil { + in, out := &in.Tags, &out.Tags + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleObservation. @@ -1387,16 +1429,37 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.PermanentlyDelete != nil { + in, out := &in.PermanentlyDelete, &out.PermanentlyDelete + *out = new(bool) + **out = **in + } if in.Role != nil { in, out := &in.Role, &out.Role *out = new(string) **out = **in } + if in.SignInAudience != nil { + in, out := &in.SignInAudience, &out.SignInAudience + *out = new(string) + **out = **in + } if in.TTL != nil { in, out := &in.TTL, &out.TTL *out = new(string) **out = **in } + if in.Tags != nil { + in, out := &in.Tags, &out.Tags + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleParameters. diff --git a/apis/azure/v1alpha1/zz_generated_terraformed.go b/apis/azure/v1alpha1/zz_generated_terraformed.go index 4fab660b..b2a603b9 100755 --- a/apis/azure/v1alpha1/zz_generated_terraformed.go 
+++ b/apis/azure/v1alpha1/zz_generated_terraformed.go @@ -262,7 +262,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole diff --git a/apis/azure/v1alpha1/zz_secretbackendrole_types.go b/apis/azure/v1alpha1/zz_secretbackendrole_types.go index 060a9d31..846c5389 100755 --- a/apis/azure/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/azure/v1alpha1/zz_secretbackendrole_types.go @@ -60,7 +60,7 @@ type AzureRolesParameters struct { type SecretBackendRoleInitParameters struct { // Application Object ID for an existing service principal that will - // be used instead of creating dynamic service principals. If present, azure_roles will be ignored. + // be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. // Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. ApplicationObjectID *string `json:"applicationObjectId,omitempty" tf:"application_object_id,omitempty"` 
@@ -89,20 +89,34 @@ type SecretBackendRoleInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Indicates whether the applications and service principals created by Vault will be permanently + // deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. + // Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. + PermanentlyDelete *bool `json:"permanentlyDelete,omitempty" tf:"permanently_delete,omitempty"` + // Name of the Azure role // Name of the role to create Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Specifies the security principal types that are allowed to sign in to the application. + // Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. + // Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount + SignInAudience *string `json:"signInAudience,omitempty" tf:"sign_in_audience,omitempty"` + // – Specifies the default TTL for service principals generated using this role. // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. // Human-friendly description of the mount for the backend. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // - A list of Azure tags to attach to an application. Requires Vault 1.16+. + // Comma-separated strings of Azure tags to attach to an application. + Tags []*string `json:"tags,omitempty" tf:"tags,omitempty"` } type SecretBackendRoleObservation struct { // Application Object ID for an existing service principal that will - // be used instead of creating dynamic service principals. 
If present, azure_roles will be ignored. + // be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. // Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. ApplicationObjectID *string `json:"applicationObjectId,omitempty" tf:"application_object_id,omitempty"` 
@@ -133,20 +147,34 @@ type SecretBackendRoleObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Indicates whether the applications and service principals created by Vault will be permanently + // deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. + // Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. + PermanentlyDelete *bool `json:"permanentlyDelete,omitempty" tf:"permanently_delete,omitempty"` + // Name of the Azure role // Name of the role to create Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Specifies the security principal types that are allowed to sign in to the application. + // Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. + // Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount + SignInAudience *string `json:"signInAudience,omitempty" tf:"sign_in_audience,omitempty"` + // – Specifies the default TTL for service principals generated using this role. // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. // Human-friendly description of the mount for the backend. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // - A list of Azure tags to attach to an application. Requires Vault 1.16+. + // Comma-separated strings of Azure tags to attach to an application. + Tags []*string `json:"tags,omitempty" tf:"tags,omitempty"` } type SecretBackendRoleParameters struct { // Application Object ID for an existing service principal that will - // be used instead of creating dynamic service principals. 
If present, azure_roles will be ignored. + // be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. // Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. // +kubebuilder:validation:Optional ApplicationObjectID *string `json:"applicationObjectId,omitempty" tf:"application_object_id,omitempty"` 
@@ -182,16 +210,33 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Indicates whether the applications and service principals created by Vault will be permanently + // deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. + // Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. + // +kubebuilder:validation:Optional + PermanentlyDelete *bool `json:"permanentlyDelete,omitempty" tf:"permanently_delete,omitempty"` + // Name of the Azure role // Name of the role to create // +kubebuilder:validation:Optional Role *string `json:"role,omitempty" tf:"role,omitempty"` + // Specifies the security principal types that are allowed to sign in to the application. + // Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. + // Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount + // +kubebuilder:validation:Optional + SignInAudience *string `json:"signInAudience,omitempty" tf:"sign_in_audience,omitempty"` + // – Specifies the default TTL for service principals generated using this role. // Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. // Human-friendly description of the mount for the backend. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + + // - A list of Azure tags to attach to an application. Requires Vault 1.16+. + // Comma-separated strings of Azure tags to attach to an application. 
+ // +kubebuilder:validation:Optional + Tags []*string `json:"tags,omitempty" tf:"tags,omitempty"` } // SecretBackendRoleSpec defines the desired state of SecretBackendRole diff --git a/apis/cert/v1alpha1/zz_authbackendrole_types.go b/apis/cert/v1alpha1/zz_authbackendrole_types.go index 694ae54c..e8beb98f 100755 --- a/apis/cert/v1alpha1/zz_authbackendrole_types.go +++ b/apis/cert/v1alpha1/zz_authbackendrole_types.go @@ -39,6 +39,21 @@ type AuthBackendRoleInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. + OcspCACertificates *string `json:"ocspCaCertificates,omitempty" tf:"ocsp_ca_certificates,omitempty"` + + // If enabled, validate certificates' revocation status using OCSP. + OcspEnabled *bool `json:"ocspEnabled,omitempty" tf:"ocsp_enabled,omitempty"` + + // If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. + OcspFailOpen *bool `json:"ocspFailOpen,omitempty" tf:"ocsp_fail_open,omitempty"` + + // If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. + OcspQueryAllServers *bool `json:"ocspQueryAllServers,omitempty" tf:"ocsp_query_all_servers,omitempty"` + + // A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. + OcspServersOverride []*string `json:"ocspServersOverride,omitempty" tf:"ocsp_servers_override,omitempty"` + RequiredExtensions []*string `json:"requiredExtensions,omitempty" tf:"required_extensions,omitempty"` // Specifies the blocks of IP addresses which are allowed to use the generated token 
@@ -97,6 +112,21 @@ type AuthBackendRoleObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. + OcspCACertificates *string `json:"ocspCaCertificates,omitempty" tf:"ocsp_ca_certificates,omitempty"` + + // If enabled, validate certificates' revocation status using OCSP. + OcspEnabled *bool `json:"ocspEnabled,omitempty" tf:"ocsp_enabled,omitempty"` + + // If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. + OcspFailOpen *bool `json:"ocspFailOpen,omitempty" tf:"ocsp_fail_open,omitempty"` + + // If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. + OcspQueryAllServers *bool `json:"ocspQueryAllServers,omitempty" tf:"ocsp_query_all_servers,omitempty"` + + // A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. + OcspServersOverride []*string `json:"ocspServersOverride,omitempty" tf:"ocsp_servers_override,omitempty"` + RequiredExtensions []*string `json:"requiredExtensions,omitempty" tf:"required_extensions,omitempty"` // Specifies the blocks of IP addresses which are allowed to use the generated token 
@@ -166,6 +196,26 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. + // +kubebuilder:validation:Optional + OcspCACertificates *string `json:"ocspCaCertificates,omitempty" tf:"ocsp_ca_certificates,omitempty"` + + // If enabled, validate certificates' revocation status using OCSP. + // +kubebuilder:validation:Optional + OcspEnabled *bool `json:"ocspEnabled,omitempty" tf:"ocsp_enabled,omitempty"` + + // If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. + // +kubebuilder:validation:Optional + OcspFailOpen *bool `json:"ocspFailOpen,omitempty" tf:"ocsp_fail_open,omitempty"` + + // If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. + // +kubebuilder:validation:Optional + OcspQueryAllServers *bool `json:"ocspQueryAllServers,omitempty" tf:"ocsp_query_all_servers,omitempty"` + + // A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. + // +kubebuilder:validation:Optional + OcspServersOverride []*string `json:"ocspServersOverride,omitempty" tf:"ocsp_servers_override,omitempty"` + // +kubebuilder:validation:Optional RequiredExtensions []*string `json:"requiredExtensions,omitempty" tf:"required_extensions,omitempty"` diff --git a/apis/cert/v1alpha1/zz_generated.deepcopy.go b/apis/cert/v1alpha1/zz_generated.deepcopy.go index 106e31c9..31654b24 100644 --- a/apis/cert/v1alpha1/zz_generated.deepcopy.go +++ b/apis/cert/v1alpha1/zz_generated.deepcopy.go 
@@ -145,6 +145,37 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa *out = new(string) **out = **in } + if in.OcspCACertificates != nil { + in, out := &in.OcspCACertificates, &out.OcspCACertificates + *out = new(string) + **out = **in + } + if in.OcspEnabled != nil { + in, out := &in.OcspEnabled, &out.OcspEnabled + *out = new(bool) + **out = **in + } + if in.OcspFailOpen != nil { + in, out := &in.OcspFailOpen, &out.OcspFailOpen + *out = new(bool) + **out = **in + } + if in.OcspQueryAllServers != nil { + in, out := &in.OcspQueryAllServers, &out.OcspQueryAllServers + *out = new(bool) + **out = **in + } + if in.OcspServersOverride != nil { + in, out := &in.OcspServersOverride, &out.OcspServersOverride + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.RequiredExtensions != nil { in, out := &in.RequiredExtensions, &out.RequiredExtensions *out = make([]*string, len(*in)) 
@@ -367,6 +398,37 @@ func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservati *out = new(string) **out = **in } + if in.OcspCACertificates != nil { + in, out := &in.OcspCACertificates, &out.OcspCACertificates + *out = new(string) + **out = **in + } + if in.OcspEnabled != nil { + in, out := &in.OcspEnabled, &out.OcspEnabled + *out = new(bool) + **out = **in + } + if in.OcspFailOpen != nil { + in, out := &in.OcspFailOpen, &out.OcspFailOpen + *out = new(bool) + **out = **in + } + if in.OcspQueryAllServers != nil { + in, out := &in.OcspQueryAllServers, &out.OcspQueryAllServers + *out = new(bool) + **out = **in + } + if in.OcspServersOverride != nil { + in, out := &in.OcspServersOverride, &out.OcspServersOverride + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.RequiredExtensions != nil { in, out := &in.RequiredExtensions, &out.RequiredExtensions *out = make([]*string, len(*in)) 
@@ -552,6 +614,37 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters *out = new(string) **out = **in } + if in.OcspCACertificates != nil { + in, out := &in.OcspCACertificates, &out.OcspCACertificates + *out = new(string) + **out = **in + } + if in.OcspEnabled != nil { + in, out := &in.OcspEnabled, &out.OcspEnabled + *out = new(bool) + **out = **in + } + if in.OcspFailOpen != nil { + in, out := &in.OcspFailOpen, &out.OcspFailOpen + *out = new(bool) + **out = **in + } + if in.OcspQueryAllServers != nil { + in, out := &in.OcspQueryAllServers, &out.OcspQueryAllServers + *out = new(bool) + **out = **in + } + if in.OcspServersOverride != nil { + in, out := &in.OcspServersOverride, &out.OcspServersOverride + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.RequiredExtensions != nil { in, out := &in.RequiredExtensions, &out.RequiredExtensions *out = make([]*string, len(*in)) diff --git a/apis/consul/v1alpha1/zz_generated_terraformed.go b/apis/consul/v1alpha1/zz_generated_terraformed.go index 1072eeb6..7fedc89c 100755 --- a/apis/consul/v1alpha1/zz_generated_terraformed.go +++ b/apis/consul/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole diff --git a/apis/database/v1alpha1/zz_generated.deepcopy.go b/apis/database/v1alpha1/zz_generated.deepcopy.go index 97a9324f..fdf9c0f4 100644 --- a/apis/database/v1alpha1/zz_generated.deepcopy.go +++ b/apis/database/v1alpha1/zz_generated.deepcopy.go 
@@ -1227,6 +1227,11 @@ func (in *MssqlParameters) DeepCopy() *MssqlParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLAuroraInitParameters) DeepCopyInto(out *MySQLAuroraInitParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1247,6 +1252,11 @@ func (in *MySQLAuroraInitParameters) DeepCopyInto(out *MySQLAuroraInitParameters *out = new(float64) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1272,6 +1282,11 @@ func (in *MySQLAuroraInitParameters) DeepCopy() *MySQLAuroraInitParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLAuroraObservation) DeepCopyInto(out *MySQLAuroraObservation) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1292,6 +1307,11 @@ func (in *MySQLAuroraObservation) DeepCopyInto(out *MySQLAuroraObservation) { *out = new(float64) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1317,6 +1337,11 @@ func (in *MySQLAuroraObservation) DeepCopy() *MySQLAuroraObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLAuroraParameters) DeepCopyInto(out *MySQLAuroraParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1342,6 +1367,21 @@ func (in *MySQLAuroraParameters) DeepCopyInto(out *MySQLAuroraParameters) { *out = new(v1.SecretKeySelector) **out = **in } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1367,6 +1407,11 @@ func (in *MySQLAuroraParameters) DeepCopy() *MySQLAuroraParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLInitParameters) DeepCopyInto(out *MySQLInitParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) 
@@ -1417,6 +1462,11 @@ func (in *MySQLInitParameters) DeepCopy() *MySQLInitParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLLegacyInitParameters) DeepCopyInto(out *MySQLLegacyInitParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1437,6 +1487,11 @@ func (in *MySQLLegacyInitParameters) DeepCopyInto(out *MySQLLegacyInitParameters *out = new(float64) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1462,6 +1517,11 @@ func (in *MySQLLegacyInitParameters) DeepCopy() *MySQLLegacyInitParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLLegacyObservation) DeepCopyInto(out *MySQLLegacyObservation) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1482,6 +1542,11 @@ func (in *MySQLLegacyObservation) DeepCopyInto(out *MySQLLegacyObservation) { *out = new(float64) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1507,6 +1572,11 @@ func (in *MySQLLegacyObservation) DeepCopy() *MySQLLegacyObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLLegacyParameters) DeepCopyInto(out *MySQLLegacyParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1532,6 +1602,21 @@ func (in *MySQLLegacyParameters) DeepCopyInto(out *MySQLLegacyParameters) { *out = new(v1.SecretKeySelector) **out = **in } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1557,6 +1642,11 @@ func (in *MySQLLegacyParameters) DeepCopy() *MySQLLegacyParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLObservation) DeepCopyInto(out *MySQLObservation) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) 
@@ -1607,6 +1697,11 @@ func (in *MySQLObservation) DeepCopy() *MySQLObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLParameters) DeepCopyInto(out *MySQLParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1632,6 +1727,11 @@ func (in *MySQLParameters) DeepCopyInto(out *MySQLParameters) { *out = new(v1.SecretKeySelector) **out = **in } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) @@ -1667,6 +1767,11 @@ func (in *MySQLParameters) DeepCopy() *MySQLParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLRDSInitParameters) DeepCopyInto(out *MySQLRDSInitParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1687,6 +1792,11 @@ func (in *MySQLRDSInitParameters) DeepCopyInto(out *MySQLRDSInitParameters) { *out = new(float64) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1712,6 +1822,11 @@ func (in *MySQLRDSInitParameters) DeepCopy() *MySQLRDSInitParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLRDSObservation) DeepCopyInto(out *MySQLRDSObservation) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1732,6 +1847,11 @@ func (in *MySQLRDSObservation) DeepCopyInto(out *MySQLRDSObservation) { *out = new(float64) **out = **in } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1757,6 +1877,11 @@ func (in *MySQLRDSObservation) DeepCopy() *MySQLRDSObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MySQLRDSParameters) DeepCopyInto(out *MySQLRDSParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1782,6 +1907,21 @@ func (in *MySQLRDSParameters) DeepCopyInto(out *MySQLRDSParameters) { *out = new(v1.SecretKeySelector) **out = **in } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -1812,6 +1952,11 @@ func (in *OracleInitParameters) DeepCopyInto(out *OracleInitParameters) { *out = new(string) **out = **in } + if in.DisconnectSessions != nil { + in, out := &in.DisconnectSessions, &out.DisconnectSessions + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -1827,6 +1972,11 @@ func (in *OracleInitParameters) DeepCopyInto(out *OracleInitParameters) { *out = new(float64) **out = **in } + if in.SplitStatements != nil { + in, out := &in.SplitStatements, &out.SplitStatements + *out = new(bool) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1857,6 +2007,11 @@ func (in *OracleObservation) DeepCopyInto(out *OracleObservation) { *out = new(string) **out = **in } + if in.DisconnectSessions != nil { + in, out := &in.DisconnectSessions, &out.DisconnectSessions + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -1872,6 +2027,11 @@ func (in *OracleObservation) DeepCopyInto(out *OracleObservation) { *out = new(float64) **out = **in } + if in.SplitStatements != nil { + in, out := &in.SplitStatements, &out.SplitStatements + *out = new(bool) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1902,6 +2062,11 @@ func (in *OracleParameters) DeepCopyInto(out *OracleParameters) { *out = new(string) **out = **in } + if in.DisconnectSessions != nil { + in, out := &in.DisconnectSessions, &out.DisconnectSessions + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) 
@@ -1922,6 +2087,11 @@ func (in *OracleParameters) DeepCopyInto(out *OracleParameters) { *out = new(v1.SecretKeySelector) **out = **in } + if in.SplitStatements != nil { + in, out := &in.SplitStatements, &out.SplitStatements + *out = new(bool) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -1947,6 +2117,11 @@ func (in *OracleParameters) DeepCopy() *OracleParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PostgresqlInitParameters) DeepCopyInto(out *PostgresqlInitParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -1997,6 +2172,11 @@ func (in *PostgresqlInitParameters) DeepCopy() *PostgresqlInitParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PostgresqlObservation) DeepCopyInto(out *PostgresqlObservation) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -2047,6 +2227,11 @@ func (in *PostgresqlObservation) DeepCopy() *PostgresqlObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PostgresqlParameters) DeepCopyInto(out *PostgresqlParameters) { *out = *in + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) 
@@ -2077,6 +2262,11 @@ func (in *PostgresqlParameters) DeepCopyInto(out *PostgresqlParameters) { *out = new(v1.SecretKeySelector) **out = **in } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -3229,6 +3419,26 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn } } } + if in.CredentialConfig != nil { + in, out := &in.CredentialConfig, &out.CredentialConfig + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.CredentialType != nil { + in, out := &in.CredentialType, &out.CredentialType + *out = new(string) + **out = **in + } if in.DBName != nil { in, out := &in.DBName, &out.DBName *out = new(string) @@ -3350,6 +3560,26 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } + if in.CredentialConfig != nil { + in, out := &in.CredentialConfig, &out.CredentialConfig + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.CredentialType != nil { + in, out := &in.CredentialType, &out.CredentialType + *out = new(string) + **out = **in + } if in.DBName != nil { in, out := &in.DBName, &out.DBName *out = new(string) 
@@ -3444,6 +3674,26 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame } } } + if in.CredentialConfig != nil { + in, out := &in.CredentialConfig, &out.CredentialConfig + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.CredentialType != nil { + in, out := &in.CredentialType, &out.CredentialType + *out = new(string) + **out = **in + } if in.DBName != nil { in, out := &in.DBName, &out.DBName *out = new(string) @@ -3604,6 +3854,11 @@ func (in *SecretBackendStaticRoleInitParameters) DeepCopyInto(out *SecretBackend *out = new(float64) **out = **in } + if in.RotationSchedule != nil { + in, out := &in.RotationSchedule, &out.RotationSchedule + *out = new(string) + **out = **in + } if in.RotationStatements != nil { in, out := &in.RotationStatements, &out.RotationStatements *out = make([]*string, len(*in)) @@ -3615,6 +3870,11 @@ func (in *SecretBackendStaticRoleInitParameters) DeepCopyInto(out *SecretBackend } } } + if in.RotationWindow != nil { + in, out := &in.RotationWindow, &out.RotationWindow + *out = new(float64) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -3697,6 +3957,11 @@ func (in *SecretBackendStaticRoleObservation) DeepCopyInto(out *SecretBackendSta *out = new(float64) **out = **in } + if in.RotationSchedule != nil { + in, out := &in.RotationSchedule, &out.RotationSchedule + *out = new(string) + **out = **in + } if in.RotationStatements != nil { in, out := &in.RotationStatements, &out.RotationStatements *out = make([]*string, len(*in)) 
@@ -3708,6 +3973,11 @@ func (in *SecretBackendStaticRoleObservation) DeepCopyInto(out *SecretBackendSta } } } + if in.RotationWindow != nil { + in, out := &in.RotationWindow, &out.RotationWindow + *out = new(float64) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -3753,6 +4023,11 @@ func (in *SecretBackendStaticRoleParameters) DeepCopyInto(out *SecretBackendStat *out = new(float64) **out = **in } + if in.RotationSchedule != nil { + in, out := &in.RotationSchedule, &out.RotationSchedule + *out = new(string) + **out = **in + } if in.RotationStatements != nil { in, out := &in.RotationStatements, &out.RotationStatements *out = make([]*string, len(*in)) @@ -3764,6 +4039,11 @@ func (in *SecretBackendStaticRoleParameters) DeepCopyInto(out *SecretBackendStat } } } + if in.RotationWindow != nil { + in, out := &in.RotationWindow, &out.RotationWindow + *out = new(float64) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -6576,6 +6856,11 @@ func (in *SecretsMountMySQLAuroraInitParameters) DeepCopyInto(out *SecretsMountM } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -6632,6 +6917,11 @@ func (in *SecretsMountMySQLAuroraInitParameters) DeepCopyInto(out *SecretsMountM } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -6673,6 +6963,11 @@ func (in *SecretsMountMySQLAuroraObservation) DeepCopyInto(out *SecretsMountMySQ } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) 
@@ -6729,6 +7024,11 @@ func (in *SecretsMountMySQLAuroraObservation) DeepCopyInto(out *SecretsMountMySQ } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -6770,6 +7070,11 @@ func (in *SecretsMountMySQLAuroraParameters) DeepCopyInto(out *SecretsMountMySQL } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -6831,6 +7136,21 @@ func (in *SecretsMountMySQLAuroraParameters) DeepCopyInto(out *SecretsMountMySQL } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -6872,6 +7192,11 @@ func (in *SecretsMountMySQLInitParameters) DeepCopyInto(out *SecretsMountMySQLIn } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -6974,6 +7299,11 @@ func (in *SecretsMountMySQLLegacyInitParameters) DeepCopyInto(out *SecretsMountM } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) 
@@ -7030,6 +7360,11 @@ func (in *SecretsMountMySQLLegacyInitParameters) DeepCopyInto(out *SecretsMountM } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -7071,6 +7406,11 @@ func (in *SecretsMountMySQLLegacyObservation) DeepCopyInto(out *SecretsMountMySQ } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -7127,6 +7467,11 @@ func (in *SecretsMountMySQLLegacyObservation) DeepCopyInto(out *SecretsMountMySQ } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -7168,6 +7513,11 @@ func (in *SecretsMountMySQLLegacyParameters) DeepCopyInto(out *SecretsMountMySQL } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -7229,6 +7579,21 @@ func (in *SecretsMountMySQLLegacyParameters) DeepCopyInto(out *SecretsMountMySQL } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -7270,6 +7635,11 @@ func (in *SecretsMountMySQLObservation) DeepCopyInto(out *SecretsMountMySQLObser } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -7372,6 +7742,11 @@ func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParame } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -7433,6 +7808,11 @@ func (in *SecretsMountMySQLParameters) DeepCopyInto(out *SecretsMountMySQLParame } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.TLSCA != nil { in, out := &in.TLSCA, &out.TLSCA *out = new(string) @@ -7484,6 +7864,11 @@ func (in *SecretsMountMySQLRDSInitParameters) DeepCopyInto(out *SecretsMountMySQ } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -7540,6 +7925,11 @@ func (in *SecretsMountMySQLRDSInitParameters) DeepCopyInto(out *SecretsMountMySQ } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -7581,6 +7971,11 @@ func (in *SecretsMountMySQLRDSObservation) DeepCopyInto(out *SecretsMountMySQLRD } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) 
@@ -7637,6 +8032,11 @@ func (in *SecretsMountMySQLRDSObservation) DeepCopyInto(out *SecretsMountMySQLRD } } } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -7678,6 +8078,11 @@ func (in *SecretsMountMySQLRDSParameters) DeepCopyInto(out *SecretsMountMySQLRDS } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -7739,6 +8144,21 @@ func (in *SecretsMountMySQLRDSParameters) DeepCopyInto(out *SecretsMountMySQLRDS } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } + if in.TLSCA != nil { + in, out := &in.TLSCA, &out.TLSCA + *out = new(string) + **out = **in + } + if in.TLSCertificateKeySecretRef != nil { + in, out := &in.TLSCertificateKeySecretRef, &out.TLSCertificateKeySecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -8044,6 +8464,11 @@ func (in *SecretsMountOracleInitParameters) DeepCopyInto(out *SecretsMountOracle (*out)[key] = outVal } } + if in.DisconnectSessions != nil { + in, out := &in.DisconnectSessions, &out.DisconnectSessions + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -8080,6 +8505,11 @@ func (in *SecretsMountOracleInitParameters) DeepCopyInto(out *SecretsMountOracle } } } + if in.SplitStatements != nil { + in, out := &in.SplitStatements, &out.SplitStatements + *out = new(bool) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) 
@@ -8141,6 +8571,11 @@ func (in *SecretsMountOracleObservation) DeepCopyInto(out *SecretsMountOracleObs (*out)[key] = outVal } } + if in.DisconnectSessions != nil { + in, out := &in.DisconnectSessions, &out.DisconnectSessions + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -8177,6 +8612,11 @@ func (in *SecretsMountOracleObservation) DeepCopyInto(out *SecretsMountOracleObs } } } + if in.SplitStatements != nil { + in, out := &in.SplitStatements, &out.SplitStatements + *out = new(bool) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -8238,6 +8678,11 @@ func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOraclePara (*out)[key] = outVal } } + if in.DisconnectSessions != nil { + in, out := &in.DisconnectSessions, &out.DisconnectSessions + *out = new(bool) + **out = **in + } if in.MaxConnectionLifetime != nil { in, out := &in.MaxConnectionLifetime, &out.MaxConnectionLifetime *out = new(float64) @@ -8279,6 +8724,11 @@ func (in *SecretsMountOracleParameters) DeepCopyInto(out *SecretsMountOraclePara } } } + if in.SplitStatements != nil { + in, out := &in.SplitStatements, &out.SplitStatements + *out = new(bool) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) @@ -8549,6 +8999,11 @@ func (in *SecretsMountPostgresqlInitParameters) DeepCopyInto(out *SecretsMountPo } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) 
@@ -8651,6 +9106,11 @@ func (in *SecretsMountPostgresqlObservation) DeepCopyInto(out *SecretsMountPostg } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -8753,6 +9213,11 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr } } } + if in.AuthType != nil { + in, out := &in.AuthType, &out.AuthType + *out = new(string) + **out = **in + } if in.ConnectionURL != nil { in, out := &in.ConnectionURL, &out.ConnectionURL *out = new(string) @@ -8819,6 +9284,11 @@ func (in *SecretsMountPostgresqlParameters) DeepCopyInto(out *SecretsMountPostgr } } } + if in.ServiceAccountJSONSecretRef != nil { + in, out := &in.ServiceAccountJSONSecretRef, &out.ServiceAccountJSONSecretRef + *out = new(v1.SecretKeySelector) + **out = **in + } if in.Username != nil { in, out := &in.Username, &out.Username *out = new(string) diff --git a/apis/database/v1alpha1/zz_generated_terraformed.go b/apis/database/v1alpha1/zz_generated_terraformed.go index 37b04557..187d5338 100755 --- a/apis/database/v1alpha1/zz_generated_terraformed.go +++ b/apis/database/v1alpha1/zz_generated_terraformed.go 
@@ -20,7 +20,7 @@ func (mg *SecretBackendConnection) GetTerraformResourceType() string { // GetConnectionDetailsMapping for this SecretBackendConnection func (tr *SecretBackendConnection) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"cassandra[*].password": "spec.forProvider.cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "spec.forProvider.cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "spec.forProvider.cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "spec.forProvider.couchbase[*].base64PemSecretRef", "couchbase[*].password": "spec.forProvider.couchbase[*].passwordSecretRef", "elasticsearch[*].password": "spec.forProvider.elasticsearch[*].passwordSecretRef", "hana[*].password": "spec.forProvider.hana[*].passwordSecretRef", "influxdb[*].password": "spec.forProvider.influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "spec.forProvider.influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "spec.forProvider.influxdb[*].pemJsonSecretRef", "mongodb[*].password": "spec.forProvider.mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "spec.forProvider.mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "spec.forProvider.mssql[*].passwordSecretRef", "mysql[*].password": "spec.forProvider.mysql[*].passwordSecretRef", "mysql[*].tls_certificate_key": "spec.forProvider.mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "spec.forProvider.mysqlAurora[*].passwordSecretRef", "mysql_legacy[*].password": "spec.forProvider.mysqlLegacy[*].passwordSecretRef", "mysql_rds[*].password": "spec.forProvider.mysqlRds[*].passwordSecretRef", "oracle[*].password": "spec.forProvider.oracle[*].passwordSecretRef", "postgresql[*].password": "spec.forProvider.postgresql[*].passwordSecretRef", "redis[*].password": "spec.forProvider.redis[*].passwordSecretRef", "redis_elasticache[*].password": "spec.forProvider.redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": 
"spec.forProvider.redisElasticache[*].usernameSecretRef", "redshift[*].password": "spec.forProvider.redshift[*].passwordSecretRef", "snowflake[*].password": "spec.forProvider.snowflake[*].passwordSecretRef"} + return map[string]string{"cassandra[*].password": "spec.forProvider.cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "spec.forProvider.cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "spec.forProvider.cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "spec.forProvider.couchbase[*].base64PemSecretRef", "couchbase[*].password": "spec.forProvider.couchbase[*].passwordSecretRef", "elasticsearch[*].password": "spec.forProvider.elasticsearch[*].passwordSecretRef", "hana[*].password": "spec.forProvider.hana[*].passwordSecretRef", "influxdb[*].password": "spec.forProvider.influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "spec.forProvider.influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "spec.forProvider.influxdb[*].pemJsonSecretRef", "mongodb[*].password": "spec.forProvider.mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "spec.forProvider.mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "spec.forProvider.mssql[*].passwordSecretRef", "mysql[*].password": "spec.forProvider.mysql[*].passwordSecretRef", "mysql[*].service_account_json": "spec.forProvider.mysql[*].serviceAccountJsonSecretRef", "mysql[*].tls_certificate_key": "spec.forProvider.mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "spec.forProvider.mysqlAurora[*].passwordSecretRef", "mysql_aurora[*].service_account_json": "spec.forProvider.mysqlAurora[*].serviceAccountJsonSecretRef", "mysql_aurora[*].tls_certificate_key": "spec.forProvider.mysqlAurora[*].tlsCertificateKeySecretRef", "mysql_legacy[*].password": "spec.forProvider.mysqlLegacy[*].passwordSecretRef", "mysql_legacy[*].service_account_json": "spec.forProvider.mysqlLegacy[*].serviceAccountJsonSecretRef", "mysql_legacy[*].tls_certificate_key": 
"spec.forProvider.mysqlLegacy[*].tlsCertificateKeySecretRef", "mysql_rds[*].password": "spec.forProvider.mysqlRds[*].passwordSecretRef", "mysql_rds[*].service_account_json": "spec.forProvider.mysqlRds[*].serviceAccountJsonSecretRef", "mysql_rds[*].tls_certificate_key": "spec.forProvider.mysqlRds[*].tlsCertificateKeySecretRef", "oracle[*].password": "spec.forProvider.oracle[*].passwordSecretRef", "postgresql[*].password": "spec.forProvider.postgresql[*].passwordSecretRef", "postgresql[*].service_account_json": "spec.forProvider.postgresql[*].serviceAccountJsonSecretRef", "redis[*].password": "spec.forProvider.redis[*].passwordSecretRef", "redis_elasticache[*].password": "spec.forProvider.redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": "spec.forProvider.redisElasticache[*].usernameSecretRef", "redshift[*].password": "spec.forProvider.redshift[*].passwordSecretRef", "snowflake[*].password": "spec.forProvider.snowflake[*].passwordSecretRef"} } // GetObservation of this SecretBackendConnection 
@@ -272,7 +272,7 @@ func (mg *SecretsMount) GetTerraformResourceType() string { // GetConnectionDetailsMapping for this SecretsMount func (tr *SecretsMount) GetConnectionDetailsMapping() map[string]string { - return map[string]string{"cassandra[*].password": "spec.forProvider.cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "spec.forProvider.cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "spec.forProvider.cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "spec.forProvider.couchbase[*].base64PemSecretRef", "couchbase[*].password": "spec.forProvider.couchbase[*].passwordSecretRef", "elasticsearch[*].password": "spec.forProvider.elasticsearch[*].passwordSecretRef", "hana[*].password": "spec.forProvider.hana[*].passwordSecretRef", "influxdb[*].password": "spec.forProvider.influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "spec.forProvider.influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "spec.forProvider.influxdb[*].pemJsonSecretRef", "mongodb[*].password": "spec.forProvider.mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "spec.forProvider.mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "spec.forProvider.mssql[*].passwordSecretRef", "mysql[*].password": "spec.forProvider.mysql[*].passwordSecretRef", "mysql[*].tls_certificate_key": "spec.forProvider.mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "spec.forProvider.mysqlAurora[*].passwordSecretRef", "mysql_legacy[*].password": "spec.forProvider.mysqlLegacy[*].passwordSecretRef", "mysql_rds[*].password": "spec.forProvider.mysqlRds[*].passwordSecretRef", "oracle[*].password": "spec.forProvider.oracle[*].passwordSecretRef", "postgresql[*].password": "spec.forProvider.postgresql[*].passwordSecretRef", "redis[*].password": "spec.forProvider.redis[*].passwordSecretRef", "redis_elasticache[*].password": "spec.forProvider.redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": 
"spec.forProvider.redisElasticache[*].usernameSecretRef", "redshift[*].password": "spec.forProvider.redshift[*].passwordSecretRef", "snowflake[*].password": "spec.forProvider.snowflake[*].passwordSecretRef"} + return map[string]string{"cassandra[*].password": "spec.forProvider.cassandra[*].passwordSecretRef", "cassandra[*].pem_bundle": "spec.forProvider.cassandra[*].pemBundleSecretRef", "cassandra[*].pem_json": "spec.forProvider.cassandra[*].pemJsonSecretRef", "couchbase[*].base64_pem": "spec.forProvider.couchbase[*].base64PemSecretRef", "couchbase[*].password": "spec.forProvider.couchbase[*].passwordSecretRef", "elasticsearch[*].password": "spec.forProvider.elasticsearch[*].passwordSecretRef", "hana[*].password": "spec.forProvider.hana[*].passwordSecretRef", "influxdb[*].password": "spec.forProvider.influxdb[*].passwordSecretRef", "influxdb[*].pem_bundle": "spec.forProvider.influxdb[*].pemBundleSecretRef", "influxdb[*].pem_json": "spec.forProvider.influxdb[*].pemJsonSecretRef", "mongodb[*].password": "spec.forProvider.mongodb[*].passwordSecretRef", "mongodbatlas[*].private_key": "spec.forProvider.mongodbatlas[*].privateKeySecretRef", "mssql[*].password": "spec.forProvider.mssql[*].passwordSecretRef", "mysql[*].password": "spec.forProvider.mysql[*].passwordSecretRef", "mysql[*].service_account_json": "spec.forProvider.mysql[*].serviceAccountJsonSecretRef", "mysql[*].tls_certificate_key": "spec.forProvider.mysql[*].tlsCertificateKeySecretRef", "mysql_aurora[*].password": "spec.forProvider.mysqlAurora[*].passwordSecretRef", "mysql_aurora[*].service_account_json": "spec.forProvider.mysqlAurora[*].serviceAccountJsonSecretRef", "mysql_aurora[*].tls_certificate_key": "spec.forProvider.mysqlAurora[*].tlsCertificateKeySecretRef", "mysql_legacy[*].password": "spec.forProvider.mysqlLegacy[*].passwordSecretRef", "mysql_legacy[*].service_account_json": "spec.forProvider.mysqlLegacy[*].serviceAccountJsonSecretRef", "mysql_legacy[*].tls_certificate_key": 
"spec.forProvider.mysqlLegacy[*].tlsCertificateKeySecretRef", "mysql_rds[*].password": "spec.forProvider.mysqlRds[*].passwordSecretRef", "mysql_rds[*].service_account_json": "spec.forProvider.mysqlRds[*].serviceAccountJsonSecretRef", "mysql_rds[*].tls_certificate_key": "spec.forProvider.mysqlRds[*].tlsCertificateKeySecretRef", "oracle[*].password": "spec.forProvider.oracle[*].passwordSecretRef", "postgresql[*].password": "spec.forProvider.postgresql[*].passwordSecretRef", "postgresql[*].service_account_json": "spec.forProvider.postgresql[*].serviceAccountJsonSecretRef", "redis[*].password": "spec.forProvider.redis[*].passwordSecretRef", "redis_elasticache[*].password": "spec.forProvider.redisElasticache[*].passwordSecretRef", "redis_elasticache[*].username": "spec.forProvider.redisElasticache[*].usernameSecretRef", "redshift[*].password": "spec.forProvider.redshift[*].passwordSecretRef", "snowflake[*].password": "spec.forProvider.snowflake[*].passwordSecretRef"} } // GetObservation of this SecretsMount diff --git a/apis/database/v1alpha1/zz_secretbackendconnection_types.go b/apis/database/v1alpha1/zz_secretbackendconnection_types.go index 047e5f80..79bdb9d2 100755 --- a/apis/database/v1alpha1/zz_secretbackendconnection_types.go +++ b/apis/database/v1alpha1/zz_secretbackendconnection_types.go @@ -901,6 +901,10 @@ type MssqlParameters struct { type MySQLAuroraInitParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs 
@@ -923,6 +927,10 @@ type MySQLAuroraInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -934,6 +942,10 @@ type MySQLAuroraInitParameters struct { type MySQLAuroraObservation struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -956,6 +968,10 @@ type MySQLAuroraObservation struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -967,6 +983,11 @@ type MySQLAuroraObservation struct { type MySQLAuroraParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -998,6 +1019,21 @@ type MySQLAuroraParameters struct { // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // +kubebuilder:validation:Optional + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // +kubebuilder:validation:Optional + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional 
@@ -1011,6 +1047,10 @@ type MySQLAuroraParameters struct { type MySQLInitParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1048,6 +1088,10 @@ type MySQLInitParameters struct { type MySQLLegacyInitParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1070,6 +1114,10 @@ type MySQLLegacyInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1081,6 +1129,10 @@ type MySQLLegacyInitParameters struct { type MySQLLegacyObservation struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs 
@@ -1103,6 +1155,10 @@ type MySQLLegacyObservation struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1114,6 +1170,11 @@ type MySQLLegacyObservation struct { type MySQLLegacyParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs 
@@ -1145,6 +1206,21 @@ type MySQLLegacyParameters struct { // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // +kubebuilder:validation:Optional + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // +kubebuilder:validation:Optional + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional @@ -1158,6 +1234,10 @@ type MySQLLegacyParameters struct { type MySQLObservation struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs 
@@ -1195,6 +1275,11 @@ type MySQLObservation struct { type MySQLParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1226,6 +1311,11 @@ type MySQLParameters struct { // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // +kubebuilder:validation:Optional @@ -1249,6 +1339,10 @@ type MySQLParameters struct { type MySQLRDSInitParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs 
@@ -1271,6 +1365,10 @@ type MySQLRDSInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1282,6 +1380,10 @@ type MySQLRDSInitParameters struct { type MySQLRDSObservation struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1304,6 +1406,10 @@ type MySQLRDSObservation struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -1315,6 +1421,11 @@ type MySQLRDSObservation struct { type MySQLRDSParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1346,6 +1457,21 @@ type MySQLRDSParameters struct { // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // +kubebuilder:validation:Optional + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // +kubebuilder:validation:Optional + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional 
@@ -1366,6 +1492,10 @@ type OracleInitParameters struct { // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Enable the built-in session disconnect mechanism. + // Set to true to disconnect any open sessions prior to running the revocation statements. + DisconnectSessions *bool `json:"disconnectSessions,omitempty" tf:"disconnect_sessions,omitempty"` + // The maximum number of seconds to keep // a connection alive for. // Maximum number of seconds a connection may be reused. @@ -1381,6 +1511,10 @@ type OracleInitParameters struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // Enable spliting statements after semi-colons. + // Set to true in order to split statements after semi-colons. + SplitStatements *bool `json:"splitStatements,omitempty" tf:"split_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1399,6 +1533,10 @@ type OracleObservation struct { // Connection string to use to connect to the database. ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Enable the built-in session disconnect mechanism. + // Set to true to disconnect any open sessions prior to running the revocation statements. + DisconnectSessions *bool `json:"disconnectSessions,omitempty" tf:"disconnect_sessions,omitempty"` + // The maximum number of seconds to keep // a connection alive for. // Maximum number of seconds a connection may be reused. 
@@ -1414,6 +1552,10 @@ type OracleObservation struct { // Maximum number of open connections to the database. MaxOpenConnections *float64 `json:"maxOpenConnections,omitempty" tf:"max_open_connections,omitempty"` + // Enable spliting statements after semi-colons. + // Set to true in order to split statements after semi-colons. + SplitStatements *bool `json:"splitStatements,omitempty" tf:"split_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1433,6 +1575,11 @@ type OracleParameters struct { // +kubebuilder:validation:Optional ConnectionURL *string `json:"connectionUrl,omitempty" tf:"connection_url,omitempty"` + // Enable the built-in session disconnect mechanism. + // Set to true to disconnect any open sessions prior to running the revocation statements. + // +kubebuilder:validation:Optional + DisconnectSessions *bool `json:"disconnectSessions,omitempty" tf:"disconnect_sessions,omitempty"` + // The maximum number of seconds to keep // a connection alive for. // Maximum number of seconds a connection may be reused. @@ -1456,6 +1603,11 @@ type OracleParameters struct { // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // Enable spliting statements after semi-colons. + // Set to true in order to split statements after semi-colons. + // +kubebuilder:validation:Optional + SplitStatements *bool `json:"splitStatements,omitempty" tf:"split_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional 
@@ -1469,6 +1621,10 @@ type OracleParameters struct { type PostgresqlInitParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1506,6 +1662,10 @@ type PostgresqlInitParameters struct { type PostgresqlObservation struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1543,6 +1703,11 @@ type PostgresqlObservation struct { type PostgresqlParameters struct { + // Enable IAM authentication to a Google Cloud instance when set to gcp_iam + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. See // the Vault // docs @@ -1579,6 +1744,11 @@ type PostgresqlParameters struct { // +kubebuilder:validation:Optional PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"` + // JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional diff --git a/apis/database/v1alpha1/zz_secretbackendrole_types.go b/apis/database/v1alpha1/zz_secretbackendrole_types.go index f0af153e..65caf2ed 100755 
--- a/apis/database/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/database/v1alpha1/zz_secretbackendrole_types.go @@ -24,6 +24,17 @@ type SecretBackendRoleInitParameters struct { // Database statements to execute to create and configure a user. CreationStatements []*string `json:"creationStatements,omitempty" tf:"creation_statements,omitempty"` + // – Specifies the configuration + // for the given credential_type. + // Specifies the configuration for the given credential_type. + CredentialConfig map[string]*string `json:"credentialConfig,omitempty" tf:"credential_config,omitempty"` + + // – Specifies the type of credential that + // will be generated for the role. Options include: password, rsa_private_key, client_certificate. + // See the plugin's API page for credential types supported by individual databases. + // Specifies the type of credential that will be generated for the role. + CredentialType *string `json:"credentialType,omitempty" tf:"credential_type,omitempty"` + // The unique name of the database connection to use for // the role. // Database connection to use for this role. 
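Review bot: `CredentialConfig` is added here as a plain `map[string]*string` in `SecretBackendRoleInitParameters`, and again in `SecretBackendRoleObservation` and `SecretBackendRoleParameters` in the next two hunks, so whatever the map holds is stored in the resource spec and echoed back in status. The adjacent comment lists `rsa_private_key` and `client_certificate` as credential types, and the configuration for those types may include key material (to be confirmed against the plugin's API page). If it does, the field should follow the `PasswordSecretRef` pattern used elsewhere in this commit (`json:"passwordSecretRef,omitempty" tf:"-"`), so that it becomes a secret reference and drops out of the observation. The file looks generated (`zz_` prefix), so the fix would be to mark `credential_config` sensitive in the provider's resource configuration and regenerate, not to edit this file by hand.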
@@ -77,6 +88,17 @@ type SecretBackendRoleObservation struct { // Database statements to execute to create and configure a user. CreationStatements []*string `json:"creationStatements,omitempty" tf:"creation_statements,omitempty"` + // – Specifies the configuration + // for the given credential_type. + // Specifies the configuration for the given credential_type. + CredentialConfig map[string]*string `json:"credentialConfig,omitempty" tf:"credential_config,omitempty"` + + // – Specifies the type of credential that + // will be generated for the role. Options include: password, rsa_private_key, client_certificate. + // See the plugin's API page for credential types supported by individual databases. + // Specifies the type of credential that will be generated for the role. + CredentialType *string `json:"credentialType,omitempty" tf:"credential_type,omitempty"` + // The unique name of the database connection to use for // the role. // Database connection to use for this role. 
@@ -134,6 +156,19 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional CreationStatements []*string `json:"creationStatements,omitempty" tf:"creation_statements,omitempty"` + // – Specifies the configuration + // for the given credential_type. + // Specifies the configuration for the given credential_type. + // +kubebuilder:validation:Optional + CredentialConfig map[string]*string `json:"credentialConfig,omitempty" tf:"credential_config,omitempty"` + + // – Specifies the type of credential that + // will be generated for the role. Options include: password, rsa_private_key, client_certificate. + // See the plugin's API page for credential types supported by individual databases. + // Specifies the type of credential that will be generated for the role. + // +kubebuilder:validation:Optional + CredentialType *string `json:"credentialType,omitempty" tf:"credential_type,omitempty"` + // The unique name of the database connection to use for // the role. // Database connection to use for this role. diff --git a/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go b/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go index 97023d7f..3ec6f33b 100755 --- a/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go +++ b/apis/database/v1alpha1/zz_secretbackendstaticrole_types.go 
@@ -35,13 +35,24 @@ type SecretBackendStaticRoleInitParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of time Vault should wait before rotating the password, in seconds. + // Mutually exclusive with rotation_schedule. // The amount of time Vault should wait before rotating the password, in seconds. RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + // A cron-style string that will define the schedule on which rotations should occur. + // Mutually exclusive with rotation_period. + // A cron-style string that will define the schedule on which rotations should occur. + RotationSchedule *string `json:"rotationSchedule,omitempty" tf:"rotation_schedule,omitempty"` + // Database statements to execute to rotate the password for the configured database user. // Database statements to execute to rotate the password for the configured database user. RotationStatements []*string `json:"rotationStatements,omitempty" tf:"rotation_statements,omitempty"` + // The amount of time, in seconds, in which rotations are allowed to occur starting + // from a given rotation_schedule. + // The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. + RotationWindow *float64 `json:"rotationWindow,omitempty" tf:"rotation_window,omitempty"` + // The database username that this static role corresponds to. // The database username that this role corresponds to. Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -71,13 +82,24 @@ type SecretBackendStaticRoleObservation struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of time Vault should wait before rotating the password, in seconds. + // Mutually exclusive with rotation_schedule. // The amount of time Vault should wait before rotating the password, in seconds. RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + // A cron-style string that will define the schedule on which rotations should occur. + // Mutually exclusive with rotation_period. + // A cron-style string that will define the schedule on which rotations should occur. + RotationSchedule *string `json:"rotationSchedule,omitempty" tf:"rotation_schedule,omitempty"` + // Database statements to execute to rotate the password for the configured database user. // Database statements to execute to rotate the password for the configured database user. RotationStatements []*string `json:"rotationStatements,omitempty" tf:"rotation_statements,omitempty"` + // The amount of time, in seconds, in which rotations are allowed to occur starting + // from a given rotation_schedule. + // The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. + RotationWindow *float64 `json:"rotationWindow,omitempty" tf:"rotation_window,omitempty"` + // The database username that this static role corresponds to. // The database username that this role corresponds to. Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -109,15 +131,28 @@ type SecretBackendStaticRoleParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of time Vault should wait before rotating the password, in seconds. + // Mutually exclusive with rotation_schedule. // The amount of time Vault should wait before rotating the password, in seconds. // +kubebuilder:validation:Optional RotationPeriod *float64 `json:"rotationPeriod,omitempty" tf:"rotation_period,omitempty"` + // A cron-style string that will define the schedule on which rotations should occur. + // Mutually exclusive with rotation_period. + // A cron-style string that will define the schedule on which rotations should occur. + // +kubebuilder:validation:Optional + RotationSchedule *string `json:"rotationSchedule,omitempty" tf:"rotation_schedule,omitempty"` + // Database statements to execute to rotate the password for the configured database user. // Database statements to execute to rotate the password for the configured database user. // +kubebuilder:validation:Optional RotationStatements []*string `json:"rotationStatements,omitempty" tf:"rotation_statements,omitempty"` + // The amount of time, in seconds, in which rotations are allowed to occur starting + // from a given rotation_schedule. + // The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. + // +kubebuilder:validation:Optional + RotationWindow *float64 `json:"rotationWindow,omitempty" tf:"rotation_window,omitempty"` + // The database username that this static role corresponds to. // The database username that this role corresponds to. // +kubebuilder:validation:Optional 
@@ -163,7 +198,6 @@ type SecretBackendStaticRole struct { // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.dbName) || has(self.initProvider.dbName)",message="dbName is a required parameter" // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.rotationPeriod) || has(self.initProvider.rotationPeriod)",message="rotationPeriod is a required parameter" // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.username) || has(self.initProvider.username)",message="username is a required parameter" Spec SecretBackendStaticRoleSpec `json:"spec"` Status SecretBackendStaticRoleStatus `json:"status,omitempty"` diff --git a/apis/database/v1alpha1/zz_secretsmount_types.go b/apis/database/v1alpha1/zz_secretsmount_types.go index 339f65b7..6738d19b 100755 --- a/apis/database/v1alpha1/zz_secretsmount_types.go +++ b/apis/database/v1alpha1/zz_secretsmount_types.go 
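Review bot: Dropping the `rotationPeriod is a required parameter` rule leaves `SecretBackendStaticRole` with no admission-time check on rotation settings. The new field comments in the same file call `rotation_period` and `rotation_schedule` mutually exclusive, yet a spec that sets both, or neither, now passes CRD validation and can only fail later when it is applied. A replacement rule in the style of the remaining ones would catch the first case, for example `// +kubebuilder:validation:XValidation:rule="!(has(self.forProvider.rotationPeriod) && has(self.forProvider.rotationSchedule))",message="rotationPeriod and rotationSchedule are mutually exclusive"`. A matching rule could require at least one of the two when create or update is managed. The file looks generated, so the rule would have to come from the generator configuration.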
@@ -1700,6 +1700,9 @@ type SecretsMountMySQLAuroraInitParameters struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. @@ -1736,6 +1739,10 @@ type SecretsMountMySQLAuroraInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1757,6 +1764,9 @@ type SecretsMountMySQLAuroraObservation struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -1793,6 +1803,10 @@ type SecretsMountMySQLAuroraObservation struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -1815,6 +1829,10 @@ type SecretsMountMySQLAuroraParameters struct { // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -1864,6 +1882,20 @@ type SecretsMountMySQLAuroraParameters struct { // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // +kubebuilder:validation:Optional + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // +kubebuilder:validation:Optional + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional @@ -1888,6 +1920,9 @@ type SecretsMountMySQLInitParameters struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -1949,6 +1984,9 @@ type SecretsMountMySQLLegacyInitParameters struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. @@ -1985,6 +2023,10 @@ type SecretsMountMySQLLegacyInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2006,6 +2048,9 @@ type SecretsMountMySQLLegacyObservation struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -2042,6 +2087,10 @@ type SecretsMountMySQLLegacyObservation struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2064,6 +2113,10 @@ type SecretsMountMySQLLegacyParameters struct { // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -2113,6 +2166,20 @@ type SecretsMountMySQLLegacyParameters struct { // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // +kubebuilder:validation:Optional + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // +kubebuilder:validation:Optional + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional @@ -2137,6 +2204,9 @@ type SecretsMountMySQLObservation struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -2199,6 +2269,10 @@ type SecretsMountMySQLParameters struct { // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. @@ -2248,6 +2322,10 @@ type SecretsMountMySQLParameters struct { // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. // +kubebuilder:validation:Optional @@ -2282,6 +2360,9 @@ type SecretsMountMySQLRDSInitParameters struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -2318,6 +2399,10 @@ type SecretsMountMySQLRDSInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2339,6 +2424,9 @@ type SecretsMountMySQLRDSObservation struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. @@ -2375,6 +2463,10 @@ type SecretsMountMySQLRDSObservation struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` 
@@ -2397,6 +2489,10 @@ type SecretsMountMySQLRDSParameters struct { // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. @@ -2446,6 +2542,20 @@ type SecretsMountMySQLRDSParameters struct { // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + // +kubebuilder:validation:Optional + TLSCA *string `json:"tlsCa,omitempty" tf:"tls_ca,omitempty"` + + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + // +kubebuilder:validation:Optional + TLSCertificateKeySecretRef *v1.SecretKeySelector `json:"tlsCertificateKeySecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional 
@@ -2628,6 +2738,9 @@ type SecretsMountOracleInitParameters struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Set to true to disconnect any open sessions prior to running the revocation statements. + DisconnectSessions *bool `json:"disconnectSessions,omitempty" tf:"disconnect_sessions,omitempty"` + // The maximum number of seconds to keep // a connection alive for. // Maximum number of seconds a connection may be reused. @@ -2655,6 +2768,9 @@ type SecretsMountOracleInitParameters struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Set to true in order to split statements after semi-colons. + SplitStatements *bool `json:"splitStatements,omitempty" tf:"split_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2685,6 +2801,9 @@ type SecretsMountOracleObservation struct { // A map of sensitive data to pass to the endpoint. Useful for templated connection strings. Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Set to true to disconnect any open sessions prior to running the revocation statements. + DisconnectSessions *bool `json:"disconnectSessions,omitempty" tf:"disconnect_sessions,omitempty"` + // The maximum number of seconds to keep // a connection alive for. // Maximum number of seconds a connection may be reused. 
@@ -2712,6 +2831,9 @@ type SecretsMountOracleObservation struct { // A list of database statements to be executed to rotate the root user's credentials. RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Set to true in order to split statements after semi-colons. + SplitStatements *bool `json:"splitStatements,omitempty" tf:"split_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL Username *string `json:"username,omitempty" tf:"username,omitempty"` @@ -2745,6 +2867,10 @@ type SecretsMountOracleParameters struct { // +kubebuilder:validation:Optional Data map[string]*string `json:"data,omitempty" tf:"data,omitempty"` + // Set to true to disconnect any open sessions prior to running the revocation statements. + // +kubebuilder:validation:Optional + DisconnectSessions *bool `json:"disconnectSessions,omitempty" tf:"disconnect_sessions,omitempty"` + // The maximum number of seconds to keep // a connection alive for. // Maximum number of seconds a connection may be reused. @@ -2783,6 +2909,10 @@ type SecretsMountOracleParameters struct { // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // Set to true in order to split statements after semi-colons. + // +kubebuilder:validation:Optional + SplitStatements *bool `json:"splitStatements,omitempty" tf:"split_statements,omitempty"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional 
@@ -2977,6 +3107,9 @@ type SecretsMountPostgresqlInitParameters struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. @@ -3038,6 +3171,9 @@ type SecretsMountPostgresqlObservation struct { // A list of roles that are allowed to use this connection. AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. @@ -3100,6 +3236,10 @@ type SecretsMountPostgresqlParameters struct { // +kubebuilder:validation:Optional AllowedRoles []*string `json:"allowedRoles,omitempty" tf:"allowed_roles,omitempty"` + // Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + // +kubebuilder:validation:Optional + AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"` + // A URL containing connection information. // See Vault docs // Connection string to use to connect to the database. 
@@ -3154,6 +3294,10 @@ type SecretsMountPostgresqlParameters struct { // +kubebuilder:validation:Optional RootRotationStatements []*string `json:"rootRotationStatements,omitempty" tf:"root_rotation_statements,omitempty"` + // A JSON encoded credential for use with IAM authorization + // +kubebuilder:validation:Optional + ServiceAccountJSONSecretRef *v1.SecretKeySelector `json:"serviceAccountJsonSecretRef,omitempty" tf:"-"` + // The username to authenticate with. // The root credential username used in the connection URL // +kubebuilder:validation:Optional diff --git a/apis/gcp/v1alpha1/zz_authbackend_types.go b/apis/gcp/v1alpha1/zz_authbackend_types.go index 256c3434..45041aa6 100755 --- a/apis/gcp/v1alpha1/zz_authbackend_types.go +++ b/apis/gcp/v1alpha1/zz_authbackend_types.go @@ -37,9 +37,15 @@ type AuthBackendInitParameters struct { PrivateKeyID *string `json:"privateKeyId,omitempty" tf:"private_key_id,omitempty"` ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"` } type AuthBackendObservation struct { + + // The accessor of the auth backend + Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + ClientEmail *string `json:"clientEmail,omitempty" tf:"client_email,omitempty"` ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` @@ -65,6 +71,8 @@ type AuthBackendObservation struct { PrivateKeyID *string `json:"privateKeyId,omitempty" tf:"private_key_id,omitempty"` ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"` } type AuthBackendParameters struct { 
@@ -105,6 +113,9 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + + // +kubebuilder:validation:Optional + Tune []TuneParameters `json:"tune,omitempty" tf:"tune,omitempty"` } type CustomEndpointInitParameters struct { 
@@ -156,6 +167,69 @@ type CustomEndpointParameters struct { IAM *string `json:"iam,omitempty" tf:"iam,omitempty"` } +type TuneInitParameters struct { + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"` + + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"` + + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"` + + DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"` + + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"` + + MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"` + + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"` + + TokenType *string `json:"tokenType,omitempty" tf:"token_type"` +} + +type TuneObservation struct { + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` + + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"` + + DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl,omitempty"` + + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + + MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl,omitempty"` + + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` +} + +type TuneParameters struct { + + // +kubebuilder:validation:Optional + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"` + + 
// +kubebuilder:validation:Optional + AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"` + + // +kubebuilder:validation:Optional + AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"` + + // +kubebuilder:validation:Optional + DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"` + + // +kubebuilder:validation:Optional + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"` + + // +kubebuilder:validation:Optional + MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"` + + // +kubebuilder:validation:Optional + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"` + + // +kubebuilder:validation:Optional + TokenType *string `json:"tokenType,omitempty" tf:"token_type"` +} + // AuthBackendSpec defines the desired state of AuthBackend type AuthBackendSpec struct { v1.ResourceSpec `json:",inline"` diff --git a/apis/gcp/v1alpha1/zz_generated.deepcopy.go b/apis/gcp/v1alpha1/zz_generated.deepcopy.go index 877c4df7..0b0ed067 100644 --- a/apis/gcp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/gcp/v1alpha1/zz_generated.deepcopy.go @@ -96,6 +96,13 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.Tune != nil { + in, out := &in.Tune, &out.Tune + *out = make([]TuneInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters. 
@@ -143,6 +150,11 @@ func (in *AuthBackendList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = *in + if in.Accessor != nil { + in, out := &in.Accessor, &out.Accessor + *out = new(string) + **out = **in + } if in.ClientEmail != nil { in, out := &in.ClientEmail, &out.ClientEmail *out = new(string) @@ -200,6 +212,13 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(string) **out = **in } + if in.Tune != nil { + in, out := &in.Tune, &out.Tune + *out = make([]TuneObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendObservation. @@ -272,6 +291,13 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(string) **out = **in } + if in.Tune != nil { + in, out := &in.Tune, &out.Tune + *out = make([]TuneParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendParameters. 
@@ -2279,3 +2305,240 @@ func (in *SecretStaticAccountStatus) DeepCopy() *SecretStaticAccountStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TuneInitParameters) DeepCopyInto(out *TuneInitParameters) { + *out = *in + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTL != nil { + in, out := &in.DefaultLeaseTTL, &out.DefaultLeaseTTL + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } + if in.MaxLeaseTTL != nil { + in, out := &in.MaxLeaseTTL, &out.MaxLeaseTTL + *out = new(string) + **out = **in + } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying 
the receiver, creating a new TuneInitParameters. +func (in *TuneInitParameters) DeepCopy() *TuneInitParameters { + if in == nil { + return nil + } + out := new(TuneInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TuneObservation) DeepCopyInto(out *TuneObservation) { + *out = *in + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTL != nil { + in, out := &in.DefaultLeaseTTL, &out.DefaultLeaseTTL + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } + if in.MaxLeaseTTL != nil { + in, out := &in.MaxLeaseTTL, &out.MaxLeaseTTL + *out = new(string) + **out = **in + } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + 
**out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneObservation. +func (in *TuneObservation) DeepCopy() *TuneObservation { + if in == nil { + return nil + } + out := new(TuneObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TuneParameters) DeepCopyInto(out *TuneParameters) { + *out = *in + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACRequestKeys != nil { + in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.AuditNonHMACResponseKeys != nil { + in, out := &in.AuditNonHMACResponseKeys, &out.AuditNonHMACResponseKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DefaultLeaseTTL != nil { + in, out := &in.DefaultLeaseTTL, &out.DefaultLeaseTTL + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } + if in.MaxLeaseTTL != nil { + in, out := &in.MaxLeaseTTL, &out.MaxLeaseTTL + *out = new(string) + **out = **in + } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenType != nil { + 
in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneParameters. +func (in *TuneParameters) DeepCopy() *TuneParameters { + if in == nil { + return nil + } + out := new(TuneParameters) + in.DeepCopyInto(out) + return out +} diff --git a/apis/gcp/v1alpha1/zz_generated_terraformed.go b/apis/gcp/v1alpha1/zz_generated_terraformed.go index bc58c9f1..b215e2e3 100755 --- a/apis/gcp/v1alpha1/zz_generated_terraformed.go +++ b/apis/gcp/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this AuthBackendRole @@ -262,7 +262,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretImpersonatedAccount diff --git a/apis/github/v1alpha1/zz_generated_terraformed.go b/apis/github/v1alpha1/zz_generated_terraformed.go index 6816ab07..18db98b6 100755 --- a/apis/github/v1alpha1/zz_generated_terraformed.go +++ b/apis/github/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this Team diff --git a/apis/github/v1alpha1/zz_team_types.go b/apis/github/v1alpha1/zz_team_types.go index 8b56cc46..0de79941 100755 
--- a/apis/github/v1alpha1/zz_team_types.go +++ b/apis/github/v1alpha1/zz_team_types.go @@ -17,7 +17,7 @@ type TeamInitParameters struct { // Path where the github auth backend is mounted. Defaults to github // if not specified. - // Auth backend to which team mapping will be congigured. + // Auth backend to which team mapping will be configured. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` // The namespace to provision the resource in. @@ -40,7 +40,7 @@ type TeamObservation struct { // Path where the github auth backend is mounted. Defaults to github // if not specified. - // Auth backend to which team mapping will be congigured. + // Auth backend to which team mapping will be configured. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` @@ -65,7 +65,7 @@ type TeamParameters struct { // Path where the github auth backend is mounted. Defaults to github // if not specified. - // Auth backend to which team mapping will be congigured. + // Auth backend to which team mapping will be configured. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` diff --git a/apis/identity/v1alpha1/zz_generated_terraformed.go b/apis/identity/v1alpha1/zz_generated_terraformed.go index 603bc8b8..e5c18ac8 100755 --- a/apis/identity/v1alpha1/zz_generated_terraformed.go +++ b/apis/identity/v1alpha1/zz_generated_terraformed.go @@ -346,7 +346,7 @@ func (tr *Group) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *Group) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this GroupAlias diff --git a/apis/identity/v1alpha1/zz_mfapingid_types.go b/apis/identity/v1alpha1/zz_mfapingid_types.go index 6c002c32..70b25c82 100755 --- a/apis/identity/v1alpha1/zz_mfapingid_types.go 
+++ b/apis/identity/v1alpha1/zz_mfapingid_types.go 
@@ -15,76 +15,96 @@ import ( type MfaPingidInitParameters struct { + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A base64-encoded third-party settings contents as retrieved from PingID's configuration page. // A base64-encoded third-party settings contents as retrieved from PingID's configuration page. SettingsFileBase64 *string `json:"settingsFileBase64,omitempty" tf:"settings_file_base64,omitempty"` + // A template string for mapping Identity names to MFA methods. // A template string for mapping Identity names to MFA methods. UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` } type MfaPingidObservation struct { + // The admin URL, derived from "settings_file_base64" // The admin URL, derived from "settings_file_base64" AdminURL *string `json:"adminUrl,omitempty" tf:"admin_url,omitempty"` + // A unique identifier of the organization, derived from "settings_file_base64" // A unique identifier of the organization, derived from "settings_file_base64" AuthenticatorURL *string `json:"authenticatorUrl,omitempty" tf:"authenticator_url,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The IDP URL, derived from "settings_file_base64" // The IDP URL, derived from "settings_file_base64" IdpURL *string `json:"idpUrl,omitempty" tf:"idp_url,omitempty"` + // Method ID. // Method ID. MethodID *string `json:"methodId,omitempty" tf:"method_id,omitempty"` + // Mount accessor. // Mount accessor. MountAccessor *string `json:"mountAccessor,omitempty" tf:"mount_accessor,omitempty"` // Method name. Name *string `json:"name,omitempty" tf:"name,omitempty"` + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Method's namespace ID. // Method's namespace ID. 
NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` + // Method's namespace path. // Method's namespace path. NamespacePath *string `json:"namespacePath,omitempty" tf:"namespace_path,omitempty"` + // The name of the PingID client organization, derived from "settings_file_base64" // The name of the PingID client organization, derived from "settings_file_base64" OrgAlias *string `json:"orgAlias,omitempty" tf:"org_alias,omitempty"` + // A base64-encoded third-party settings contents as retrieved from PingID's configuration page. // A base64-encoded third-party settings contents as retrieved from PingID's configuration page. SettingsFileBase64 *string `json:"settingsFileBase64,omitempty" tf:"settings_file_base64,omitempty"` + // MFA type. // MFA type. Type *string `json:"type,omitempty" tf:"type,omitempty"` + // Resource UUID. // Resource UUID. UUID *string `json:"uuid,omitempty" tf:"uuid,omitempty"` + // Use signature value, derived from "settings_file_base64" // Use signature value, derived from "settings_file_base64" UseSignature *bool `json:"useSignature,omitempty" tf:"use_signature,omitempty"` + // A template string for mapping Identity names to MFA methods. // A template string for mapping Identity names to MFA methods. UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` } type MfaPingidParameters struct { + // Target namespace. (requires Enterprise) // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // A base64-encoded third-party settings contents as retrieved from PingID's configuration page. // A base64-encoded third-party settings contents as retrieved from PingID's configuration page. // +kubebuilder:validation:Optional SettingsFileBase64 *string `json:"settingsFileBase64,omitempty" tf:"settings_file_base64,omitempty"` + // A template string for mapping Identity names to MFA methods. 
// A template string for mapping Identity names to MFA methods. // +kubebuilder:validation:Optional UsernameFormat *string `json:"usernameFormat,omitempty" tf:"username_format,omitempty"` @@ -116,7 +136,7 @@ type MfaPingidStatus struct { // +kubebuilder:object:root=true -// MfaPingid is the Schema for the MfaPingids API. +// MfaPingid is the Schema for the MfaPingids API. Resource for configuring the pingid MFA method. // +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" // +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" diff --git a/apis/jwt/v1alpha1/zz_generated_terraformed.go b/apis/jwt/v1alpha1/zz_generated_terraformed.go index f1698339..cceba0d5 100755 --- a/apis/jwt/v1alpha1/zz_generated_terraformed.go +++ b/apis/jwt/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this AuthBackendRole diff --git a/apis/kmip/v1alpha1/zz_generated_terraformed.go b/apis/kmip/v1alpha1/zz_generated_terraformed.go index dfad9847..b8983457 100755 --- a/apis/kmip/v1alpha1/zz_generated_terraformed.go +++ b/apis/kmip/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretRole 
diff --git a/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go b/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go index 072ec7e3..b582c09f 100755 --- a/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go +++ b/apis/kubernetes/v1alpha1/zz_authbackendconfig_types.go @@ -133,8 +133,8 @@ type AuthBackendConfigParameters struct { // +kubebuilder:validation:Optional PemKeys []*string `json:"pemKeys,omitempty" tf:"pem_keys,omitempty"` - // A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. - // A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + // A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. // +kubebuilder:validation:Optional TokenReviewerJwtSecretRef *v1.SecretKeySelector `json:"tokenReviewerJwtSecretRef,omitempty" tf:"-"` } diff --git a/apis/ldap/v1alpha1/zz_authbackend_types.go b/apis/ldap/v1alpha1/zz_authbackend_types.go index 689c7b42..85eabcb4 100755 --- a/apis/ldap/v1alpha1/zz_authbackend_types.go +++ b/apis/ldap/v1alpha1/zz_authbackend_types.go @@ -42,6 +42,8 @@ type AuthBackendInitParameters struct { // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` + MaxPageSize *float64 `json:"maxPageSize,omitempty" tf:"max_page_size,omitempty"` + // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` 
@@ -131,6 +133,8 @@ type AuthBackendObservation struct { // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` + MaxPageSize *float64 `json:"maxPageSize,omitempty" tf:"max_page_size,omitempty"` + // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` @@ -234,6 +238,9 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` + // +kubebuilder:validation:Optional + MaxPageSize *float64 `json:"maxPageSize,omitempty" tf:"max_page_size,omitempty"` + // Target namespace. (requires Enterprise) // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` diff --git a/apis/ldap/v1alpha1/zz_generated.deepcopy.go b/apis/ldap/v1alpha1/zz_generated.deepcopy.go index e15fad00..3e1fa648 100644 --- a/apis/ldap/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ldap/v1alpha1/zz_generated.deepcopy.go @@ -331,6 +331,11 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(bool) **out = **in } + if in.MaxPageSize != nil { + in, out := &in.MaxPageSize, &out.MaxPageSize + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -570,6 +575,11 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(bool) **out = **in } + if in.MaxPageSize != nil { + in, out := &in.MaxPageSize, &out.MaxPageSize + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -777,6 +787,11 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(bool) **out = **in } + if in.MaxPageSize != nil { + in, out := &in.MaxPageSize, &out.MaxPageSize + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/apis/ldap/v1alpha1/zz_generated_terraformed.go b/apis/ldap/v1alpha1/zz_generated_terraformed.go index 0af04f21..0fa258bd 100755 --- a/apis/ldap/v1alpha1/zz_generated_terraformed.go +++ b/apis/ldap/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 1 + return 2 } // GetTerraformResourceType returns Terraform resource type for this AuthBackendGroup diff --git a/apis/nomad/v1alpha1/zz_generated_terraformed.go b/apis/nomad/v1alpha1/zz_generated_terraformed.go index be34595b..d431b6a5 100755 --- a/apis/nomad/v1alpha1/zz_generated_terraformed.go +++ b/apis/nomad/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretRole diff --git a/apis/nomad/v1alpha1/zz_secretrole_types.go b/apis/nomad/v1alpha1/zz_secretrole_types.go index 38a04367..a38387e8 100755 --- a/apis/nomad/v1alpha1/zz_secretrole_types.go +++ b/apis/nomad/v1alpha1/zz_secretrole_types.go 
@@ -15,8 +15,7 @@ import ( type SecretRoleInitParameters struct { - // The unique path this backend should be mounted at. Must - // not begin or end with a /. Defaults to nomad. + // The unique path this backend should be mounted at. // The mount path for the Nomad backend. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` @@ -50,8 +49,7 @@ type SecretRoleInitParameters struct { type SecretRoleObservation struct { - // The unique path this backend should be mounted at. Must - // not begin or end with a /. Defaults to nomad. + // The unique path this backend should be mounted at. // The mount path for the Nomad backend. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` @@ -87,8 +85,7 @@ type SecretRoleObservation struct { type SecretRoleParameters struct { - // The unique path this backend should be mounted at. Must - // not begin or end with a /. Defaults to nomad. + // The unique path this backend should be mounted at. // The mount path for the Nomad backend. // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` diff --git a/apis/okta/v1alpha1/zz_generated_terraformed.go b/apis/okta/v1alpha1/zz_generated_terraformed.go index 58fff24a..0d480232 100755 --- a/apis/okta/v1alpha1/zz_generated_terraformed.go +++ b/apis/okta/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *AuthBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this AuthBackendGroup diff --git a/apis/pki/v1alpha1/zz_generated.deepcopy.go b/apis/pki/v1alpha1/zz_generated.deepcopy.go index 57a79423..a2e2b165 100644 --- a/apis/pki/v1alpha1/zz_generated.deepcopy.go +++ b/apis/pki/v1alpha1/zz_generated.deepcopy.go 
@@ -180,6 +180,11 @@ func (in *SecretBackendCertInitParameters) DeepCopyInto(out *SecretBackendCertIn } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.MinSecondsRemaining != nil { in, out := &in.MinSecondsRemaining, &out.MinSecondsRemaining *out = new(float64) @@ -232,6 +237,17 @@ func (in *SecretBackendCertInitParameters) DeepCopyInto(out *SecretBackendCertIn } } } + if in.UserIds != nil { + in, out := &in.UserIds, &out.UserIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCertInitParameters. @@ -346,6 +362,11 @@ func (in *SecretBackendCertObservation) DeepCopyInto(out *SecretBackendCertObser } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.IssuingCA != nil { in, out := &in.IssuingCA, &out.IssuingCA *out = new(string) @@ -418,6 +439,17 @@ func (in *SecretBackendCertObservation) DeepCopyInto(out *SecretBackendCertObser } } } + if in.UserIds != nil { + in, out := &in.UserIds, &out.UserIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCertObservation. @@ -480,6 +512,11 @@ func (in *SecretBackendCertParameters) DeepCopyInto(out *SecretBackendCertParame } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.MinSecondsRemaining != nil { in, out := &in.MinSecondsRemaining, &out.MinSecondsRemaining *out = new(float64) 
@@ -532,6 +569,17 @@ func (in *SecretBackendCertParameters) DeepCopyInto(out *SecretBackendCertParame } } } + if in.UserIds != nil { + in, out := &in.UserIds, &out.UserIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendCertParameters. @@ -1453,6 +1501,16 @@ func (in *SecretBackendIntermediateCertRequestInitParameters) DeepCopyInto(out * *out = new(float64) **out = **in } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(string) + **out = **in + } if in.KeyType != nil { in, out := &in.KeyType, &out.KeyType *out = new(string) @@ -1649,6 +1707,21 @@ func (in *SecretBackendIntermediateCertRequestObservation) DeepCopyInto(out *Sec *out = new(float64) **out = **in } + if in.KeyID != nil { + in, out := &in.KeyID, &out.KeyID + *out = new(string) + **out = **in + } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(string) + **out = **in + } if in.KeyType != nil { in, out := &in.KeyType, &out.KeyType *out = new(string) @@ -1808,6 +1881,16 @@ func (in *SecretBackendIntermediateCertRequestParameters) DeepCopyInto(out *Secr *out = new(float64) **out = **in } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(string) + **out = **in + } if in.KeyType != nil { in, out := &in.KeyType, &out.KeyType *out = new(string) 
@@ -2044,6 +2127,28 @@ func (in *SecretBackendIntermediateSetSignedObservation) DeepCopyInto(out *Secre *out = new(string) **out = **in } + if in.ImportedIssuers != nil { + in, out := &in.ImportedIssuers, &out.ImportedIssuers + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ImportedKeys != nil { + in, out := &in.ImportedKeys, &out.ImportedKeys + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -2186,6 +2291,11 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(bool) **out = **in } + if in.AllowWildcardCertificates != nil { + in, out := &in.AllowWildcardCertificates, &out.AllowWildcardCertificates + *out = new(bool) + **out = **in + } if in.AllowedDomains != nil { in, out := &in.AllowedDomains, &out.AllowedDomains *out = make([]*string, len(*in)) @@ -2235,6 +2345,22 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn } } } + if in.AllowedURISansTemplate != nil { + in, out := &in.AllowedURISansTemplate, &out.AllowedURISansTemplate + *out = new(bool) + **out = **in + } + if in.AllowedUserIds != nil { + in, out := &in.AllowedUserIds, &out.AllowedUserIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Backend != nil { in, out := &in.Backend, &out.Backend *out = new(string) 
@@ -2287,11 +2413,27 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn } } } + if in.ExtKeyUsageOids != nil { + in, out := &in.ExtKeyUsageOids, &out.ExtKeyUsageOids + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.GenerateLease != nil { in, out := &in.GenerateLease, &out.GenerateLease *out = new(bool) **out = **in } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.KeyBits != nil { in, out := &in.KeyBits, &out.KeyBits *out = new(float64) @@ -2524,6 +2666,11 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(bool) **out = **in } + if in.AllowWildcardCertificates != nil { + in, out := &in.AllowWildcardCertificates, &out.AllowWildcardCertificates + *out = new(bool) + **out = **in + } if in.AllowedDomains != nil { in, out := &in.AllowedDomains, &out.AllowedDomains *out = make([]*string, len(*in)) @@ -2573,6 +2720,22 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } + if in.AllowedURISansTemplate != nil { + in, out := &in.AllowedURISansTemplate, &out.AllowedURISansTemplate + *out = new(bool) + **out = **in + } + if in.AllowedUserIds != nil { + in, out := &in.AllowedUserIds, &out.AllowedUserIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Backend != nil { in, out := &in.Backend, &out.Backend *out = new(string) 
@@ -2625,6 +2788,17 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } + if in.ExtKeyUsageOids != nil { + in, out := &in.ExtKeyUsageOids, &out.ExtKeyUsageOids + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.GenerateLease != nil { in, out := &in.GenerateLease, &out.GenerateLease *out = new(bool) @@ -2635,6 +2809,11 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(string) **out = **in } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.KeyBits != nil { in, out := &in.KeyBits, &out.KeyBits *out = new(float64) @@ -2835,6 +3014,11 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(bool) **out = **in } + if in.AllowWildcardCertificates != nil { + in, out := &in.AllowWildcardCertificates, &out.AllowWildcardCertificates + *out = new(bool) + **out = **in + } if in.AllowedDomains != nil { in, out := &in.AllowedDomains, &out.AllowedDomains *out = make([]*string, len(*in)) @@ -2884,6 +3068,22 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame } } } + if in.AllowedURISansTemplate != nil { + in, out := &in.AllowedURISansTemplate, &out.AllowedURISansTemplate + *out = new(bool) + **out = **in + } + if in.AllowedUserIds != nil { + in, out := &in.AllowedUserIds, &out.AllowedUserIds + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Backend != nil { in, out := &in.Backend, &out.Backend *out = new(string) 
@@ -2936,11 +3136,27 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame } } } + if in.ExtKeyUsageOids != nil { + in, out := &in.ExtKeyUsageOids, &out.ExtKeyUsageOids + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.GenerateLease != nil { in, out := &in.GenerateLease, &out.GenerateLease *out = new(bool) **out = **in } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.KeyBits != nil { in, out := &in.KeyBits, &out.KeyBits *out = new(float64) @@ -3220,11 +3436,26 @@ func (in *SecretBackendRootCertInitParameters) DeepCopyInto(out *SecretBackendRo } } } + if in.IssuerName != nil { + in, out := &in.IssuerName, &out.IssuerName + *out = new(string) + **out = **in + } if in.KeyBits != nil { in, out := &in.KeyBits, &out.KeyBits *out = new(float64) **out = **in } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(string) + **out = **in + } if in.KeyType != nil { in, out := &in.KeyType, &out.KeyType *out = new(string) @@ -3432,6 +3663,16 @@ func (in *SecretBackendRootCertObservation) DeepCopyInto(out *SecretBackendRootC } } } + if in.IssuerID != nil { + in, out := &in.IssuerID, &out.IssuerID + *out = new(string) + **out = **in + } + if in.IssuerName != nil { + in, out := &in.IssuerName, &out.IssuerName + *out = new(string) + **out = **in + } if in.IssuingCA != nil { in, out := &in.IssuingCA, &out.IssuingCA *out = new(string) 
@@ -3442,6 +3683,21 @@ func (in *SecretBackendRootCertObservation) DeepCopyInto(out *SecretBackendRootC *out = new(float64) **out = **in } + if in.KeyID != nil { + in, out := &in.KeyID, &out.KeyID + *out = new(string) + **out = **in + } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(string) + **out = **in + } if in.KeyType != nil { in, out := &in.KeyType, &out.KeyType *out = new(string) @@ -3617,11 +3873,26 @@ func (in *SecretBackendRootCertParameters) DeepCopyInto(out *SecretBackendRootCe } } } + if in.IssuerName != nil { + in, out := &in.IssuerName, &out.IssuerName + *out = new(string) + **out = **in + } if in.KeyBits != nil { in, out := &in.KeyBits, &out.KeyBits *out = new(float64) **out = **in } + if in.KeyName != nil { + in, out := &in.KeyName, &out.KeyName + *out = new(string) + **out = **in + } + if in.KeyRef != nil { + in, out := &in.KeyRef, &out.KeyRef + *out = new(string) + **out = **in + } if in.KeyType != nil { in, out := &in.KeyType, &out.KeyType *out = new(string) @@ -3854,6 +4125,11 @@ func (in *SecretBackendRootSignIntermediateInitParameters) DeepCopyInto(out *Sec } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.Locality != nil { in, out := &in.Locality, &out.Locality *out = new(string) @@ -4067,6 +4343,11 @@ func (in *SecretBackendRootSignIntermediateObservation) DeepCopyInto(out *Secret } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.IssuingCA != nil { in, out := &in.IssuingCA, &out.IssuingCA *out = new(string) 
@@ -4237,6 +4518,11 @@ func (in *SecretBackendRootSignIntermediateParameters) DeepCopyInto(out *SecretB } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.Locality != nil { in, out := &in.Locality, &out.Locality *out = new(string) @@ -4454,6 +4740,11 @@ func (in *SecretBackendSignInitParameters) DeepCopyInto(out *SecretBackendSignIn } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.MinSecondsRemaining != nil { in, out := &in.MinSecondsRemaining, &out.MinSecondsRemaining *out = new(float64) @@ -4621,6 +4912,11 @@ func (in *SecretBackendSignObservation) DeepCopyInto(out *SecretBackendSignObser } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.IssuingCA != nil { in, out := &in.IssuingCA, &out.IssuingCA *out = new(string) @@ -4750,6 +5046,11 @@ func (in *SecretBackendSignParameters) DeepCopyInto(out *SecretBackendSignParame } } } + if in.IssuerRef != nil { + in, out := &in.IssuerRef, &out.IssuerRef + *out = new(string) + **out = **in + } if in.MinSecondsRemaining != nil { in, out := &in.MinSecondsRemaining, &out.MinSecondsRemaining *out = new(float64) diff --git a/apis/pki/v1alpha1/zz_secretbackendcert_types.go b/apis/pki/v1alpha1/zz_secretbackendcert_types.go index aeb31e2c..48b0d4bf 100755 --- a/apis/pki/v1alpha1/zz_secretbackendcert_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendcert_types.go 
@@ -43,6 +43,9 @@ type SecretBackendCertInitParameters struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` @@ -77,6 +80,10 @@ type SecretBackendCertInitParameters struct { // List of alternative URIs // List of alternative URIs. URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` + + // List of Subject User IDs + // List of Subject User IDs. + UserIds []*string `json:"userIds,omitempty" tf:"user_ids,omitempty"` } type SecretBackendCertObservation struct { @@ -123,6 +130,9 @@ type SecretBackendCertObservation struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The issuing CA // The issuing CA. IssuingCA *string `json:"issuingCa,omitempty" tf:"issuing_ca,omitempty"` @@ -173,6 +183,10 @@ type SecretBackendCertObservation struct { // List of alternative URIs // List of alternative URIs. URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` + + // List of Subject User IDs + // List of Subject User IDs. + UserIds []*string `json:"userIds,omitempty" tf:"user_ids,omitempty"` } type SecretBackendCertParameters struct { 
@@ -212,6 +226,10 @@ type SecretBackendCertParameters struct { // +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. + // +kubebuilder:validation:Optional + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds // +kubebuilder:validation:Optional @@ -254,6 +272,11 @@ type SecretBackendCertParameters struct { // List of alternative URIs. // +kubebuilder:validation:Optional URISans []*string `json:"uriSans,omitempty" tf:"uri_sans,omitempty"` + + // List of Subject User IDs + // List of Subject User IDs. + // +kubebuilder:validation:Optional + UserIds []*string `json:"userIds,omitempty" tf:"user_ids,omitempty"` } // SecretBackendCertSpec defines the desired state of SecretBackendCert diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go index b1cef114..335dfa83 100755 --- a/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatecertrequest_types.go 
@@ -54,6 +54,16 @@ type SecretBackendIntermediateCertRequestInitParameters struct { // The number of bits to use. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // When a new key is created with this request, optionally specifies + // the name for this. The global ref default may not be used as a name. + // When a new key is created with this request, optionally specifies the name for this. + KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + + // Specifies the key (either default, by name, or by identifier) to use + // for generating this request. Only suitable for type=existing requests. + // Specifies the key to use for generating this request. + KeyRef *string `json:"keyRef,omitempty" tf:"key_ref,omitempty"` + // The desired key type // The desired key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` @@ -109,7 +119,7 @@ type SecretBackendIntermediateCertRequestInitParameters struct { // Type of intermediate to create. Must be either "exported" or "internal" // or "kms" - // Type of intermediate to create. Must be either "exported" or "internal". + // Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" Type *string `json:"type,omitempty" tf:"type,omitempty"` // List of alternative URIs 
@@ -164,6 +174,20 @@ type SecretBackendIntermediateCertRequestObservation struct { // The number of bits to use. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The ID of the generated key. + // The ID of the generated key. + KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"` + + // When a new key is created with this request, optionally specifies + // the name for this. The global ref default may not be used as a name. + // When a new key is created with this request, optionally specifies the name for this. + KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + + // Specifies the key (either default, by name, or by identifier) to use + // for generating this request. Only suitable for type=existing requests. + // Specifies the key to use for generating this request. + KeyRef *string `json:"keyRef,omitempty" tf:"key_ref,omitempty"` + // The desired key type // The desired key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` @@ -223,7 +247,7 @@ type SecretBackendIntermediateCertRequestObservation struct { // Type of intermediate to create. Must be either "exported" or "internal" // or "kms" - // Type of intermediate to create. Must be either "exported" or "internal". + // Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" Type *string `json:"type,omitempty" tf:"type,omitempty"` // List of alternative URIs 
@@ -281,6 +305,18 @@ type SecretBackendIntermediateCertRequestParameters struct { // +kubebuilder:validation:Optional KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // When a new key is created with this request, optionally specifies + // the name for this. The global ref default may not be used as a name. + // When a new key is created with this request, optionally specifies the name for this. + // +kubebuilder:validation:Optional + KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + + // Specifies the key (either default, by name, or by identifier) to use + // for generating this request. Only suitable for type=existing requests. + // Specifies the key to use for generating this request. + // +kubebuilder:validation:Optional + KeyRef *string `json:"keyRef,omitempty" tf:"key_ref,omitempty"` + // The desired key type // The desired key type. // +kubebuilder:validation:Optional @@ -348,7 +384,7 @@ type SecretBackendIntermediateCertRequestParameters struct { // Type of intermediate to create. Must be either "exported" or "internal" // or "kms" - // Type of intermediate to create. Must be either "exported" or "internal". + // Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` diff --git a/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go index 8981580f..edd899e3 100755 --- a/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendintermediatesetsigned_types.go 
@@ -47,6 +47,15 @@ type SecretBackendIntermediateSetSignedObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The imported issuers indicating which issuers were created as part of + // this request. + // The imported issuers. + ImportedIssuers []*string `json:"importedIssuers,omitempty" tf:"imported_issuers,omitempty"` + + // The imported keys indicating which keys were created as part of this request. + // The imported keys. + ImportedKeys []*string `json:"importedKeys,omitempty" tf:"imported_keys,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. diff --git a/apis/pki/v1alpha1/zz_secretbackendrole_types.go b/apis/pki/v1alpha1/zz_secretbackendrole_types.go index 9865acb2..9d5cbf6a 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrole_types.go @@ -87,6 +87,10 @@ type SecretBackendRoleInitParameters struct { // Flag to allow certificates matching subdomains. AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + // Flag to allow wildcard certificates. + // Flag to allow wildcard certificates + AllowWildcardCertificates *bool `json:"allowWildcardCertificates,omitempty" tf:"allow_wildcard_certificates,omitempty"` + // List of allowed domains for certificates // The domains of the role. AllowedDomains []*string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` 
@@ -107,6 +111,14 @@ type SecretBackendRoleInitParameters struct { // Defines allowed URI SANs AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` + // Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + // Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + AllowedURISansTemplate *bool `json:"allowedUriSansTemplate,omitempty" tf:"allowed_uri_sans_template,omitempty"` + + // Defines allowed User IDs + // The allowed User ID's. + AllowedUserIds []*string `json:"allowedUserIds,omitempty" tf:"allowed_user_ids,omitempty"` + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` 
@@ -139,10 +151,21 @@ type SecretBackendRoleInitParameters struct { // Specify the allowed extended key usage constraint on issued certificates. ExtKeyUsage []*string `json:"extKeyUsage,omitempty" tf:"ext_key_usage,omitempty"` + // Specify the allowed extended key usage OIDs constraint on issued certificates + // A list of extended key usage OIDs. + ExtKeyUsageOids []*string `json:"extKeyUsageOids,omitempty" tf:"ext_key_usage_oids,omitempty"` + // Flag to generate leases with certificates // Flag to generate leases with certificates. GenerateLease *bool `json:"generateLease,omitempty" tf:"generate_lease,omitempty"` + // Specifies the default issuer of this request. May + // be the value default, a name, or an issuer ID. Use ACLs to prevent access to + // the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + // overriding the role's issuer_ref value. + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The number of bits of generated keys // The number of bits of generated keys. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` @@ -152,7 +175,9 @@ type SecretBackendRoleInitParameters struct { // The generated key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` - // Specify the allowed key usage constraint on issued certificates + // Specify the allowed key usage constraint on issued + // certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). + // To specify no default key usage constraints, set this to an empty list []. // Specify the allowed key usage constraint on issued certificates. KeyUsage []*string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"` 
@@ -258,6 +283,10 @@ type SecretBackendRoleObservation struct { // Flag to allow certificates matching subdomains. AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + // Flag to allow wildcard certificates. + // Flag to allow wildcard certificates + AllowWildcardCertificates *bool `json:"allowWildcardCertificates,omitempty" tf:"allow_wildcard_certificates,omitempty"` + // List of allowed domains for certificates // The domains of the role. AllowedDomains []*string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` @@ -278,6 +307,14 @@ type SecretBackendRoleObservation struct { // Defines allowed URI SANs AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` + // Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + // Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + AllowedURISansTemplate *bool `json:"allowedUriSansTemplate,omitempty" tf:"allowed_uri_sans_template,omitempty"` + + // Defines allowed User IDs + // The allowed User ID's. + AllowedUserIds []*string `json:"allowedUserIds,omitempty" tf:"allowed_user_ids,omitempty"` + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` 
@@ -310,12 +347,23 @@ type SecretBackendRoleObservation struct { // Specify the allowed extended key usage constraint on issued certificates. ExtKeyUsage []*string `json:"extKeyUsage,omitempty" tf:"ext_key_usage,omitempty"` + // Specify the allowed extended key usage OIDs constraint on issued certificates + // A list of extended key usage OIDs. + ExtKeyUsageOids []*string `json:"extKeyUsageOids,omitempty" tf:"ext_key_usage_oids,omitempty"` + // Flag to generate leases with certificates // Flag to generate leases with certificates. GenerateLease *bool `json:"generateLease,omitempty" tf:"generate_lease,omitempty"` ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies the default issuer of this request. May + // be the value default, a name, or an issuer ID. Use ACLs to prevent access to + // the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + // overriding the role's issuer_ref value. + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The number of bits of generated keys // The number of bits of generated keys. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` @@ -325,7 +373,9 @@ type SecretBackendRoleObservation struct { // The generated key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` - // Specify the allowed key usage constraint on issued certificates + // Specify the allowed key usage constraint on issued + // certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). + // To specify no default key usage constraints, set this to an empty list []. // Specify the allowed key usage constraint on issued certificates. KeyUsage []*string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"` 
@@ -437,6 +487,11 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional AllowSubdomains *bool `json:"allowSubdomains,omitempty" tf:"allow_subdomains,omitempty"` + // Flag to allow wildcard certificates. + // Flag to allow wildcard certificates + // +kubebuilder:validation:Optional + AllowWildcardCertificates *bool `json:"allowWildcardCertificates,omitempty" tf:"allow_wildcard_certificates,omitempty"` + // List of allowed domains for certificates // The domains of the role. // +kubebuilder:validation:Optional @@ -462,6 +517,16 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` + // Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. + // Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + // +kubebuilder:validation:Optional + AllowedURISansTemplate *bool `json:"allowedUriSansTemplate,omitempty" tf:"allowed_uri_sans_template,omitempty"` + + // Defines allowed User IDs + // The allowed User ID's. + // +kubebuilder:validation:Optional + AllowedUserIds []*string `json:"allowedUserIds,omitempty" tf:"allowed_user_ids,omitempty"` + // The path the PKI secret backend is mounted at, with no leading or trailing /s. // The path of the PKI secret backend the resource belongs to. // +kubebuilder:validation:Optional 
@@ -502,11 +567,24 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional ExtKeyUsage []*string `json:"extKeyUsage,omitempty" tf:"ext_key_usage,omitempty"` + // Specify the allowed extended key usage OIDs constraint on issued certificates + // A list of extended key usage OIDs. + // +kubebuilder:validation:Optional + ExtKeyUsageOids []*string `json:"extKeyUsageOids,omitempty" tf:"ext_key_usage_oids,omitempty"` + // Flag to generate leases with certificates // Flag to generate leases with certificates. // +kubebuilder:validation:Optional GenerateLease *bool `json:"generateLease,omitempty" tf:"generate_lease,omitempty"` + // Specifies the default issuer of this request. May + // be the value default, a name, or an issuer ID. Use ACLs to prevent access to + // the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + // overriding the role's issuer_ref value. + // Specifies the default issuer of this request. + // +kubebuilder:validation:Optional + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The number of bits of generated keys // The number of bits of generated keys. // +kubebuilder:validation:Optional @@ -518,7 +596,9 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` - // Specify the allowed key usage constraint on issued certificates + // Specify the allowed key usage constraint on issued + // certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). + // To specify no default key usage constraints, set this to an empty list []. // Specify the allowed key usage constraint on issued certificates. // +kubebuilder:validation:Optional KeyUsage []*string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"` diff --git a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go index a09cb376..41447e4e 100755 
--- a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go @@ -43,10 +43,25 @@ type SecretBackendRootCertInitParameters struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Provides a name to the specified issuer. The name must be unique + // across all issuers and not be the reserved value default + // Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. + IssuerName *string `json:"issuerName,omitempty" tf:"issuer_name,omitempty"` + // The number of bits to use // The number of bits to use. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // When a new key is created with this request, optionally specifies + // the name for this. The global ref default may not be used as a name. + // When a new key is created with this request, optionally specifies the name for this. + KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + + // Specifies the key (either default, by name, or by identifier) to use + // for generating this request. Only suitable for type=existing requests. + // Specifies the key to use for generating this request. + KeyRef *string `json:"keyRef,omitempty" tf:"key_ref,omitempty"` + // The desired key type // The desired key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` @@ -114,7 +129,7 @@ type SecretBackendRootCertInitParameters struct { // Type of intermediate to create. Must be either "exported", "internal" // or "kms" - // Type of root to create. Must be either "exported" or "internal". + // Type of root to create. Must be either "existing", "exported", "internal" or "kms" Type *string `json:"type,omitempty" tf:"type,omitempty"` // List of alternative URIs 
@@ -158,6 +173,15 @@ type SecretBackendRootCertObservation struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // The ID of the generated issuer. + // The ID of the generated issuer. + IssuerID *string `json:"issuerId,omitempty" tf:"issuer_id,omitempty"` + + // Provides a name to the specified issuer. The name must be unique + // across all issuers and not be the reserved value default + // Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. + IssuerName *string `json:"issuerName,omitempty" tf:"issuer_name,omitempty"` + // The issuing CA certificate. // The issuing CA. IssuingCA *string `json:"issuingCa,omitempty" tf:"issuing_ca,omitempty"` @@ -166,6 +190,20 @@ type SecretBackendRootCertObservation struct { // The number of bits to use. KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // The ID of the generated key. + // The ID of the generated key. + KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"` + + // When a new key is created with this request, optionally specifies + // the name for this. The global ref default may not be used as a name. + // When a new key is created with this request, optionally specifies the name for this. + KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + + // Specifies the key (either default, by name, or by identifier) to use + // for generating this request. Only suitable for type=existing requests. + // Specifies the key to use for generating this request. + KeyRef *string `json:"keyRef,omitempty" tf:"key_ref,omitempty"` + // The desired key type // The desired key type. KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` 
@@ -241,7 +279,7 @@ type SecretBackendRootCertObservation struct { // Type of intermediate to create. Must be either "exported", "internal" // or "kms" - // Type of root to create. Must be either "exported" or "internal". + // Type of root to create. Must be either "existing", "exported", "internal" or "kms" Type *string `json:"type,omitempty" tf:"type,omitempty"` // List of alternative URIs @@ -286,11 +324,29 @@ type SecretBackendRootCertParameters struct { // +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Provides a name to the specified issuer. The name must be unique + // across all issuers and not be the reserved value default + // Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. + // +kubebuilder:validation:Optional + IssuerName *string `json:"issuerName,omitempty" tf:"issuer_name,omitempty"` + // The number of bits to use // The number of bits to use. // +kubebuilder:validation:Optional KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + // When a new key is created with this request, optionally specifies + // the name for this. The global ref default may not be used as a name. + // When a new key is created with this request, optionally specifies the name for this. + // +kubebuilder:validation:Optional + KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"` + + // Specifies the key (either default, by name, or by identifier) to use + // for generating this request. Only suitable for type=existing requests. + // Specifies the key to use for generating this request. + // +kubebuilder:validation:Optional + KeyRef *string `json:"keyRef,omitempty" tf:"key_ref,omitempty"` + // The desired key type // The desired key type. // +kubebuilder:validation:Optional 
@@ -373,7 +429,7 @@ type SecretBackendRootCertParameters struct { // Type of intermediate to create. Must be either "exported", "internal" // or "kms" - // Type of root to create. Must be either "exported" or "internal". + // Type of root to create. Must be either "existing", "exported", "internal" or "kms" // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` diff --git a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go index 72f6d718..ac51d0d9 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go @@ -39,6 +39,9 @@ type SecretBackendRootSignIntermediateInitParameters struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The locality. Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` @@ -119,6 +122,9 @@ type SecretBackendRootSignIntermediateObservation struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The issuing CA certificate. IssuingCA *string `json:"issuingCa,omitempty" tf:"issuing_ca,omitempty"` @@ -205,6 +211,10 @@ type SecretBackendRootSignIntermediateParameters struct { // +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. + // +kubebuilder:validation:Optional + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The locality. // +kubebuilder:validation:Optional Locality *string `json:"locality,omitempty" tf:"locality,omitempty"` 
diff --git a/apis/pki/v1alpha1/zz_secretbackendsign_types.go b/apis/pki/v1alpha1/zz_secretbackendsign_types.go index a32bcbcc..23e388b0 100755 --- a/apis/pki/v1alpha1/zz_secretbackendsign_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendsign_types.go @@ -47,6 +47,13 @@ type SecretBackendSignInitParameters struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. Can + // be the value default, a name, or an issuer ID. Use ACLs to prevent access to + // the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + // overriding the role's issuer_ref value. + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds MinSecondsRemaining *float64 `json:"minSecondsRemaining,omitempty" tf:"min_seconds_remaining,omitempty"` @@ -123,6 +130,13 @@ type SecretBackendSignObservation struct { // List of alternative IPs. IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. Can + // be the value default, a name, or an issuer ID. Use ACLs to prevent access to + // the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + // overriding the role's issuer_ref value. + // Specifies the default issuer of this request. + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // The issuing CA // The issuing CA. IssuingCA *string `json:"issuingCa,omitempty" tf:"issuing_ca,omitempty"` 
@@ -209,6 +223,14 @@ type SecretBackendSignParameters struct { // +kubebuilder:validation:Optional IPSans []*string `json:"ipSans,omitempty" tf:"ip_sans,omitempty"` + // Specifies the default issuer of this request. Can + // be the value default, a name, or an issuer ID. Use ACLs to prevent access to + // the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + // overriding the role's issuer_ref value. + // Specifies the default issuer of this request. + // +kubebuilder:validation:Optional + IssuerRef *string `json:"issuerRef,omitempty" tf:"issuer_ref,omitempty"` + // Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) // Generate a new certificate when the expiration is within this number of seconds // +kubebuilder:validation:Optional diff --git a/apis/quota/v1alpha1/zz_generated.deepcopy.go b/apis/quota/v1alpha1/zz_generated.deepcopy.go index cd30d7be..9acce5f3 100644 --- a/apis/quota/v1alpha1/zz_generated.deepcopy.go +++ b/apis/quota/v1alpha1/zz_generated.deepcopy.go @@ -63,6 +63,11 @@ func (in *LeaseCountInitParameters) DeepCopyInto(out *LeaseCountInitParameters) *out = new(string) **out = **in } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LeaseCountInitParameters. @@ -135,6 +140,11 @@ func (in *LeaseCountObservation) DeepCopyInto(out *LeaseCountObservation) { *out = new(string) **out = **in } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LeaseCountObservation. 
@@ -170,6 +180,11 @@ func (in *LeaseCountParameters) DeepCopyInto(out *LeaseCountParameters) { *out = new(string) **out = **in } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LeaseCountParameters. @@ -277,6 +292,11 @@ func (in *RateLimitInitParameters) DeepCopyInto(out *RateLimitInitParameters) { *out = new(float64) **out = **in } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitInitParameters. @@ -359,6 +379,11 @@ func (in *RateLimitObservation) DeepCopyInto(out *RateLimitObservation) { *out = new(float64) **out = **in } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitObservation. @@ -404,6 +429,11 @@ func (in *RateLimitParameters) DeepCopyInto(out *RateLimitParameters) { *out = new(float64) **out = **in } + if in.Role != nil { + in, out := &in.Role, &out.Role + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimitParameters. diff --git a/apis/quota/v1alpha1/zz_leasecount_types.go b/apis/quota/v1alpha1/zz_leasecount_types.go index e7cf0b48..f1db68b4 100755 --- a/apis/quota/v1alpha1/zz_leasecount_types.go +++ b/apis/quota/v1alpha1/zz_leasecount_types.go 
@@ -39,6 +39,10 @@ type LeaseCountInitParameters struct { // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. // Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` } type LeaseCountObservation struct { @@ -68,6 +72,10 @@ type LeaseCountObservation struct { // a namespace specific mount quota. Note, namespaces are supported in Enterprise only. // Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` } type LeaseCountParameters struct { 
@@ -100,6 +108,11 @@ type LeaseCountParameters struct { // Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // +kubebuilder:validation:Optional + Role *string `json:"role,omitempty" tf:"role,omitempty"` } // LeaseCountSpec defines the desired state of LeaseCount diff --git a/apis/quota/v1alpha1/zz_ratelimit_types.go b/apis/quota/v1alpha1/zz_ratelimit_types.go index ebc9e6af..b7076e11 100755 --- a/apis/quota/v1alpha1/zz_ratelimit_types.go +++ b/apis/quota/v1alpha1/zz_ratelimit_types.go @@ -48,6 +48,10 @@ type RateLimitInitParameters struct { // rule. The rate must be positive. // The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. Rate *float64 `json:"rate,omitempty" tf:"rate,omitempty"` + + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` } type RateLimitObservation struct { 
@@ -87,6 +91,10 @@ type RateLimitObservation struct { // rule. The rate must be positive. // The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. Rate *float64 `json:"rate,omitempty" tf:"rate,omitempty"` + + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + Role *string `json:"role,omitempty" tf:"role,omitempty"` } type RateLimitParameters struct { @@ -130,6 +138,11 @@ type RateLimitParameters struct { // The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. // +kubebuilder:validation:Optional Rate *float64 `json:"rate,omitempty" tf:"rate,omitempty"` + + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + // +kubebuilder:validation:Optional + Role *string `json:"role,omitempty" tf:"role,omitempty"` } // RateLimitSpec defines the desired state of RateLimit diff --git a/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go b/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go index 0845bc70..71dea3ab 100755 --- a/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go +++ b/apis/rabbitmq/v1alpha1/zz_generated_terraformed.go 
@@ -94,7 +94,7 @@ func (tr *SecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole diff --git a/apis/ssh/v1alpha1/zz_generated.deepcopy.go b/apis/ssh/v1alpha1/zz_generated.deepcopy.go index f7103f94..da88a3e9 100644 --- a/apis/ssh/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ssh/v1alpha1/zz_generated.deepcopy.go @@ -386,6 +386,11 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.AllowedDomainsTemplate != nil { + in, out := &in.AllowedDomainsTemplate, &out.AllowedDomainsTemplate + *out = new(bool) + **out = **in + } if in.AllowedExtensions != nil { in, out := &in.AllowedExtensions, &out.AllowedExtensions *out = new(string) @@ -498,6 +503,11 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(string) **out = **in } + if in.NotBeforeDuration != nil { + in, out := &in.NotBeforeDuration, &out.NotBeforeDuration + *out = new(string) + **out = **in + } if in.TTL != nil { in, out := &in.TTL, &out.TTL *out = new(string) @@ -590,6 +600,11 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(string) **out = **in } + if in.AllowedDomainsTemplate != nil { + in, out := &in.AllowedDomainsTemplate, &out.AllowedDomainsTemplate + *out = new(bool) + **out = **in + } if in.AllowedExtensions != nil { in, out := &in.AllowedExtensions, &out.AllowedExtensions *out = new(string) 
@@ -707,6 +722,11 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(string) **out = **in } + if in.NotBeforeDuration != nil { + in, out := &in.NotBeforeDuration, &out.NotBeforeDuration + *out = new(string) + **out = **in + } if in.TTL != nil { in, out := &in.TTL, &out.TTL *out = new(string) @@ -767,6 +787,11 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.AllowedDomainsTemplate != nil { + in, out := &in.AllowedDomainsTemplate, &out.AllowedDomainsTemplate + *out = new(bool) + **out = **in + } if in.AllowedExtensions != nil { in, out := &in.AllowedExtensions, &out.AllowedExtensions *out = new(string) @@ -879,6 +904,11 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(string) **out = **in } + if in.NotBeforeDuration != nil { + in, out := &in.NotBeforeDuration, &out.NotBeforeDuration + *out = new(string) + **out = **in + } if in.TTL != nil { in, out := &in.TTL, &out.TTL *out = new(string) diff --git a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go index 89fce815..3245b47e 100755 --- a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go @@ -95,6 +95,10 @@ type SecretBackendRoleInitParameters struct { // The list of domains for which a client can request a host certificate. AllowedDomains *string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + // Specifies if allowed_domains can be declared using + // identity template policies. Non-templated domains are also permitted. + AllowedDomainsTemplate *bool `json:"allowedDomainsTemplate,omitempty" tf:"allowed_domains_template,omitempty"` + // Specifies a comma-separated list of extensions that certificates can have when signed. AllowedExtensions *string `json:"allowedExtensions,omitempty" tf:"allowed_extensions,omitempty"` 
@@ -153,6 +157,11 @@ type SecretBackendRoleInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the duration by which to backdate the ValidAfter property. + // Uses duration format strings. + // Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. + NotBeforeDuration *string `json:"notBeforeDuration,omitempty" tf:"not_before_duration,omitempty"` + // Specifies the Time To Live value. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } @@ -183,6 +192,10 @@ type SecretBackendRoleObservation struct { // The list of domains for which a client can request a host certificate. AllowedDomains *string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + // Specifies if allowed_domains can be declared using + // identity template policies. Non-templated domains are also permitted. + AllowedDomainsTemplate *bool `json:"allowedDomainsTemplate,omitempty" tf:"allowed_domains_template,omitempty"` + // Specifies a comma-separated list of extensions that certificates can have when signed. AllowedExtensions *string `json:"allowedExtensions,omitempty" tf:"allowed_extensions,omitempty"` @@ -243,6 +256,11 @@ type SecretBackendRoleObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the duration by which to backdate the ValidAfter property. + // Uses duration format strings. + // Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. + NotBeforeDuration *string `json:"notBeforeDuration,omitempty" tf:"not_before_duration,omitempty"` + // Specifies the Time To Live value. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` } 
@@ -281,6 +299,11 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional AllowedDomains *string `json:"allowedDomains,omitempty" tf:"allowed_domains,omitempty"` + // Specifies if allowed_domains can be declared using + // identity template policies. Non-templated domains are also permitted. + // +kubebuilder:validation:Optional + AllowedDomainsTemplate *bool `json:"allowedDomainsTemplate,omitempty" tf:"allowed_domains_template,omitempty"` + // Specifies a comma-separated list of extensions that certificates can have when signed. // +kubebuilder:validation:Optional AllowedExtensions *string `json:"allowedExtensions,omitempty" tf:"allowed_extensions,omitempty"` @@ -355,6 +378,12 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Specifies the duration by which to backdate the ValidAfter property. + // Uses duration format strings. + // Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. + // +kubebuilder:validation:Optional + NotBeforeDuration *string `json:"notBeforeDuration,omitempty" tf:"not_before_duration,omitempty"` + // Specifies the Time To Live value. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` diff --git a/apis/terraform/v1alpha1/zz_generated_terraformed.go b/apis/terraform/v1alpha1/zz_generated_terraformed.go index 24d6af24..e0332b9f 100755 --- a/apis/terraform/v1alpha1/zz_generated_terraformed.go +++ b/apis/terraform/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *CloudSecretBackend) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *CloudSecretBackend) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this CloudSecretCreds 
diff --git a/apis/transit/v1alpha1/zz_generated.deepcopy.go b/apis/transit/v1alpha1/zz_generated.deepcopy.go index 1851f266..b3925ed3 100644 --- a/apis/transit/v1alpha1/zz_generated.deepcopy.go +++ b/apis/transit/v1alpha1/zz_generated.deepcopy.go @@ -83,6 +83,11 @@ func (in *SecretBackendKeyInitParameters) DeepCopyInto(out *SecretBackendKeyInit *out = new(bool) **out = **in } + if in.KeySize != nil { + in, out := &in.KeySize, &out.KeySize + *out = new(float64) + **out = **in + } if in.MinDecryptionVersion != nil { in, out := &in.MinDecryptionVersion, &out.MinDecryptionVersion *out = new(float64) @@ -200,6 +205,11 @@ func (in *SecretBackendKeyObservation) DeepCopyInto(out *SecretBackendKeyObserva *out = new(string) **out = **in } + if in.KeySize != nil { + in, out := &in.KeySize, &out.KeySize + *out = new(float64) + **out = **in + } if in.Keys != nil { in, out := &in.Keys, &out.Keys *out = make([]map[string]*string, len(*in)) @@ -331,6 +341,11 @@ func (in *SecretBackendKeyParameters) DeepCopyInto(out *SecretBackendKeyParamete *out = new(bool) **out = **in } + if in.KeySize != nil { + in, out := &in.KeySize, &out.KeySize + *out = new(float64) + **out = **in + } if in.MinDecryptionVersion != nil { in, out := &in.MinDecryptionVersion, &out.MinDecryptionVersion *out = new(float64) diff --git a/apis/transit/v1alpha1/zz_secretbackendkey_types.go b/apis/transit/v1alpha1/zz_secretbackendkey_types.go index 0bddced2..d489b35b 100755 --- a/apis/transit/v1alpha1/zz_secretbackendkey_types.go +++ b/apis/transit/v1alpha1/zz_secretbackendkey_types.go 
@@ -23,9 +23,9 @@ type SecretBackendKeyInitParameters struct { // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of time the key should live before being automatically rotated. + // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. AutoRotatePeriod *float64 `json:"autoRotatePeriod,omitempty" tf:"auto_rotate_period,omitempty"` // The path the transit secret backend is mounted at, with no leading or trailing /s. @@ -48,6 +48,10 @@ type SecretBackendKeyInitParameters struct { // Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. Exportable *bool `json:"exportable,omitempty" tf:"exportable,omitempty"` + // The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. + // The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. + KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + // Minimum key version to use for decryption. // Minimum key version to use for decryption. MinDecryptionVersion *float64 `json:"minDecryptionVersion,omitempty" tf:"min_decryption_version,omitempty"` 
@@ -67,8 +71,8 @@ type SecretBackendKeyInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096. - // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096 + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 Type *string `json:"type,omitempty" tf:"type,omitempty"` } 
@@ -82,9 +86,9 @@ type SecretBackendKeyObservation struct { // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of time the key should live before being automatically rotated. + // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. AutoRotatePeriod *float64 `json:"autoRotatePeriod,omitempty" tf:"auto_rotate_period,omitempty"` // The path the transit secret backend is mounted at, with no leading or trailing /s. @@ -109,6 +113,10 @@ type SecretBackendKeyObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. + // The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. + KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + // List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. // List of key versions in the keyring. Keys []map[string]*string `json:"keys,omitempty" tf:"keys,omitempty"` 
@@ -156,8 +164,8 @@ type SecretBackendKeyObservation struct { // Whether or not the key supports signing, based on key type. SupportsSigning *bool `json:"supportsSigning,omitempty" tf:"supports_signing,omitempty"` - // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096. - // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096 + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 Type *string `json:"type,omitempty" tf:"type,omitempty"` } @@ -173,9 +181,9 @@ type SecretBackendKeyParameters struct { // +kubebuilder:validation:Optional AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of time the key should live before being automatically rotated. + // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. // +kubebuilder:validation:Optional AutoRotatePeriod *float64 `json:"autoRotatePeriod,omitempty" tf:"auto_rotate_period,omitempty"` 
@@ -204,6 +212,11 @@ type SecretBackendKeyParameters struct { // +kubebuilder:validation:Optional Exportable *bool `json:"exportable,omitempty" tf:"exportable,omitempty"` + // The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. + // The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. + // +kubebuilder:validation:Optional + KeySize *float64 `json:"keySize,omitempty" tf:"key_size,omitempty"` + // Minimum key version to use for decryption. // Minimum key version to use for decryption. // +kubebuilder:validation:Optional @@ -227,8 +240,8 @@ type SecretBackendKeyParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096. - // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096 + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. + // Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 // +kubebuilder:validation:Optional Type *string `json:"type,omitempty" tf:"type,omitempty"` } diff --git a/apis/vault/v1alpha1/zz_generated.deepcopy.go b/apis/vault/v1alpha1/zz_generated.deepcopy.go index 7d9c3343..82ee91e9 100644 --- a/apis/vault/v1alpha1/zz_generated.deepcopy.go 
+++ b/apis/vault/v1alpha1/zz_generated.deepcopy.go @@ -735,6 +735,21 @@ func (in *Namespace) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NamespaceInitParameters) DeepCopyInto(out *NamespaceInitParameters) { *out = *in + if in.CustomMetadata != nil { + in, out := &in.CustomMetadata, &out.CustomMetadata + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -797,6 +812,21 @@ func (in *NamespaceList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NamespaceObservation) DeepCopyInto(out *NamespaceObservation) { *out = *in + if in.CustomMetadata != nil { + in, out := &in.CustomMetadata, &out.CustomMetadata + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) 
@@ -837,6 +867,21 @@ func (in *NamespaceObservation) DeepCopy() *NamespaceObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NamespaceParameters) DeepCopyInto(out *NamespaceParameters) { *out = *in + if in.CustomMetadata != nil { + in, out := &in.CustomMetadata, &out.CustomMetadata + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/apis/vault/v1alpha1/zz_namespace_types.go b/apis/vault/v1alpha1/zz_namespace_types.go index be659567..1aabaf4e 100755 --- a/apis/vault/v1alpha1/zz_namespace_types.go +++ b/apis/vault/v1alpha1/zz_namespace_types.go @@ -15,6 +15,11 @@ import ( type NamespaceInitParameters struct { + // Custom metadata describing this namespace. Value type + // is map[string]string. Requires Vault version 1.12+. + // Custom metadata describing this namespace. Value type is map[string]string. + CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -22,18 +27,24 @@ type NamespaceInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // The path of the namespace. Must not have a trailing / + // The path of the namespace. Must not have a trailing /. // Namespace path. Path *string `json:"path,omitempty" tf:"path,omitempty"` // The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. + // The path is relative to the provider's namespace argument. // The fully qualified namespace path. PathFq *string `json:"pathFq,omitempty" tf:"path_fq,omitempty"` } type NamespaceObservation struct { - // ID of the namespace. + // Custom metadata describing this namespace. Value type + // is map[string]string. Requires Vault version 1.12+. + // Custom metadata describing this namespace. Value type is map[string]string. + CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + + // The fully qualified path to the namespace, including the provider namespace and a trailing slash. ID *string `json:"id,omitempty" tf:"id,omitempty"` // The namespace to provision the resource in. 
@@ -43,21 +54,28 @@ type NamespaceObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // ID of the namespace. + // Vault server's internal ID of the namespace. // Namespace ID. NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"` - // The path of the namespace. Must not have a trailing / + // The path of the namespace. Must not have a trailing /. // Namespace path. Path *string `json:"path,omitempty" tf:"path,omitempty"` // The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. + // The path is relative to the provider's namespace argument. // The fully qualified namespace path. PathFq *string `json:"pathFq,omitempty" tf:"path_fq,omitempty"` } type NamespaceParameters struct { + // Custom metadata describing this namespace. Value type + // is map[string]string. Requires Vault version 1.12+. + // Custom metadata describing this namespace. Value type is map[string]string. + // +kubebuilder:validation:Optional + CustomMetadata map[string]*string `json:"customMetadata,omitempty" tf:"custom_metadata,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -66,12 +84,13 @@ type NamespaceParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // The path of the namespace. Must not have a trailing / + // The path of the namespace. Must not have a trailing /. // Namespace path. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` // The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. + // The path is relative to the provider's namespace argument. // The fully qualified namespace path. // +kubebuilder:validation:Optional PathFq *string `json:"pathFq,omitempty" tf:"path_fq,omitempty"` diff --git a/apis/vault/v1alpha1/zz_token_types.go b/apis/vault/v1alpha1/zz_token_types.go index 4d01ecdc..b9c17885 100755 --- a/apis/vault/v1alpha1/zz_token_types.go +++ b/apis/vault/v1alpha1/zz_token_types.go @@ -19,7 +19,7 @@ type TokenInitParameters struct { // The display name of the token. DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"` - // The explicit max TTL of this token + // The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The explicit max TTL of the token. ExplicitMaxTTL *string `json:"explicitMaxTtl,omitempty" tf:"explicit_max_ttl,omitempty"` @@ -46,7 +46,7 @@ type TokenInitParameters struct { // The number of allowed uses of the token. NumUses *float64 `json:"numUses,omitempty" tf:"num_uses,omitempty"` - // The period of this token + // The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The period of the token. Period *string `json:"period,omitempty" tf:"period,omitempty"` 
@@ -54,7 +54,7 @@ type TokenInitParameters struct { // List of policies. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` - // The renew increment + // The renew increment. This is specified in seconds // The renew increment. RenewIncrement *float64 `json:"renewIncrement,omitempty" tf:"renew_increment,omitempty"` @@ -70,11 +70,11 @@ type TokenInitParameters struct { // The token role name. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` - // The TTL period of this token + // The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The TTL period of the token. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` - // The TTL period of this token + // The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The TTL period of the wrapped token. WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` } @@ -85,7 +85,7 @@ type TokenObservation struct { // The display name of the token. DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"` - // The explicit max TTL of this token + // The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The explicit max TTL of the token. ExplicitMaxTTL *string `json:"explicitMaxTtl,omitempty" tf:"explicit_max_ttl,omitempty"` @@ -122,7 +122,7 @@ type TokenObservation struct { // The number of allowed uses of the token. NumUses *float64 `json:"numUses,omitempty" tf:"num_uses,omitempty"` - // The period of this token + // The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The period of the token. Period *string `json:"period,omitempty" tf:"period,omitempty"` 
@@ -130,7 +130,7 @@ type TokenObservation struct { // List of policies. Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` - // The renew increment + // The renew increment. This is specified in seconds // The renew increment. RenewIncrement *float64 `json:"renewIncrement,omitempty" tf:"renew_increment,omitempty"` @@ -146,11 +146,11 @@ type TokenObservation struct { // The token role name. RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` - // The TTL period of this token + // The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The TTL period of the token. TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` - // The TTL period of this token + // The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The TTL period of the wrapped token. WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` } @@ -162,7 +162,7 @@ type TokenParameters struct { // +kubebuilder:validation:Optional DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"` - // The explicit max TTL of this token + // The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The explicit max TTL of the token. // +kubebuilder:validation:Optional ExplicitMaxTTL *string `json:"explicitMaxTtl,omitempty" tf:"explicit_max_ttl,omitempty"` @@ -195,7 +195,7 @@ type TokenParameters struct { // +kubebuilder:validation:Optional NumUses *float64 `json:"numUses,omitempty" tf:"num_uses,omitempty"` - // The period of this token + // The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The period of the token. // +kubebuilder:validation:Optional Period *string `json:"period,omitempty" tf:"period,omitempty"` 
@@ -205,7 +205,7 @@ type TokenParameters struct { // +kubebuilder:validation:Optional Policies []*string `json:"policies,omitempty" tf:"policies,omitempty"` - // The renew increment + // The renew increment. This is specified in seconds // The renew increment. // +kubebuilder:validation:Optional RenewIncrement *float64 `json:"renewIncrement,omitempty" tf:"renew_increment,omitempty"` @@ -225,12 +225,12 @@ type TokenParameters struct { // +kubebuilder:validation:Optional RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"` - // The TTL period of this token + // The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The TTL period of the token. // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` - // The TTL period of this token + // The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" // The TTL period of the wrapped token. // +kubebuilder:validation:Optional WrappingTTL *string `json:"wrappingTtl,omitempty" tf:"wrapping_ttl,omitempty"` diff --git a/config/provider-metadata.yaml b/config/provider-metadata.yaml index 7c77a246..50f98979 100644 --- a/config/provider-metadata.yaml +++ b/config/provider-metadata.yaml @@ -19,6 +19,11 @@ resources: exclude_cn_from_sans: '- (Optional) Flag to exclude CN from SANs' format: '- (Optional) The format of data' ip_sans: '- (Optional) List of alternative IPs' + issuer_ref: |- + - (Optional) Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. issuing_ca: '- The issuing CA certificate in the format specified.' locality: '- (Optional) The locality' max_path_length: '- (Optional) The maximum path length to encode in the generated certificate' 
@@ -568,25 +573,49 @@ resources: "token_ttl": 300 } argumentDocs: - allowed_common_names: '- (Optional) Allowed the common names for authenticated client certificates' - allowed_dns_sans: '- (Optional) Allowed alternative dns names for authenticated client certificates' - allowed_email_sans: '- (Optional) Allowed emails for authenticated client certificates' - allowed_names: '- (Optional) Allowed subject names for authenticated client certificates' + allowed_common_names: '- (Optional array: []) Allowed the common names for authenticated client certificates' + allowed_dns_sans: '- (Optional array: []) Allowed alternative dns names for authenticated client certificates' + allowed_email_sans: '- (Optional array: []) Allowed emails for authenticated client certificates' + allowed_names: '- (Optional string) DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates' allowed_organization_units: ', please update accordingly' allowed_organizational_units: |- - - (Optional) Allowed organization units for authenticated client certificates. + - (Optional array: []) Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named - allowed_uri_sans: '- (Optional) Allowed URIs for authenticated client certificates' - backend: '- (Optional) Path to the mounted Cert auth backend' - certificate: '- (Required) CA certificate used to validate client certificates' - display_name: '- (Optional) The name to display on tokens issued under this role.' - name: '- (Required) Name of the role' + allowed_uri_sans: '- (Optional array: []) Allowed URIs for authenticated client certificates' + backend: '- (Optional string: "cert") Path to the mounted Cert auth backend' + certificate: '- (Required string) CA certificate used to validate client certificates' + display_name: '- (Optional string: "") The name to display on tokens issued under this role.' 
+ name: '- (Required string) Name of the role' namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. - required_extensions: '- (Optional) TLS extensions required on client certificates' + ocsp_ca_certificates: |- + (Optional string: "") Any additional CA certificates + needed to verify OCSP responses. Provided as base64 encoded PEM data. + Requires Vault version 1.13+. + ocsp_enabled: |- + (Optional bool: false) - If enabled, validate certificates' + revocation status using OCSP. Requires Vault version 1.13+. + ocsp_fail_open: |- + (Optional bool: false) - If true and an OCSP response cannot + be fetched or is of an unknown status, the login will proceed as if the + certificate has not been revoked. + Requires Vault version 1.13+. + ocsp_query_all_servers: |- + (Optional bool: false) - If set to true, rather than + accepting the first successful OCSP response, query all servers and consider + the certificate valid only if all servers agree. + Requires Vault version 1.13+. + ocsp_servers_override: |- + (Optional array: []): A comma-separated list of OCSP + server addresses. If unset, the OCSP server is determined from the + AuthorityInformationAccess extension on the certificate being inspected. + Requires Vault version 1.13+. + required_extensions: |- + - (Optional array: []) TLS extensions required on + client certificates token_bound_cidrs: |- - (Optional) List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks 
@@ -661,7 +690,7 @@ resources: user: |- - (Optional) Associate Okta users with groups or policies within Vault. See below for more details. - username: '- (Required Optional) Name of the user within Okta' + username: '- (Required) Name of the user within Okta' importStatements: [] vault_auth_backend_group resource: subCategory: "" @@ -692,7 +721,7 @@ resources: Available only for Vault Enterprise. path: '- (Required) The path where the Okta auth backend is mounted' policies: '- (Optional) List of Vault policies to associate with this user' - username: '- (Required Optional) Name of the user within Okta' + username: '- (Required) Name of the user within Okta' importStatements: [] vault_aws_auth_backend_cert: subCategory: "" @@ -783,6 +812,12 @@ resources: sts_region: |- - (Optional) Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region. + use_sts_region_from_client: |- + - (Optional) Available in Vault v1.15+. If set, + overrides both sts_endpoint and sts_region to instead use the region + specified in the client request headers for IAM-based authentication. + This can be useful when you have client requests coming from different + regions and want flexibility in which regional STS API is used. importStatements: [] vault_aws_auth_backend_config_identity: subCategory: "" @@ -1021,6 +1056,7 @@ resources: auth_type: |- - (Optional) The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam. + backend: '- (Optional) Path to the mounted aws auth backend.' bound_account_ids: |- - (Optional) If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the 
@@ -1283,6 +1319,13 @@ resources: "access_key": "AKIA.....", "secret_key": "AWS secret key" } + - name: aws + manifest: |- + { + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_ttl": "\u003cTOKEN_TTL\u003e", + "role_arn": "\u003cAWS_ROLE_ARN\u003e" + } argumentDocs: access_key: |- - (Optional) The AWS Access Key ID this backend should use to @@ -1295,6 +1338,10 @@ resources: - (Optional) If set, opts out of mount migration on path updates. See here for more info on Mount Migration iam_endpoint: '- (Optional) Specifies a custom HTTP IAM endpoint to use.' + identity_token_audience: '- (Optional) The audience claim value. Requires Vault 1.16+.' + identity_token_key: '- (Optional) The key to use for signing identity tokens. Requires Vault 1.16+.' + identity_token_ttl: '- (Optional) The TTL of generated identity tokens in seconds. Requires Vault 1.16+.' + local: '- (Optional) Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.' max_lease_ttl_seconds: |- - (Optional) The maximum TTL that can be requested for credentials issued by this backend. @@ -1307,6 +1354,7 @@ resources: - (Optional) The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws. region: '- (Optional) The AWS region for API calls. Defaults to us-east-1.' + role_arn: '- (Optional) Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.' secret_key: |- - (Optional) The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. 
@@ -1395,6 +1443,43 @@ resources: - (Optional) The path for the user name. Valid only when credential_type is iam_user. Default is /. importStatements: [] + vault_aws_secret_backend_static_role: + subCategory: "" + description: Creates a static role for the AWS secret backend for Vault. + name: vault_aws_secret_backend_static_role + title: vault_aws_secret_backend_static_role resource + examples: + - name: role + manifest: |- + { + "backend": "${vault_aws_secret_backend.aws.path}", + "name": "test", + "rotation_period": "3600", + "username": "my-test-user" + } + references: + backend: vault_aws_secret_backend.aws.path + dependencies: + vault_aws_secret_backend.aws: |- + { + "description": "Obtain AWS credentials.", + "path": "my-aws" + } + argumentDocs: + backend: |- + - (Optional) The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to aws + name: |- + - (Required) The name to identify this role within the backend. + Must be unique within the backend. + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + rotation_period: '- (Required) How often Vault should rotate the password of the user entry.' + username: '- (Required) The username of the existing AWS IAM to manage password rotation for.' + importStatements: [] vault_azure_auth_backend_config: subCategory: "" description: Configures the Azure Auth Backend in Vault. @@ -1606,6 +1691,11 @@ resources: "backend": "${vault_azure_secret_backend.azure.path}", "max_ttl": 600, "role": "generated_role", + "sign_in_audience": "AzureADMyOrg", + "tags": [ + "team:engineering", + "environment:development" + ], "ttl": 300 } references: 
@@ -1639,11 +1729,11 @@ resources: } argumentDocs: application_object_id: |- - - Application Object ID for an existing service principal that will - be used instead of creating dynamic service principals. If present, azure_roles will be ignored. - azure_groups: '- List of Azure groups to be assigned to the generated service principal.' - azure_roles: '- List of Azure roles to be assigned to the generated service principal.' - backend: '- Path to the mounted Azure auth backend' + - (Optional) Application Object ID for an existing service principal that will + be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. + azure_groups: '- (Optional) List of Azure groups to be assigned to the generated service principal.' + azure_roles: '- (Optional) List of Azure roles to be assigned to the generated service principal.' + backend: '- (Optional) Path to the mounted Azure auth backend' max_ttl: |- – (Optional) Specifies the maximum TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. 
@@ -1652,7 +1742,14 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. + permanently_delete: |- + - (Optional) Indicates whether the applications and service principals created by Vault will be permanently + deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. role: '- (Required) Name of the Azure role' + sign_in_audience: |- + - (Optional) Specifies the security principal types that are allowed to sign in to the application. + Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. + tags: '- (Optional) - A list of Azure tags to attach to an application. Requires Vault 1.16+.' ttl: |- – (Optional) Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. @@ -1804,6 +1901,7 @@ resources: allowed_roles: |- - (Optional) A list of roles that are allowed to use this connection. + auth_type: '- (Optional) Enable IAM authentication to a Google Cloud instance when set to gcp_iam' backend: '- (Required) The unique name of the Vault mount to configure.' base64_pem: '- (Optional) Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.' bucket_name: '- (Optional) Required for Couchbase versions prior to 6.5.0. This is only used to verify vault''s connection to the server.' 
@@ -1828,6 +1926,7 @@ resources: couchbase: '- (Optional) A nested block containing configuration options for Couchbase connections.' data: '- (Optional) A map of sensitive data to pass to the endpoint. Useful for templated connection strings.' disable_escaping: '- (Optional) Disable special character escaping in username and password.' + disconnect_sessions: '- (Optional) Enable the built-in session disconnect mechanism.' elasticsearch: '- (Optional) A nested block containing configuration options for Elasticsearch connections.' hana: '- (Optional) A nested block containing configuration options for SAP HanaDB connections.' host: '- (Required) The host to connect to.' @@ -1878,7 +1977,9 @@ resources: redis_elasticache: '- (Optional) A nested block containing configuration options for Redis ElastiCache connections.' region: '- (Optional) The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead.' root_rotation_statements: '- (Optional) A list of database statements to be executed to rotate the root user''s credentials.' + service_account_json: '- (Optional) JSON encoding of an IAM access key. Requires auth_type to be gcp_iam.' snowflake: '- (Optional) A nested block containing configuration options for Snowflake connections.' + split_statements: '- (Optional) Enable spliting statements after semi-colons.' tls: '- (Optional) Whether to use TLS when connecting to Cassandra.' tls_ca: '- (Optional) x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.' tls_certificate_key: '- (Optional) x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.' 
@@ -1931,15 +2032,37 @@ resources: } argumentDocs: backend: '- (Required) The unique name of the Vault mount to configure.' + ca_cert: (Optional) - The PEM-encoded CA certificate. + ca_private_key: (Optional) - The PEM-encoded private key for the given ca_cert. + common_name_template: |- + (Optional) - A username template + to be used for the client certificate common name. creation_statements: |- - (Required) The database statements to execute when creating a user. + credential_config: |- + (Optional) – Specifies the configuration + for the given credential_type. + credential_type: |- + (Optional) – Specifies the type of credential that + will be generated for the role. Options include: password, rsa_private_key, client_certificate. + See the plugin's API page for credential types supported by individual databases. db_name: |- - (Required) The unique name of the database connection to use for the role. default_ttl: |- - (Optional) The default number of seconds for leases for this role. + format: |- + (Optional) - The output format of the generated private key + credential. The private key will be returned from the API in PEM encoding. Options + include: pkcs8. + key_bits: |- + (Optional) - The bit size of the RSA key to generate. Options include: + 2048, 3072, 4096. + key_type: |- + (Required) - Specifies the desired key type. Options include: + rsa, ed25519, ec. max_ttl: |- - (Optional) The maximum number of seconds for leases for this role. @@ -1949,6 +2072,10 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. + password_policy: |- + (Optional) - The policy + used for password generation. If not provided, defaults to the password policy of the + database configuration. renew_statements: |- - (Optional) The database statements to execute when renewing a user. 
@@ -1958,6 +2085,9 @@ resources: rollback_statements: |- - (Optional) The database statements to execute when rolling back creation due to an error. + signature_bits: |- + (Optional) - The number of bits to use in the signature algorithm. Options include: + 256 (default), 384, 512. importStatements: [] vault_database_secret_backend_static_role: subCategory: "" @@ -1965,12 +2095,12 @@ resources: name: vault_database_secret_backend_static_role title: vault_database_secret_backend_static_role resource examples: - - name: static_role + - name: period_role manifest: |- { "backend": "${vault_mount.db.path}", "db_name": "${vault_database_secret_backend_connection.postgres.name}", - "name": "my-static-role", + "name": "my-period-role", "rotation_period": "3600", "rotation_statements": [ "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';" @@ -1999,6 +2129,41 @@ resources: "path": "postgres", "type": "database" } + - name: schedule_role + manifest: |- + { + "backend": "${vault_mount.db.path}", + "db_name": "${vault_database_secret_backend_connection.postgres.name}", + "name": "my-schedule-role", + "rotation_schedule": "0 0 * * SAT", + "rotation_statements": [ + "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';" + ], + "rotation_window": "172800", + "username": "example" + } + references: + backend: vault_mount.db.path + db_name: vault_database_secret_backend_connection.postgres.name + dependencies: + vault_database_secret_backend_connection.postgres: |- + { + "allowed_roles": [ + "*" + ], + "backend": "${vault_mount.db.path}", + "name": "postgres", + "postgresql": [ + { + "connection_url": "postgres://username:password@host:port/database" + } + ] + } + vault_mount.db: |- + { + "path": "postgres", + "type": "database" + } argumentDocs: backend: '- (Required) The unique name of the Vault mount to configure.' db_name: '- (Required) The unique name of the database connection to use for the static role.' 
@@ -2008,8 +2173,16 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. - rotation_period: '- (Required) The amount of time Vault should wait before rotating the password, in seconds.' + rotation_period: |- + - The amount of time Vault should wait before rotating the password, in seconds. + Mutually exclusive with rotation_schedule. + rotation_schedule: |- + - A cron-style string that will define the schedule on which rotations should occur. + Mutually exclusive with rotation_period. rotation_statements: '- (Optional) Database statements to execute to rotate the password for the configured database user.' + rotation_window: |- + - (Optional) The amount of time, in seconds, in which rotations are allowed to occur starting + from a given rotation_schedule. username: '- (Required) The database username that this static role corresponds to.' importStatements: [] vault_database_secrets_mount: @@ -2235,17 +2408,25 @@ resources: name: vault_gcp_auth_backend_role title: vault_gcp_auth_backend_role resource examples: - - name: gcp + - name: test manifest: |- { + "add_group_aliases": true, "backend": "${vault_auth_backend.gcp.path}", + "bound_projects": [ + "test" + ], "bound_service_accounts": [ - "database-server@foo-bar-baz.iam.gserviceaccount.com" + "test" ], - "project_id": "foo-bar-baz", + "role": "test", + "token_max_ttl": 600, "token_policies": [ - "database-server" - ] + "policy_a", + "policy_b" + ], + "token_ttl": 300, + "type": "iam" } references: backend: vault_auth_backend.gcp.path 
@@ -3423,11 +3604,17 @@ resources: username_format: '- (Optional) A template string for mapping Identity names to MFA methods.' uuid: '- (Optional) Resource UUID.' importStatements: [] - vault_identity_mfa_pingid resource: + vault_identity_mfa_pingid: subCategory: "" description: Resource for configuring the pingid MFA method. - name: vault_identity_mfa_pingid resource + name: vault_identity_mfa_pingid title: vault_identity_mfa_pingid resource + examples: + - name: example + manifest: |- + { + "settings_file_base64": "CnVzZV9iYXNlNjR[...]HBtCg==" + } argumentDocs: admin_url: '- (Optional) The admin URL, derived from "settings_file_base64"' authenticator_url: '- (Optional) A unique identifier of the organization, derived from "settings_file_base64"' @@ -4270,7 +4457,7 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. pem_keys: '- (Optional) List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.' - token_reviewer_jwt: '- (Optional) A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.' + token_reviewer_jwt: '- (Optional) A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.' importStatements: [] vault_kubernetes_auth_backend_role: subCategory: "" 
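Review bot: The example added for `vault_identity_mfa_pingid` sets `settings_file_base64` to `CnVzZV9iYXNlNjR[...]HBtCg==`, an elided value that is not decodable base64, so a manifest produced from it cannot be applied as written. The settings file presumably carries the PingID integration credentials (the other arguments are documented as derived from it), so the example would be safer pointing at a secret reference or an explicit placeholder than at a truncated blob. Whether this field is marked sensitive in the generated API is not visible in this hunk.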
@@ -4694,6 +4881,230 @@ resources: options: '- (Optional) An object that holds option settings.' path: '- Full path where the KV-V2 secret will be written.' importStatements: [] + vault_ldap_secret_backend: + subCategory: "" + description: Creates a LDAP secret backend for Vault. + name: vault_ldap_secret_backend + title: vault_ldap_secret_backend resource + examples: + - name: config + manifest: |- + { + "binddn": "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net", + "bindpass": "SuperSecretPassw0rd", + "insecure_tls": "true", + "path": "my-custom-ldap", + "url": "ldaps://localhost", + "userdn": "CN=Users,DC=corp,DC=example,DC=net" + } + argumentDocs: + binddn: '- (Required) Distinguished name of object to bind when performing user and group search.' + bindpass: '- (Required) Password to use along with binddn when performing user search.' + certificate: |- + - (Optional) CA certificate to use when verifying LDAP server certificate, must be + x509 PEM encoded. + client_tls_cert: '- (Optional) Client certificate to provide to the LDAP server, must be x509 PEM encoded.' + client_tls_key: '- (Optional) Client certificate key to provide to the LDAP server, must be x509 PEM encoded.' + connection_timeout: |- + - (Optional) Timeout, in seconds, when attempting to connect to the LDAP server before trying + the next URL in the configuration. + default_lease_ttl_seconds: '- (Optional) Default lease duration for secrets in seconds.' + description: '- (Optional) Human-friendly description of the mount for the Active Directory backend.' + insecure_tls: |- + - (Optional) Skip LDAP server SSL Certificate verification. This is not recommended for production. + Defaults to false. + length: |- + - (Optional) Deprecated use password_policy. The desired length of passwords that Vault generates. + Mutually exclusive with + local: |- + - (Optional) Mark the secrets engine as local-only. 
Local engines are not replicated or removed by + replication.Tolerance duration to use when checking the last rotation time. + max_lease_ttl_seconds: '- (Optional) Maximum possible lease duration for secrets in seconds.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + password_policy: on vault-1.11+ + path: |- + - (Optional) The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to ldap. + request_timeout: |- + - (Optional) Timeout, in seconds, for the connection when making requests against the server + before returning back an error. + schema: '- (Optional) The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.' + starttls: '- (Optional) Issue a StartTLS command after establishing unencrypted connection.' + upndomain: '- (Optional) Enables userPrincipalDomain login with [username]@UPNDomain.' + url: |- + - (Required) LDAP URL to connect to. Multiple URLs can be specified by concatenating + them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. + userattr: '- (Optional) Attribute used when searching users. Defaults to cn.' + userdn: '- (Optional) LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.' + importStatements: [] + vault_ldap_secret_backend_dynamic_role: + subCategory: "" + description: Creates a dynamic role for the LDAP secret backend for Vault. 
+ name: vault_ldap_secret_backend_dynamic_role + title: vault_ldap_secret_backend_dynamic_role resource + examples: + - name: role + manifest: |- + { + "creation_ldif": "dn: cn={{.Username}},ou=users,dc=learn,dc=example\nobjectClass: person\nobjectClass: top\ncn: learn\nsn: {{.Password | utf16le | base64}}\nmemberOf: cn=dev,ou=groups,dc=learn,dc=example\nuserPassword: {{.Password}}\n", + "deletion_ldif": "dn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n rollback_ldif = \u003c\u003cEOT\ndn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n", + "mount": "${vault_ldap_secret_backend.config.path}", + "role_name": "alice" + } + references: + mount: vault_ldap_secret_backend.config.path + dependencies: + vault_ldap_secret_backend.config: |- + { + "binddn": "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net", + "bindpass": "SuperSecretPassw0rd", + "path": "my-custom-ldap", + "url": "ldaps://localhost", + "userdn": "CN=Users,DC=corp,DC=example,DC=net" + } + argumentDocs: + creation_ldif: |- + - (Required) A templatized LDIF string used to create a user + account. This may contain multiple LDIF entries. The creation_ldif can also + be used to add the user account to an existing group. All LDIF entries are + performed in order. If Vault encounters an error while executing the + creation_ldif it will stop at the first error and not execute any remaining + LDIF entries. If an error occurs and rollback_ldif is specified, the LDIF + entries in rollback_ldif will be executed. See rollback_ldif for more + details. This field may optionally be provided as a base64 encoded string. + default_ttl: '- (Optional) Specifies the TTL for the leases associated with this role.' + deletion_ldif: |- + - (Required) A templatized LDIF string used to delete the + user account once its TTL has expired. This may contain multiple LDIF + entries. All LDIF entries are performed in order. 
If Vault encounters an + error while executing an entry in the deletion_ldif it will attempt to + continue executing any remaining entries. This field may optionally be + provided as a base64 encoded string. + max_ttl: '- (Optional) Specifies the maximum TTL for the leases associated with this role.' + mount: |- + - (Optional) The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to ldap. + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + role_name: '- (Required) Name of the role.' + rollback_ldif: |- + - (Optional) A templatized LDIF string used to attempt to + rollback any changes in the event that execution of the creation_ldif results + in an error. This may contain multiple LDIF entries. All LDIF entries are + performed in order. If Vault encounters an error while executing an entry in + the rollback_ldif it will attempt to continue executing any remaining + entries. This field may optionally be provided as a base64 encoded string. + username_template: |- + - (Optional) A template used to generate a dynamic + username. This will be used to fill in the .Username field within the + creation_ldif string. + importStatements: [] + vault_ldap_secret_backend_library_set: + subCategory: "" + description: Creates a library on the LDAP Secret Backend for Vault. 
+ name: vault_ldap_secret_backend_library_set + title: vault_ldap_secret_backend_library_set resource + examples: + - name: qa + manifest: |- + { + "disable_check_in_enforcement": true, + "max_ttl": 120, + "mount": "${vault_ldap_secret_backend.config.path}", + "name": "qa", + "service_account_names": [ + "Bob", + "Mary" + ], + "ttl": 60 + } + references: + mount: vault_ldap_secret_backend.config.path + dependencies: + vault_ldap_secret_backend.config: |- + { + "binddn": "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net", + "bindpass": "SuperSecretPassw0rd", + "insecure_tls": "true", + "path": "ldap", + "url": "ldaps://localhost", + "userdn": "CN=Users,DC=corp,DC=example,DC=net" + } + argumentDocs: + disable_check_in_enforcement: |- + - (Optional) Disable enforcing that service + accounts must be checked in by the entity or client token that checked them + out. Defaults to false. + max_ttl: |- + - (Optional) The maximum password time-to-live in seconds. Defaults + to the configuration max_ttl if not provided. + name: |- + - (Required) The name to identify this set of service accounts. + Must be unique within the backend. + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + path: |- + - (Required) The path the LDAP secret backend is mounted at, + with no leading or trailing /s. + service_account_names: '- (Required) Specifies the slice of service accounts mapped to this set.' + ttl: |- + - (Optional) The password time-to-live in seconds. Defaults to the configuration + ttl if not provided. + importStatements: [] + vault_ldap_secret_backend_static_role: + subCategory: "" + description: Creates a static role for the LDAP secret backend for Vault. 
+ name: vault_ldap_secret_backend_static_role + title: vault_ldap_secret_backend_static_role resource + examples: + - name: role + manifest: |- + { + "dn": "cn=alice,ou=Users,DC=corp,DC=example,DC=net", + "mount": "${vault_ldap_secret_backend.config.path}", + "role_name": "alice", + "rotation_period": 60, + "username": "alice" + } + references: + mount: vault_ldap_secret_backend.config.path + dependencies: + vault_ldap_secret_backend.config: |- + { + "binddn": "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net", + "bindpass": "SuperSecretPassw0rd", + "insecure_tls": "true", + "path": "my-custom-ldap", + "url": "ldaps://localhost", + "userdn": "CN=Users,DC=corp,DC=example,DC=net" + } + argumentDocs: + dn: |- + - (Optional) Distinguished name (DN) of the existing LDAP entry to manage + password rotation for. If given, it will take precedence over username for the LDAP + search performed during password rotation. Cannot be modified after creation. + mount: |- + - (Optional) The unique path this backend should be mounted at. Must + not begin or end with a /. Defaults to ldap. + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + role_name: '- (Required) Name of the role.' + rotation_period: '- (Required) How often Vault should rotate the password of the user entry.' + username: '- (Required) The username of the existing LDAP entry to manage password rotation for.' + importStatements: [] vault_managed_keys: subCategory: "" description: Configures Managed Keys in Vault @@ -5068,6 +5479,10 @@ resources: manifest: |- { "description": "This is an example KV Version 2 secret engine mount", + "options": { + "type": "kv-v2", + "version": "2" + }, "path": "version2-example", "type": "kv-v2" } 
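Review bot: The `vault_ldap_secret_backend_dynamic_role` example in the `@@ -4694` hunk has the `rollback_ldif` heredoc fused into the `deletion_ldif` string (`...changetype: delete\n rollback_ldif = \u003c\u003cEOT\ndn: ...`), so any manifest produced from it would carry a malformed deletion LDIF and no rollback LDIF at all. The `vault_ldap_secret_backend` argumentDocs are garbled in the same way: `length` stops at "Mutually exclusive with", `local` runs on into "Tolerance duration to use when checking the last rotation time", and `password_policy` is only "on vault-1.11+". Separately, all four LDAP examples put `bindpass` inline as `SuperSecretPassw0rd` and three of them set `insecure_tls` to `"true"`. If these examples are turned into sample manifests, the bind password should come from a secret reference and certificate verification should stay on, with `certificate` supplying the CA instead.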
@@ -5130,14 +5545,14 @@ resources: vault_generic_secret.children: |- { "data_json": "${jsonencode(\n {\n \"ns\" = each.key\n }\n )}", - "for_each": "${local.child_namespaces}", - "namespace": "${vault_mount.children[each.key].namespace}", - "path": "${vault_mount.children[each.key].path}/secret" + "for_each": "${vault_mount.children}", + "namespace": "${each.value.namespace}", + "path": "${each.value.path}/secret" } vault_mount.children: |- { - "for_each": "${local.child_namespaces}", - "namespace": "${vault_namespace.children[each.key].path_fq}", + "for_each": "${vault_namespace.children}", + "namespace": "${each.value.path_fq}", "options": { "version": "1" }, 
@@ -5147,41 +5562,55 @@ resources: - name: children manifest: |- { - "for_each": "${local.child_namespaces}", + "for_each": "${var.child_namespaces}", "namespace": "${vault_namespace.parent.path}", "path": "${each.key}" } references: - for_each: local.child_namespaces + for_each: var.child_namespaces namespace: vault_namespace.parent.path path: each.key dependencies: vault_generic_secret.children: |- { "data_json": "${jsonencode(\n {\n \"ns\" = each.key\n }\n )}", - "for_each": "${local.child_namespaces}", - "namespace": "${vault_mount.children[each.key].namespace}", - "path": "${vault_mount.children[each.key].path}/secret" + "for_each": "${vault_mount.children}", + "namespace": "${each.value.namespace}", + "path": "${each.value.path}/secret" } vault_mount.children: |- { - "for_each": "${local.child_namespaces}", - "namespace": "${vault_namespace.children[each.key].path_fq}", + "for_each": "${vault_namespace.children}", + "namespace": "${each.value.path_fq}", "options": { "version": "1" }, "path": "secrets", "type": "kv" } + - name: example2 + manifest: |- + { + "path": "example2", + "provider": "${vault.example}" + } + references: + provider: vault.example argumentDocs: - id: '- ID of the namespace.' + custom_metadata: |- + - (Optional) Custom metadata describing this namespace. Value type + is map[string]string. Requires Vault version 1.12+. + id: '- The fully qualified path to the namespace, including the provider namespace and a trailing slash.' namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path: '- (Required) The path of the namespace. Must not have a trailing /' - path_fq: '- The fully qualified path to the namespace. Useful when provisioning resources in a child namespace.' + namespace_id: '- Vault server''s internal ID of the namespace.' 
+ path: '- (Required) The path of the namespace. Must not have a trailing /.' + path_fq: |- + - The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. + The path is relative to the provider's namespace argument. importStatements: [] vault_nomad_secret_backend: subCategory: "" @@ -5263,9 +5692,7 @@ resources: "token": "ae20ceaa-..." } argumentDocs: - backend: |- - - (Optional) The unique path this backend should be mounted at. Must - not begin or end with a /. Defaults to nomad. + backend: '- (Required) The unique path this backend should be mounted at.' global: |- - (Optional) Specifies if the generated token should be global. Defaults to false. @@ -5352,6 +5779,7 @@ resources: serial_number: '- The serial number' ttl: '- (Optional) Time to live' uri_sans: '- (Optional) List of alternative URIs' + user_ids: '- (Optional) List of Subject User IDs' importStatements: [] vault_pki_secret_backend_config_ca: subCategory: "" 
@@ -5379,6 +5807,60 @@ resources: Available only for Vault Enterprise. pem_bundle: '- (Required) The key and certificate PEM bundle' importStatements: [] + vault_pki_secret_backend_config_issuers: + subCategory: "" + description: Allows setting the value of the default issuer. + name: vault_pki_secret_backend_config_issuers + title: vault_pki_secret_backend_config_issuers resource + examples: + - name: config + manifest: |- + { + "backend": "${vault_mount.pki.path}", + "default": "${vault_pki_secret_backend_issuer.example.issuer_id}", + "default_follows_latest_issuer": true + } + references: + backend: vault_mount.pki.path + default: vault_pki_secret_backend_issuer.example.issuer_id + dependencies: + vault_mount.pki: |- + { + "default_lease_ttl_seconds": 3600, + "max_lease_ttl_seconds": 86400, + "path": "pki", + "type": "pki" + } + vault_pki_secret_backend_issuer.example: |- + { + "backend": "${vault_pki_secret_backend_root_cert.root.backend}", + "issuer_name": "example-issuer", + "issuer_ref": "${vault_pki_secret_backend_root_cert.root.issuer_id}" + } + vault_pki_secret_backend_root_cert.root: |- + { + "backend": "${vault_mount.pki.path}", + "common_name": "test", + "ttl": "86400", + "type": "internal" + } + argumentDocs: + backend: |- + - (Required) The path the PKI secret backend is mounted at, with no + leading or trailing /s. + default: |- + - (Required) Specifies the default issuer using the issuer ID. + NOTE: It is recommended to only set the default issuer using the ID. + While Vault does allow passing in the issuer name, this can lead to possible drifts in the Terraform state. + default_follows_latest_issuer: |- + - (Optional) Specifies whether a root creation + or an issuer import operation updates the default issuer to the newly added issuer. + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. 
+ The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + importStatements: [] vault_pki_secret_backend_config_urls: subCategory: "" description: Sets the config URL's on an PKI Secret Backend for Vault. @@ -5495,6 +5977,13 @@ resources: format: '- (Optional) The format of data' ip_sans: '- (Optional) List of alternative IPs' key_bits: '- (Optional) The number of bits to use' + key_id: '- The ID of the generated key.' + key_name: |- + - (Optional) When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + key_ref: |- + - (Optional) Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. key_type: '- (Optional) The desired key type' locality: '- (Optional) The locality' managed_key_id: |- 
@@ -5597,11 +6086,125 @@ resources: - (Required) Specifies the PEM encoded certificate. May optionally append additional CA certificates to populate the whole chain, which will then enable returning the full chain from issue and sign operations. + imported_issuers: |- + - The imported issuers indicating which issuers were created as part of + this request. + imported_keys: '- The imported keys indicating which keys were created as part of this request.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + importStatements: [] + vault_pki_secret_backend_issuer: + subCategory: "" + description: Manages the lifecycle of an existing issuer on a PKI Secret Backend. + name: vault_pki_secret_backend_issuer + title: vault_pki_secret_backend_issuer resource + examples: + - name: example + manifest: |- + { + "backend": "${vault_pki_secret_backend_root_cert.root.backend}", + "issuer_name": "example-issuer", + "issuer_ref": "${vault_pki_secret_backend_root_cert.root.issuer_id}" + } + references: + backend: vault_pki_secret_backend_root_cert.root.backend + issuer_ref: vault_pki_secret_backend_root_cert.root.issuer_id + dependencies: + vault_mount.pki: |- + { + "default_lease_ttl_seconds": 3600, + "max_lease_ttl_seconds": 86400, + "path": "pki", + "type": "pki" + } + vault_pki_secret_backend_root_cert.root: |- + { + "backend": "${vault_mount.pki.path}", + "common_name": "test", + "ttl": "86400", + "type": "internal" + } + argumentDocs: + backend: |- + - (Required) The path the PKI secret backend is mounted at, with no + leading or trailing /s. + crl_distribution_points: |- + - (Optional) Specifies the URL values for the CRL + Distribution Points field. + enable_aia_url_templating: |- + - (Optional) Specifies that the AIA URL values should + be templated. 
+ issuer_id: '- ID of the issuer.' + issuer_name: '- (Optional) Name of the issuer.' + issuer_ref: '- (Required) Reference to an existing issuer.' + issuing_certificates: |- + - (Optional) Specifies the URL values for the Issuing + Certificate field. + leaf_not_after_behavior: |- + - (Optional) Behavior of a leaf's NotAfter field during + issuance. + manual_chain: |- + - (Optional) Chain of issuer references to build this issuer's + computed CAChain field from, when non-empty. namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. + ocsp_servers: '- (Optional) Specifies the URL values for the OCSP Servers field.' + revocation_signature_algorithm: |- + - (Optional) Which signature algorithm to use + when building CRLs. + usage: '- (Optional) Allowed usages for this issuer.' + importStatements: [] + vault_pki_secret_backend_key: + subCategory: "" + description: Creates a key on a PKI Secret Backend for Vault. + name: vault_pki_secret_backend_key + title: vault_pki_secret_backend_key resource + examples: + - name: key + manifest: |- + { + "key_bits": "2048", + "key_name": "example-key", + "key_type": "rsa", + "mount": "${vault_mount.pki.path}", + "type": "exported" + } + references: + mount: vault_mount.pki.path + dependencies: + vault_mount.pki: |- + { + "default_lease_ttl_seconds": 3600, + "max_lease_ttl_seconds": 86400, + "path": "pki", + "type": "pki" + } + argumentDocs: + backend: '- (Required) The path the PKI secret backend is mounted at, with no leading or trailing /s.' + key_bits: |- + - (Optional) Specifies the number of bits to use for the generated keys. 
+ Allowed values are 0 (universal default); with key_type=rsa, allowed values are: + 2048 (default), 3072, or 4096; with key_type=ec, allowed values are: 224, 256 (default), + 384, or 521; ignored with key_type=ed25519. + key_id: '- ID of the generated key.' + key_name: |- + - (Optional) When a new key is created with this request, optionally specifies the name for this. + The global ref default may not be used as a name. + key_type: '- (Optional) Specifies the desired key type; must be rsa, ed25519 or ec.' + managed_key_id: '- (Optional) The managed key''s UUID.' + managed_key_name: '- (Optional) The managed key''s configured name.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + type: '- (Required) Specifies the type of the key to create. Can be exported,internal or kms.' importStatements: [] vault_pki_secret_backend_role: subCategory: "" 
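Review bot: In the `vault_pki_secret_backend_key` entry, the example manifest and its `references` block use `mount` (`"mount": "${vault_mount.pki.path}"`), while the argumentDocs for the same resource document the field as `backend`. One of the two is wrong, and an example generated from this entry may set a field the resource does not have. Assuming `backend` is the schema name, the example should use `"backend": "${vault_mount.pki.path}"` and the reference `backend: vault_mount.pki.path`. The `type` description also lacks a space in `exported,internal or kms`.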
@@ -5676,11 +6279,14 @@ resources: allow_ip_sans: '- (Optional) Flag to allow IP SANs' allow_localhost: '- (Optional) Flag to allow certificates for localhost' allow_subdomains: '- (Optional) Flag to allow certificates matching subdomains' + allow_wildcard_certificates: '- (Optional) Flag to allow wildcard certificates.' allowed_domains: '- (Optional) List of allowed domains for certificates' allowed_domains_template: '- (Optional) Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}.' allowed_other_sans: '- (Optional) Defines allowed custom SANs' allowed_serial_numbers: '- (Optional) An array of allowed serial numbers to put in Subject' allowed_uri_sans: '- (Optional) Defines allowed URI SANs' + allowed_uri_sans_template: '- (Optional) Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}.' + allowed_user_ids: '- (Optional) Defines allowed User IDs' backend: '- (Required) The path the PKI secret backend is mounted at, with no leading or trailing /s.' basic_constraints_valid_for_non_ca: '- (Optional) Flag to mark basic constraints valid when issuing non-CA certificates' client_flag: '- (Optional) Flag to specify certificates for client use' 
@@ -5689,12 +6295,21 @@ resources: email_protection_flag: '- (Optional) Flag to specify certificates for email protection use' enforce_hostnames: '- (Optional) Flag to allow only valid host names' ext_key_usage: '- (Optional) Specify the allowed extended key usage constraint on issued certificates' + ext_key_usage_oids: '- (Optional) Specify the allowed extended key usage OIDs constraint on issued certificates' generate_lease: '- (Optional) Flag to generate leases with certificates' + issuer_ref: |- + - (Optional) Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. key_bits: '- (Optional) The number of bits of generated keys' key_type: |- - (Optional) The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa - key_usage: '- (Optional) Specify the allowed key usage constraint on issued certificates' + key_usage: |- + - (Optional) Specify the allowed key usage constraint on issued + certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). + To specify no default key usage constraints, set this to an empty list []. locality: '- (Optional) The locality of generated certificates' max_ttl: '- (Optional, integer) The maximum lease TTL, in seconds, for the role.' name: '- (Required) The name to identify this role within the backend. Must be unique within the backend.' 
@@ -5756,8 +6371,19 @@ resources: exclude_cn_from_sans: '- (Optional) Flag to exclude CN from SANs' format: '- (Optional) The format of data' ip_sans: '- (Optional) List of alternative IPs' + issuer_id: '- The ID of the generated issuer.' + issuer_name: |- + - (Optional) Provides a name to the specified issuer. The name must be unique + across all issuers and not be the reserved value default issuing_ca: '- The issuing CA certificate.' key_bits: '- (Optional) The number of bits to use' + key_id: '- The ID of the generated key.' + key_name: |- + - (Optional) When a new key is created with this request, optionally specifies + the name for this. The global ref default may not be used as a name. + key_ref: |- + - (Optional) Specifies the key (either default, by name, or by identifier) to use + for generating this request. Only suitable for type=existing requests. key_type: '- (Optional) The desired key type' locality: '- (Optional) The locality' managed_key_id: |- @@ -5820,6 +6446,11 @@ resources: expiration: '- The expiration date of the certificate in unix epoch format' format: '- (Optional) The format of data' ip_sans: '- (Optional) List of alternative IPs' + issuer_ref: |- + - (Optional) Specifies the default issuer of this request. Can + be the value default, a name, or an issuer ID. Use ACLs to prevent access to + the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users + overriding the role's issuer_ref value. issuing_ca: '- The issuing CA' min_seconds_remaining: '- (Optional) Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days)' name: '- (Required) Name of the role to create the certificate against' 
@@ -5886,6 +6517,7 @@ resources: Updating this field on an existing quota can have "moving" effects. For example, updating auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. + role: '- (Optional) If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.' importStatements: [] vault_quota_rate_limit: subCategory: "" @@ -5921,6 +6553,7 @@ resources: rate: |- - (Required) The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. + role: '- (Optional) If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.' importStatements: [] vault_rabbitmq_secret_backend: subCategory: "" 
@@ -6205,6 +6838,433 @@ resources: Available only for Vault Enterprise. policy: '- (Required) String containing a Sentinel policy' importStatements: [] + vault_saml_auth_backend: + subCategory: "" + description: Manages SAML Auth mounts in Vault. + name: vault_saml_auth_backend + title: vault_saml_auth_backend resource + examples: + - name: test + manifest: |- + { + "acs_urls": [ + "https://my.vault.primary/v1/auth/saml/callback" + ], + "default_role": "admin", + "entity_id": "https://my.vault/v1/auth/saml", + "idp_metadata_url": "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata", + "path": "saml" + } + argumentDocs: + acs_urls: |- + - (Optional) The well-formatted URLs of your Assertion Consumer Service (ACS) + that should receive a response from the identity provider. + default_role: '- (Optional) The role to use if no role is provided during login.' + disable_remount: |- + - (Optional) If set to true, opts out of mount migration on path updates. + See here for more info on Mount Migration + entity_id: '- (Optional) The entity ID of the SAML authentication service provider.' + idp_cert: |- + (Optional) The PEM encoded certificate of the identity provider. Mutually exclusive + with idp_metadata_url. + idp_entity_id: |- + (Optional) The entity ID of the identity provider. Mutually exclusive with + idp_metadata_url. + idp_metadata_url: '- (Optional) The metadata URL of the identity provider.' + idp_sso_url: |- + (Optional) The SSO URL of the identity provider. Mutually exclusive with + idp_metadata_url. + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + path: |- + - (Optional) Path where the auth backend will be mounted. Defaults to auth/saml + if not specified. 
+ verbose_logging: |- + - (Optional) If set to true, logs additional, potentially sensitive + information during the SAML exchange according to the current logging level. Not + recommended for production. + importStatements: [] + vault_saml_auth_backend_role: + subCategory: "" + description: Manages SAML auth backend roles in Vault. + name: vault_saml_auth_backend_role + title: vault_saml_auth_backend_role resource + examples: + - name: example + manifest: |- + { + "bound_attributes": { + "group": "admin" + }, + "bound_subjects": [ + "*example.com" + ], + "groups_attribute": "groups", + "name": "my-role", + "path": "${vault_saml_auth_backend.example.path}", + "token_policies": [ + "writer" + ], + "token_ttl": 86400 + } + references: + path: vault_saml_auth_backend.example.path + dependencies: + vault_saml_auth_backend.example: |- + { + "acs_urls": [ + "https://my.vault.primary/v1/auth/saml/callback" + ], + "default_role": "default-role", + "entity_id": "https://my.vault/v1/auth/saml", + "idp_metadata_url": "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata", + "path": "saml" + } + argumentDocs: + bound_attributes: |- + - (Optional) Mapping of attribute names to values that are expected to + exist in the SAML assertion. + bound_attributes_type: |- + - (Optional) The type of matching assertion to perform on + bound_attributes_type. + bound_subjects: '- (Optional) List of subjects being asserted for SAML authentication.' + bound_subjects_type: '- (Optional) The type of matching assertion to perform on bound_subjects.' + groups_attribute: |- + - (Optional) The attribute to use to identify the set of groups to which the + user belongs. + name: '- (Required) Unique name of the role.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. 
+ path: '- (Required) Path where the auth backend is mounted.' + token_bound_cidrs: |- + - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + token_explicit_max_ttl: |- + - (Optional) If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + token_max_ttl: |- + - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_no_default_policy: |- + - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + token_num_uses: |- + - (Optional) The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + token_period: |- + - (Optional) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. + token_policies: |- + - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + token_ttl: |- + - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_type: |- + - (Optional) The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. 
+ importStatements: [] + vault_secrets_sync_association: + subCategory: "" + description: Triggers a sync operation in Vault and links a secret to an existing destination + name: vault_secrets_sync_association + title: vault_secrets_sync_association resource + examples: + - name: gh_token + manifest: |- + { + "mount": "${vault_mount.kvv2.path}", + "name": "${vault_secrets_sync_gh_destination.gh.name}", + "secret_name": "${vault_kv_secret_v2.token.name}", + "type": "${vault_secrets_sync_gh_destination.gh.type}" + } + references: + mount: vault_mount.kvv2.path + name: vault_secrets_sync_gh_destination.gh.name + secret_name: vault_kv_secret_v2.token.name + type: vault_secrets_sync_gh_destination.gh.type + dependencies: + vault_kv_secret_v2.token: |- + { + "data_json": "${jsonencode(\n {\n dev = \"B!gS3cr3t\",\n prod = \"S3cureP4$$\"\n }\n )}", + "mount": "${vault_mount.kvv2.path}", + "name": "token" + } + vault_mount.kvv2: |- + { + "description": "KV Version 2 secret engine mount", + "options": { + "version": "2" + }, + "path": "kvv2", + "type": "kv" + } + vault_secrets_sync_gh_destination.gh: |- + { + "access_token": "${var.access_token}", + "name": "gh-dest", + "repository_name": "repo-name-example", + "repository_owner": "${var.repo_owner}", + "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" + } + argumentDocs: + mount: '- (Required) Specifies the mount where the secret is located.' + name: '- (Required) Specifies the name of the destination.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + secret_name: '- (Required) Specifies the name of the secret to synchronize.' + sync_status: '- Specifies the status of the association (for eg. SYNCED).' + type: '- (Required) Specifies the destination type.' 
+ updated_at: '- Duration string specifying when the secret was last updated.' + importStatements: [] + vault_secrets_sync_aws_destination: + subCategory: "" + description: Creates an AWS destination to synchronize secrets in Vault + name: vault_secrets_sync_aws_destination + title: vault_secrets_sync_aws_destination resource + examples: + - name: aws + manifest: |- + { + "access_key_id": "${var.access_key_id}", + "custom_tags": { + "foo": "bar" + }, + "name": "aws-dest", + "region": "us-east-1", + "secret_access_key": "${var.secret_access_key}", + "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" + } + references: + access_key_id: var.access_key_id + secret_access_key: var.secret_access_key + argumentDocs: + access_key_id: |- + - (Optional) Access key id to authenticate against the AWS secrets manager. + Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment + variable. + custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + name: '- (Required) Unique name of the AWS destination.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + region: |- + - (Optional) Region where to manage the secrets manager entries. + Can be omitted and directly provided to Vault using the AWS_REGION environment + variable. + secret_access_key: |- + - (Optional) Secret access key to authenticate against the AWS secrets manager. + Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment + variable. + secret_name_template: |- + - (Optional) Template describing how to generate external secret names. + Supports a subset of the Go Template syntax. + type: '- The type of the secrets destination (aws-sm).' 
+ importStatements: [] + vault_secrets_sync_azure_destination: + subCategory: "" + description: Creates a Azure destination to synchronize secrets in Vault + name: vault_secrets_sync_azure_destination + title: vault_secrets_sync_azure_destination resource + examples: + - name: az + manifest: |- + { + "client_id": "${var.client_id}", + "client_secret": "${var.client_secret}", + "custom_tags": { + "foo": "bar" + }, + "key_vault_uri": "${var.key_vault_uri}", + "name": "az-dest", + "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}", + "tenant_id": "${var.tenant_id}" + } + references: + client_id: var.client_id + client_secret: var.client_secret + key_vault_uri: var.key_vault_uri + tenant_id: var.tenant_id + argumentDocs: + client_id: |- + - (Optional) Client ID of an Azure app registration. + Can be omitted and directly provided to Vault using the AZURE_CLIENT_ID environment + variable. + client_secret: |- + - (Optional) Client Secret of an Azure app registration. + Can be omitted and directly provided to Vault using the AZURE_CLIENT_SECRET environment + variable. + cloud: '- (Optional) Specifies a cloud for the client. The default is Azure Public Cloud.' + custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + key_vault_uri: |- + - (Optional) URI of an existing Azure Key Vault instance. + Can be omitted and directly provided to Vault using the KEY_VAULT_URI environment + variable. + name: '- (Required) Unique name of the Azure destination.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + secret_name_template: |- + - (Optional) Template describing how to generate external secret names. + Supports a subset of the Go Template syntax. + tenant_id: |- + - (Optional) ID of the target Azure tenant. 
+ Can be omitted and directly provided to Vault using the AZURE_TENANT_ID environment + variable. + type: '- The type of the secrets destination (azure-kv).' + importStatements: [] + vault_secrets_sync_config: + subCategory: "" + description: Configures the secret sync global config. + name: vault_secrets_sync_config + title: vault_secrets_sync_config resource + examples: + - name: global_config + manifest: |- + { + "disabled": true, + "queue_capacity": 500000 + } + argumentDocs: + disabled: '- (Optional) Disables the syncing process between Vault and external destinations. Defaults to false.' + namespace: |- + - (Optional) The namespace to provision the resource in. + This resource can only be configured in the root namespace. + Available only for Vault Enterprise. + queue_capacity: '- (Optional) Maximum number of pending sync operations allowed on the queue. Defaults to 1000000.' + importStatements: [] + vault_secrets_sync_gcp_destination: + subCategory: "" + description: Creates a GCP destination to synchronize secrets in Vault + name: vault_secrets_sync_gcp_destination + title: vault_secrets_sync_gcp_destination resource + examples: + - name: gcp + manifest: |- + { + "credentials": "${file(var.credentials_file)}", + "custom_tags": { + "foo": "bar" + }, + "name": "gcp-dest", + "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" + } + argumentDocs: + credentials: |- + - (Optional) JSON-encoded credentials to use to connect to GCP. + Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment + variable. + custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + name: '- (Required) Unique name of the GCP destination.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. 
+ secret_name_template: |- + - (Optional) Template describing how to generate external secret names. + Supports a subset of the Go Template syntax. + type: '- The type of the secrets destination (gcp-sm).' + importStatements: [] + vault_secrets_sync_gh_destination: + subCategory: "" + description: Creates a GitHub destination to synchronize secrets in Vault + name: vault_secrets_sync_gh_destination + title: vault_secrets_sync_gh_destination resource + examples: + - name: gh + manifest: |- + { + "access_token": "${var.access_token}", + "name": "gh-dest", + "repository_name": "repo-name-example", + "repository_owner": "${var.repo_owner}", + "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" + } + references: + access_token: var.access_token + repository_owner: var.repo_owner + argumentDocs: + access_token: |- + - (Optional) Fine-grained or personal access token. + Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment + variable. + name: '- (Required) Unique name of the GitHub destination.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + repository_name: |- + - (Optional) Name of the repository. + Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment + variable. + repository_owner: |- + - (Optional) GitHub organization or username that owns the repository. + Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment + variable. + secret_name_template: |- + - (Optional) Template describing how to generate external secret names. + Supports a subset of the Go Template syntax. + type: '- The type of the secrets destination (gh).' 
+ importStatements: [] + vault_secrets_sync_vercel_destination: + subCategory: "" + description: Creates a GitHub destination to synchronize secrets in Vault + name: vault_secrets_sync_vercel_destination + title: vault_secrets_sync_vercel_destination resource + examples: + - name: vercel + manifest: |- + { + "access_token": "${var.access_token}", + "deployment_environments": [ + "development", + "preview", + "production" + ], + "name": "vercel-dest", + "project_id": "${var.project_id}", + "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" + } + references: + access_token: var.access_token + project_id: var.project_id + argumentDocs: + access_token: |- + - (Required) Vercel API access token with the permissions to manage environment + variables. + deployment_environments: |- + - (Required) Deployment environments where the environment variables + are available. Accepts development, preview and production. + name: '- (Required) Unique name of the GitHub destination.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + project_id: '- (Required) Project ID where to manage environment variables.' + secret_name_template: |- + - (Optional) Template describing how to generate external secret names. + Supports a subset of the Go Template syntax. + team_id: '- (Optional) Team ID where to manage environment variables.' + type: '- The type of the secrets destination (vercel-project).' + importStatements: [] vault_ssh_secret_backend_ca: subCategory: "" description: Managing CA information in an SSH secret backend in Vault 
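Review bot: The new `vault_secrets_sync_vercel_destination` entry is labelled as a GitHub destination: its `description` reads "Creates a GitHub destination to synchronize secrets in Vault" and its `name` argument doc says "Unique name of the GitHub destination", both apparently carried over from the `vault_secrets_sync_gh_destination` entry earlier in this hunk. This resource synchronizes Vault secrets to an external system, so documentation that names the wrong target makes it harder for an operator to confirm where secrets will end up. I would change the two lines to `description: Creates a Vercel destination to synchronize secrets in Vault` and `name: '- (Required) Unique name of the Vercel destination.'`. The text looks scraped from the upstream provider documentation, so the durable fix probably belongs there or in a documentation override rather than in a hand edit of this file.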
@@ -6281,6 +7341,9 @@ resources: allow_user_key_ids: '- (Optional) Specifies if users can override the key ID for a signed certificate with the key_id field.' allowed_critical_options: '- (Optional) Specifies a comma-separated list of critical options that certificates can have when signed.' allowed_domains: '- (Optional) The list of domains for which a client can request a host certificate.' + allowed_domains_template: |- + - (Optional) Specifies if allowed_domains can be declared using + identity template policies. Non-templated domains are also permitted. allowed_extensions: '- (Optional) Specifies a comma-separated list of extensions that certificates can have when signed.' allowed_user_key_config: |- - (Optional) Set of configuration blocks to define allowed @@ -6312,6 +7375,9 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. + not_before_duration: |- + - (Optional) Specifies the duration by which to backdate the ValidAfter property. + Uses duration format strings. ttl: '- (Optional) Specifies the Time To Live value.' type: |- - (Required) The SSH public key type. @@ -6466,7 +7532,7 @@ resources: argumentDocs: client_token: '- String containing the client token if stored in present file' display_name: '- (Optional) String containing the token display name' - explicit_max_ttl: '- (Optional) The explicit max TTL of this token' + explicit_max_ttl: '- (Optional) The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m"' lease_duration: '- String containing the token lease duration if present in state file' lease_started: '- String containing the token lease started time if present in state file' metadata: '- (Optional) Metadata to be set on this token' 
@@ -6478,13 +7544,13 @@ resources: no_default_policy: '- (Optional) Flag to not attach the default policy to this token' no_parent: '- (Optional) Flag to create a token without parent' num_uses: '- (Optional) The number of allowed uses of this token' - period: '- (Optional) The period of this token' + period: '- (Optional) The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m"' policies: '- (Optional) List of policies to attach to this token' - renew_increment: '- (Optional) The renew increment' + renew_increment: '- (Optional) The renew increment. This is specified in seconds' renew_min_lease: '- (Optional) The minimal lease to renew this token' renewable: '- (Optional) Flag to allow to renew this token' role_name: '- (Optional) The token role name' - ttl: '- (Optional) The TTL period of this token' + ttl: '- (Optional) The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m"' importStatements: [] vault_token_auth_backend_role: subCategory: "" @@ -6748,7 +7814,7 @@ resources: allow_plaintext_backup: '- (Optional) Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.' auto_rotate_interval: '- Replaced by auto_rotate_period.' auto_rotate_period: |- - - (Optional) Amount of time the key should live before being automatically rotated. + - (Optional) Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. backend: '- (Required) The path the transit secret backend is mounted at, with no leading or trailing /s.' convergent_encryption: '- (Optional) Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.' 
@@ -6757,6 +7823,7 @@ resources: derived: '- (Optional) Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.' ed25519: ', ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:' exportable: '- (Optional) Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.' + key_size: '- (Optional) The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.' keys: '- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.' latest_version: '- Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key''s information can be referenced from keys by selecting element 0' min_available_version: '- Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.' 
@@ -6773,7 +7840,7 @@ resources: supports_derivation: '- Whether or not the key supports derivation, based on key type.' supports_encryption: '- Whether or not the key supports encryption, based on key type.' supports_signing: '- Whether or not the key supports signing, based on key type.' - type: '- (Optional) Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096.' + type: '- (Optional) Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.' importStatements: [] vault_transit_secret_cache_config: subCategory: "" diff --git a/config/schema.json b/config/schema.json index 4db0fee1..23b07562 100644 --- a/config/schema.json +++ b/config/schema.json 
@@ -1 +1 @@ -{"format_version":"1.0","provider_schemas":{"registry.terraform.io/hashicorp/vault":{"provider":{"version":0,"block":{"attributes":{"add_address_to_env":{"type":"string","description":"If true, adds the value of the `address` argument to the Terraform process environment.","description_kind":"plain","optional":true},"address":{"type":"string","description":"URL of the root of the target Vault server.","description_kind":"plain","required":true},"ca_cert_dir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate.","description_kind":"plain","optional":true},"ca_cert_file":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum TTL for secret leases requested by this provider.","description_kind":"plain","optional":true},"max_retries":{"type":"number","description":"Maximum number of retries when a 5xx error code is encountered.","description_kind":"plain","optional":true},"max_retries_ccc":{"type":"number","description":"Maximum number of retries for Client Controlled Consistency related operations","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The namespace to use. 
Available only for Vault Enterprise.","description_kind":"plain","optional":true},"skip_child_token":{"type":"bool","description":"Set this to true to prevent the creation of ephemeral child token used by this provider.","description_kind":"plain","optional":true},"skip_get_vault_version":{"type":"bool","description":"Skip the dynamic fetching of the Vault server version.","description_kind":"plain","optional":true},"skip_tls_verify":{"type":"bool","description":"Set this to true only if the target Vault server is an insecure development instance.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"Name to use as the SNI host when connecting via TLS.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Token to use to authenticate to Vault.","description_kind":"plain","optional":true},"token_name":{"type":"string","description":"Token name to use for creating the Vault child token.","description_kind":"plain","optional":true},"vault_version_override":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server","description_kind":"plain","optional":true}},"block_types":{"auth_login":{"nesting_mode":"list","block":{"attributes":{"method":{"type":"string","description_kind":"plain","optional":true},"namespace":{"type":"string","description_kind":"plain","optional":true},"parameters":{"type":["map","string"],"description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","required":true}},"description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login","description_kind":"plain"},"max_items":1},"auth_login_aws":{"nesting_mode":"list","block":{"attributes":{"aws_access_key_id":{"type":"string","description":"The AWS access key ID.","description_kind":"plain","optional":true},"aws_iam_endpoint":{"type":"string","description":"The IAM endpoint 
URL.","description_kind":"plain","optional":true},"aws_profile":{"type":"string","description":"The name of the AWS profile.","description_kind":"plain","optional":true},"aws_region":{"type":"string","description":"The AWS region.","description_kind":"plain","optional":true},"aws_role_arn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_role_session_name":{"type":"string","description":"Specifies the name to attach to the AWS role session. Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"The AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"The AWS session token.","description_kind":"plain","optional":true},"aws_shared_credentials_file":{"type":"string","description":"Path to the AWS shared credentials file.","description_kind":"plain","optional":true},"aws_sts_endpoint":{"type":"string","description":"The STS endpoint URL.","description_kind":"plain","optional":true},"aws_web_identity_token_file":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.","description_kind":"plain","optional":true},"header_value":{"type":"string","description":"The Vault header value to include in the STS signing request.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"role":{"type":"string","description":"The Vault role to use when logging into Vault.","description_kind":"plain","required":true}},"description":"Login to vault using the AWS 
method","description_kind":"plain"},"max_items":1},"auth_login_azure":{"nesting_mode":"list","block":{"attributes":{"client_id":{"type":"string","description":"The identity's client ID.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token. If not specified on will be created automatically","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"resource_group_name":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"scope":{"type":"string","description":"The scopes to include in the token request.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.","description_kind":"plain","optional":true},"vm_name":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","optional":true},"vmss_name":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. 
This information can be obtained through instance metadata.","description_kind":"plain","optional":true}},"description":"Login to vault using the azure method","description_kind":"plain"},"max_items":1},"auth_login_cert":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","required":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the certificate's role","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true}},"description":"Login to vault using the cert method","description_kind":"plain"},"max_items":1},"auth_login_gcp":{"nesting_mode":"list","block":{"attributes":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"service_account":{"type":"string","description":"IAM service account.","description_kind":"plain","optional":true}},"description":"Login to vault using the gcp 
method","description_kind":"plain"},"max_items":1},"auth_login_jwt":{"nesting_mode":"list","block":{"attributes":{"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true}},"description":"Login to vault using the jwt method","description_kind":"plain"},"max_items":1},"auth_login_kerberos":{"nesting_mode":"list","block":{"attributes":{"disable_fast_negotiation":{"type":"bool","description":"Disable the Kerberos FAST negotiation.","description_kind":"plain","optional":true},"keytab_path":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.","description_kind":"plain","optional":true},"krb5conf_path":{"type":"string","description":"A valid Kerberos configuration file e.g. 
/etc/krb5.conf.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain","description_kind":"plain","optional":true},"remove_instance_name":{"type":"bool","description":"Strip the host from the username found in the keytab.","description_kind":"plain","optional":true},"service":{"type":"string","description":"The service principle name.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to login into Kerberos with.","description_kind":"plain","optional":true}},"description":"Login to vault using the kerberos method","description_kind":"plain"},"max_items":1},"auth_login_oci":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Authentication type to use when getting OCI credentials.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true}},"description":"Login to vault using the OCI method","description_kind":"plain"},"max_items":1},"auth_login_oidc":{"nesting_mode":"list","block":{"attributes":{"callback_address":{"type":"string","description":"The callback address. 
Must be a valid URI without the path.","description_kind":"plain","optional":true},"callback_listener_address":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true}},"description":"Login to vault using the oidc method","description_kind":"plain"},"max_items":1},"auth_login_radius":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The Radius password for username.","description_kind":"plain","required":true},"username":{"type":"string","description":"The Radius username.","description_kind":"plain","required":true}},"description":"Login to vault using the radius method","description_kind":"plain"},"max_items":1},"auth_login_userpass":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Login with password","description_kind":"plain","optional":true},"password_file":{"type":"string","description":"Login with password from a 
file","description_kind":"plain","optional":true},"username":{"type":"string","description":"Login with username","description_kind":"plain","required":true}},"description":"Login to vault using the userpass method","description_kind":"plain"},"max_items":1},"client_auth":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","optional":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","optional":true}},"description":"Client authentication credentials.","description_kind":"plain"},"max_items":1},"headers":{"nesting_mode":"list","block":{"attributes":{"name":{"type":"string","description":"The header name","description_kind":"plain","required":true},"value":{"type":"string","description":"The header value","description_kind":"plain","required":true}},"description":"The headers to send with each Vault request.","description_kind":"plain"}}},"description_kind":"plain"}},"resource_schemas":{"vault_ad_secret_backend":{"version":0,"block":{"attributes":{"anonymous_group_search":{"type":"bool","description":"Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for a backend, for example, the path given in \"$ vault auth enable -path=my-ad ad\".","description_kind":"plain","optional":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user DN.","description_kind":"plain","required":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description":"If true, case 
sensitivity will be used when comparing usernames and groups for matching policies.","description_kind":"plain","optional":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"deny_null_bind":{"type":"bool","description":"Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description":"Use anonymous bind to discover the bind DN of a user.","description_kind":"plain","optional":true},"formatter":{"type":"string","description":"Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. 
Default: cn","description_kind":"plain","optional":true},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)","description_kind":"plain","optional":true},"groupfilter":{"type":"string","description":"Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"last_rotation_tolerance":{"type":"number","description":"The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.","description_kind":"plain","optional":true,"computed":true},"length":{"type":"number","description":"The desired length of passwords that Vault generates.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"In seconds, the maximum password time-to-live.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description":"Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true},"use_pre111_group_cn_behavior":{"type":"bool","description":"In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. 
It is enabled by default if the config is upgraded but disabled by default on new configurations.","description_kind":"plain","optional":true,"computed":true},"use_token_groups":{"type":"bool","description":"If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.","description_kind":"plain","optional":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ad_secret_library":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time, in seconds, a check-out last with renewal before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set. 
These service accounts must already exist in Active Directory.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The amount of time, in seconds, a single check-out lasts before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this service account's password.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password_last_set":{"type":"string","description":"Last time Vault set this service account's password.","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The username/logon name for the service account with which this role will be associated.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_alicloud_auth_backend_role":{"version":0,"block":{"attributes":{"arn":{"type":"string","description":"The role's arn.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Auth backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of the role reflected in the arn.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor for the token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The 
token.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"How long the token is valid for.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The timestamp the lease started on, as determined by the machine running Terraform.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with the token.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies set on the token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"Whether the token is renewable or not.","description_kind":"plain","computed":true},"role_id":{"type":"string","description":"The RoleID to log in with.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to log in with.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bind_secret_id":{"type":"bool","description":"Whether or not to require secret_id to be present when logging in using this AppRole.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role. 
Autogenerated if not set.","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id_bound_cidrs":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the AppRole.","description_kind":"plain","optional":true},"secret_id_num_uses":{"type":"number","description":"Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses.","description_kind":"plain","optional":true},"secret_id_ttl":{"type":"number","description":"Number of seconds a SecretID remains valid for.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in 
seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role_secret_id":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The unique ID used to access this SecretID.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cidr_list":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the SecretID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to be managed. If not specified, Vault auto-generates one.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"with_wrapped_accessor":{"type":"bool","description":"Use the wrapped secret-id accessor as the id of this resource. 
If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping.","description_kind":"plain","optional":true},"wrapping_accessor":{"type":"string","description":"The wrapped SecretID accessor.","description_kind":"plain","computed":true},"wrapping_token":{"type":"string","description":"The wrapped SecretID token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL duration of the wrapped SecretID.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_audit":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"Human-friendly description of the audit device.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Configuration options to pass to the audit device itself.","description_kind":"plain","required":true},"path":{"type":"string","description":"Path in which to enable the audit device.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_audit_request_header":{"version":0,"block":{"attributes":{"hmac":{"type":"bool","description":"Whether this header's value should be HMAC'd in the audit logs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the request header to audit.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend. 
This defaults to the type.","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Name of the auth backend","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_auth_backend_cert":{"version":0,"block":{"attributes":{"aws_public_cert":{"type":"string","description":"Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cert_name":{"type":"string","description":"Name of the certificate to configure.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of document that can be verified using the certificate. 
Must be either \"pkcs7\" or \"identity\".","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_client":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS Access key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS EC2 API calls.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS IAM API calls.","description_kind":"plain","optional":true},"iam_server_id_header_value":{"type":"string","description":"The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS STS API calls.","description_kind":"plain","optional":true},"sts_region":{"type":"string","description":"Region to override the default region for making AWS STS API calls.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_config_identity":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_alias":{"type":"string","description":"Configures how to generate the identity alias when using the ec2 auth method.","description_kind":"plain","optional":true},"ec2_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"iam_alias":{"type":"string","description":"How to generate the identity alias when using the iam auth method.","description_kind":"plain","optional":true},"iam_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_identity_whitelist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the identiy whitelist 
entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor returned from Vault for this token.","description_kind":"plain","computed":true},"auth_type":{"type":"string","description":"The auth method used to generate this token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"AWS Auth Backend to read the token from.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The token returned by Vault.","description_kind":"plain","computed":true,"sensitive":true},"iam_http_request_method":{"type":"string","description":"The HTTP method used in the signed request.","description_kind":"plain","optional":true},"iam_request_body":{"type":"string","description":"The Base64-encoded body of the signed request.","description_kind":"plain","optional":true},"iam_request_headers":{"type":"string","description":"The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers.","description_kind":"plain","optional":true},"iam_request_url":{"type":"string","description":"The Base64-encoded HTTP URL used in the signed request.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity":{"type":"string","description":"Base64-encoded EC2 instance identity document to authenticate 
with.","description_kind":"plain","optional":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"The metadata reported by the Vault server.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"nonce":{"type":"string","description":"The nonce to be used for subsequent login requests.","description_kind":"plain","optional":true,"computed":true},"pkcs7":{"type":"string","description":"PKCS7 signature of the identity document to authenticate with, with all newline characters removed.","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"The policies assigned to this token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"role":{"type":"string","description":"AWS Auth Role to read the token from.","description_kind":"plain","optional":true,"computed":true},"signature":{"type":"string","description":"Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"When true, allows migration of the underlying instance where the client resides. 
Use with caution.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"The auth type permitted for this role.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_account_ids":{"type":["set","string"],"description":"Only EC2 instances with this account ID in their identity document will be permitted to log in.","description_kind":"plain","optional":true},"bound_ami_ids":{"type":["set","string"],"description":"Only EC2 instances using this AMI ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_ec2_instance_ids":{"type":["set","string"],"description":"Only EC2 instances that match this instance ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_instance_profile_arns":{"type":["set","string"],"description":"Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_principal_arns":{"type":["set","string"],"description":"The IAM principal that must be authenticated using the iam auth method.","description_kind":"plain","optional":true},"bound_iam_role_arns":{"type":["set","string"],"description":"Only EC2 instances that match this IAM role ARN will be permitted to log in.","description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description":"Only EC2 instances in this region will be permitted to log in.","description_kind":"plain","optional":true},"bound_subnet_ids":{"type":["set","string"],"description":"Only EC2 instances associated with this subnet ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_vpc_ids":{"type":["set","string"],"description":"Only EC2 instances associated with this VPC ID will be permitted to log 
in.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"When true, only allows a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inferred_aws_region":{"type":"string","description":"The region to search for the inferred entities in.","description_kind":"plain","optional":true},"inferred_entity_type":{"type":"string","description":"The type of inferencing Vault should do.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resolve_aws_unique_ids":{"type":"bool","description":"Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_id":{"type":"string","description":"The Vault generated role ID.","description_kind":"plain","computed":true},"role_tag":{"type":"string","description":"The key of the tag on EC2 instance to use for role tags.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy 
will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role_tag":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"Allows migration of the underlying instance where the client resides.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"AWS auth backend to read tags from.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"Only allow a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"instance_id":{"type":"string","description":"Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of tokens issued using this role.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be associated with the tag.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"tag_key":{"type":"string","description_kind":"plain","computed":true},"tag_value":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_roletag_blacklist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","required":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the roletag blacklist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_sts_role":{"version":0,"block":{"attributes":{"account_id":{"type":"string","description":"AWS account ID to be associated with STS role.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"sts_role":{"type":"string","description":"AWS ARN for STS role to be assumed when interacting with the account specified.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_secret_backend":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"The AWS Access Key ID to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"region":{"type":"string","description":"The AWS region to make API calls against. 
Defaults to us-east-1.","description_kind":"plain","optional":true,"computed":true},"secret_key":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the AWS Secret Backend the role belongs to.","description_kind":"plain","required":true},"credential_type":{"type":"string","description":"Role credential type.","description_kind":"plain","required":true},"default_sts_ttl":{"type":"number","description":"The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"iam_groups":{"type":["set","string"],"description":"A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_sts_ttl":{"type":"number","description":"The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). 
Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permissions_boundary_arn":{"type":"string","description":"The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.","description_kind":"plain","optional":true},"policy_arns":{"type":["set","string"],"description":"ARN for an existing IAM policy the role should use.","description_kind":"plain","optional":true},"policy_document":{"type":"string","description":"IAM policy the role should use in JSON format.","description_kind":"plain","optional":true},"role_arns":{"type":["set","string"],"description":"ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'","description_kind":"plain","optional":true},"user_path":{"type":"string","description":"The path for the user name. Valid only when credential_type is iam_user. Default is /","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. 
Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resource":{"type":"string","description":"The configured URL for the application registered in Azure Active Directory.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_group_ids":{"type":["list","string"],"description":"The list of group ids that login is restricted to.","description_kind":"plain","optional":true},"bound_locations":{"type":["list","string"],"description":"The list of locations that login is restricted to.","description_kind":"plain","optional":true},"bound_resource_groups":{"type":["list","string"],"description":"The list of resource groups that login is restricted to.","description_kind":"plain","optional":true},"bound_scale_sets":{"type":["list","string"],"description":"The list of scale set names that the login is restricted to.","description_kind":"plain","optional":true},"bound_service_principal_ids":{"type":["list","string"],"description":"The 
list of Service Principal IDs that login is restricted to.","description_kind":"plain","optional":true},"bound_subscription_ids":{"type":["list","string"],"description":"The list of subscription IDs that login is restricted to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_secret_backend":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription id for the Azure Active Directory.","description_kind":"plain","required":true,"sensitive":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true},"use_microsoft_graph_api":{"type":"bool","description":"Use the Microsoft Graph API. 
Should be set to true on vault-1.10+","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_azure_secret_backend_role":{"version":0,"block":{"attributes":{"application_object_id":{"type":"string","description":"Application Object ID for an existing service principal that will be used instead of creating dynamic service principals.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role to create","description_kind":"plain","required":true},"ttl":{"type":"string","description":"Human-friendly description of the mount for the 
backend.","description_kind":"plain","optional":true}},"block_types":{"azure_groups":{"nesting_mode":"set","block":{"attributes":{"group_name":{"type":"string","description_kind":"plain","required":true},"object_id":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"azure_roles":{"nesting_mode":"set","block":{"attributes":{"role_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"scope":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_cert_auth_backend_role":{"version":1,"block":{"attributes":{"allowed_common_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_dns_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_email_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_organization_units":{"type":["set","string"],"description_kind":"plain","deprecated":true,"optional":true,"computed":true},"allowed_organizational_units":{"type":["set","string"],"description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"certificate":{"type":"string","description_kind":"plain","required":true},"display_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"required_extensions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_consul_secret_backend":{"version":0,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","required":true},"bootstrap":{"type":"bool","description":"Denotes a backend resource that is used to bootstrap the Consul ACL system. 
Only one resource may be used to bootstrap.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the Vault Consul mount to configure","description_kind":"plain","optional":true},"scheme":{"type":"string","description":"Specifies the URL scheme to use. 
Defaults to \"http\".","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_consul_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Consul Secret Backend the role belongs to.","description_kind":"plain","optional":true},"consul_namespace":{"type":"string","description":"The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+","description_kind":"plain","optional":true,"computed":true},"consul_policies":{"type":["set","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"consul_roles":{"type":["set","string"],"description":"Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.","description_kind":"plain","optional":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Consul credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"node_identities":{"type":["set","string"],"description":"Set of Consul node identities to attach to\n\t\t\t\tthe token. 
Applicable for Vault 1.11+ with Consul 1.8+","description_kind":"plain","optional":true},"partition":{"type":"string","description":"The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+","description_kind":"plain","optional":true,"computed":true},"policies":{"type":["list","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"service_identities":{"type":["set","string"],"description":"Set of Consul service identities to attach to\n\t\t\t\tthe token. Applicable for Vault 1.11+ with Consul 1.5+","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","deprecated":true,"optional":true},"ttl":{"type":"number","description":"Specifies the TTL for this role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_connection":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault mount to configure.","description_kind":"plain","required":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to 
Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"},"max_items":1},"couchbase":{"nesting_mode":"list","block":{"attributes":{"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. 
Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"},"max_items":1},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to be used in the connection 
URL","description_kind":"plain","required":true,"sensitive":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"},"max_items":1},"hana":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin 
plugin.","description_kind":"plain"},"max_items":1},"influxdb":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodb":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string 
to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mssql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the 
database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the 
database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection 
URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the 
database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"},"max_items":1},"oracle":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin 
plugin.","description_kind":"plain"},"max_items":1},"postgresql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using 
TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redshift":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"},"max_items":1},"snowflake":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be 
reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_database_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"creation_statements":{"type":["list","string"],"description":"Database statements to execute to create and configure a user.","description_kind":"plain","required":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Default TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name for the 
role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"renew_statements":{"type":["list","string"],"description":"Database statements to execute to renew a user.","description_kind":"plain","optional":true},"revocation_statements":{"type":["list","string"],"description":"Database statements to execute to revoke a user.","description_kind":"plain","optional":true},"rollback_statements":{"type":["list","string"],"description":"Database statements to execute to rollback a create operation in the event of an error.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the static role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"The amount of time Vault should wait before rotating the password, in seconds.","description_kind":"plain","required":true},"rotation_statements":{"type":["list","string"],"description":"Database statements to execute to rotate the password for the configured database user.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The database username that this role corresponds to.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_database_secrets_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"engine_count":{"type":"number","description":"Total number of database secret engines configured under the mount.","description_kind":"plain","computed":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to 
access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"}},"couchbase":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"}},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of 
roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"}},"hana":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"}},"influxdb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"}},"mongodb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"}},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"}},"mssql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when 
the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"}},"mysql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"}},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"}},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"}},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"}},"oracle":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"}},"postgresql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"}},"redis":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"}},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"}},"redshift":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"}},"snowflake":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_egp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"List of paths to which the policy will be applied","description_kind":"plain","required":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_auth_backend":{"version":0,"block":{"attributes":{"client_email":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"credentials":{"type":"string","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"private_key_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"project_id":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"block_types":{"custom_endpoint":{"nesting_mode":"list","block":{"attributes":{"api":{"type":"string","description":"Replaces the service endpoint used in API requests to https://www.googleapis.com.","description_kind":"plain","optional":true},"compute":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.","description_kind":"plain","optional":true},"crm":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.","description_kind":"plain","optional":true},"iam":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.","description_kind":"plain","optional":true}},"description":"Specifies overrides to service endpoints used when making API requests to 
GCP.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"add_group_aliases":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allow_gce_inference":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_jwt_exp":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_secret_backend":{"version":0,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in 
seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_impersonated_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"impersonated_account":{"type":"string","description":"Name of the Impersonated Account to create","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this impersonated account","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) ","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_roleset":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.","description_kind":"plain","required":true},"roleset":{"type":"string","description":"Name of the RoleSet to create","description_kind":"plain","required":true},"secret_type":{"type":"string","description":"Type of secret generated for this role set. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the service account created by Vault for this Roleset","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"},"min_items":1}},"description_kind":"plain"}},"vault_gcp_secret_static_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_type":{"type":"string","description":"Type of secret generated for this static account. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this static account","description_kind":"plain","computed":true},"static_account":{"type":"string","description":"Name of the Static Account to create","description_kind":"plain","required":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_generic_endpoint":{"version":1,"block":{"attributes":{"data_json":{"type":"string","description":"JSON-encoded data to write.","description_kind":"plain","required":true,"sensitive":true},"disable_delete":{"type":"bool","description":"Don't attempt to delete the path from Vault if true","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the path from Vault if true; drift won't be detected","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ignore_absent_fields":{"type":"bool","description":"When reading, disregard fields not present in data_json","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where to the endpoint that will be written","description_kind":"plain","required":true},"write_data":{"type":["map","string"],"description":"Map of strings returned by write operation","description_kind":"plain","computed":true},"write_data_json":{"type":"string","description":"JSON data returned by write operation","description_kind":"plain","computed":true},"write_fields":{"type":["list","string"],"description":"Top-level fields returned by write to persist in state","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the token from Vault if true; drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_auth_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Specifies the description of the mount. This overrides the current stored value, if any.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization users must be part of.","description_kind":"plain","required":true},"organization_id":{"type":"number","description":"The ID of the organization users must be part of. 
Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where the auth backend is mounted","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_github_team":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which team mapping will be congigured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this team.","description_kind":"plain","optional":true},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_user":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which user mapping will be congigured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this user.","description_kind":"plain","optional":true},"user":{"type":"string","description":"GitHub user name.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Whether the entity is disabled. 
Disabled entities' associated tokens cannot be used, but are not revoked.","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_entity_policies`.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the entity.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the entity to which this is an alias.","description_kind":"plain","required":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata to be associated with this alias.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs toMount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the entity alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_policies":{"version":0,"block":{"attributes":{"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","required":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","computed":true},"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_group":{"version":0,"block":{"attributes":{"external_member_entity_ids":{"type":"bool","description":"Manage member entities externally through `vault_identity_group_member_entity_ids`","description_kind":"plain","optional":true},"external_member_group_ids":{"type":"bool","description":"Manage member groups externally through `vault_identity_group_member_group_ids`","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the 
group.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to internal.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the group to which this is an alias.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the group alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_entity_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member entity ids\nexclusively. 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","deprecated":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_group_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member group ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_policies":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively? 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo","description_kind":"plain","required":true,"sensitive":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo","description_kind":"plain","required":true,"sensitive":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_passcode":{"type":"bool","description":"Require passcode upon MFA validation.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_login_enforcement":{"version":0,"block":{"attributes":{"auth_method_accessors":{"type":["set","string"],"description":"Set of auth method accessor IDs.","description_kind":"plain","optional":true},"auth_method_types":{"type":["set","string"],"description":"Set of auth method types.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_entity_ids":{"type":["set","string"],"description":"Set of identity entity IDs.","description_kind":"plain","optional":true},"identity_group_ids":{"type":["set","string"],"description":"Set of identity group IDs.","description_kind":"plain","optional":true},"mfa_method_ids":{"type":["set","string"],"description":"Set of MFA method UUIDs.","description_kind":"plain","required":true},"name":{"type":"string","description":"Login enforcement 
name.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API token.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"The base domain to use for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"Only match the primary email for the account.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"The admin URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"A unique identifier of the organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"The IDP URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"The name of the PingID client organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"Use signature value, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. 
This value can either be 6 or 8","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"max_validation_attempts":{"type":"number","description":"The maximum number of consecutive failed validation attempts allowed.","description_kind":"plain","optional":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"period":{"type":"number","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true,"computed":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_assignment":{"version":0,"block":{"attributes":{"entity_ids":{"type":["set","string"],"description":"A list of Vault entity IDs.","description_kind":"plain","optional":true},"group_ids":{"type":["set","string"],"description":"A list of Vault group IDs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the assignment.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_client":{"version":0,"block":{"attributes":{"access_token_ttl":{"type":"number","description":"The time-to-live for access tokens obtained by the client.","description_kind":"plain","optional":true,"computed":true},"assignments":{"type":["set","string"],"description":"A list of assignment resources associated with the client.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"client_type":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_ttl":{"type":"number","description":"The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key.","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A reference to a named key resource in Vault. This cannot be modified after creation.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"redirect_uris":{"type":["set","string"],"description":"Redirection URI values used by the client. 
One of these values must exactly match the redirect_uri parameter value used in each authentication request.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.","description_kind":"plain","optional":true},"allowed_client_ids":{"type":["set","string"],"description":"Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If \"*\", all roles are allowed.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often to generate a new signing key in number of seconds","description_kind":"plain","optional":true},"verification_ttl":{"type":"number","description":"Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key_allowed_client_id":{"version":0,"block":{"attributes":{"allowed_client_id":{"type":"string","description":"Role Client ID allowed to use the key for signing.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_provider":{"version":0,"block":{"attributes":{"allowed_client_ids":{"type":["set","string"],"description":"The client IDs that are permitted to use the provider. If empty, no clients are allowed. If \"*\", all clients are allowed.","description_kind":"plain","optional":true},"https_enabled":{"type":"bool","description":"Set to true if the issuer endpoint uses HTTPS.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields.","description_kind":"plain","computed":true},"issuer_host":{"type":"string","description":"The host for the issuer. Can be either host or host:port.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"scopes_supported":{"type":["set","string"],"description":"The scopes available for requesting on the provider.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_role":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A configured named key, the key must already exist.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in string-ified JSON or base64 format.","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"TTL of the tokens generated against the role in number of seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_scope":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"The scope's description.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the scope. The openid scope name is reserved.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string for the scope. 
This may be provided as escaped JSON or base64 encoded JSON.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the JWT auth backend","description_kind":"plain","computed":true},"bound_issuer":{"type":"string","description":"The value against which to match the iss claim in a JWT","description_kind":"plain","optional":true},"default_role":{"type":"string","description":"The default role to use if none is provided during login","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"jwks_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.","description_kind":"plain","optional":true},"jwks_url":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"jwt_supported_algs":{"type":["list","string"],"description":"A list of supported signing algorithms. Defaults to [RS256]","description_kind":"plain","optional":true},"jwt_validation_pubkeys":{"type":["list","string"],"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. 
","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_in_state":{"type":"bool","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.","description_kind":"plain","optional":true},"oidc_client_id":{"type":"string","description":"Client ID used for OIDC","description_kind":"plain","optional":true},"oidc_client_secret":{"type":"string","description":"Client Secret used for OIDC","description_kind":"plain","optional":true,"sensitive":true},"oidc_discovery_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used","description_kind":"plain","optional":true},"oidc_discovery_url":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"oidc_response_mode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.","description_kind":"plain","optional":true},"oidc_response_types":{"type":["list","string"],"description":"The response types to request. 
Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"provider_config":{"type":["map","string"],"description":"Provider specific handling configuration","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of backend. Can be either 'jwt' or 'oidc'","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_redirect_uris":{"type":["set","string"],"description":"The list of allowed values for redirect_uri during OIDC logins.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_audiences":{"type":["set","string"],"description":"List of aud claims to match against. Any match is sufficient.","description_kind":"plain","optional":true},"bound_claims":{"type":["map","string"],"description":"Map of claims/values to match against. 
The expected value may be a single string or a comma-separated string list.","description_kind":"plain","optional":true},"bound_claims_type":{"type":"string","description":"How to interpret values in the claims/values map: can be either \"string\" (exact match) or \"glob\" (wildcard match).","description_kind":"plain","optional":true,"computed":true},"bound_subject":{"type":"string","description":"If set, requires that the sub claim matches this value.","description_kind":"plain","optional":true},"claim_mappings":{"type":["map","string"],"description":"Map of claims (keys) to be copied to specified metadata fields (values).","description_kind":"plain","optional":true},"clock_skew_leeway":{"type":"number","description":"The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"disable_bound_claims_parsing":{"type":"bool","description":"Disable bound claim value parsing. Useful when values contain commas.","description_kind":"plain","optional":true},"expiration_leeway":{"type":"number","description":"The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"groups_claim":{"type":"string","description":"The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. 
The claim value must be a list of strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_age":{"type":"number","description":"Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_leeway":{"type":"number","description":"The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ","description_kind":"plain","optional":true},"oidc_scopes":{"type":["set","string"],"description":"List of OIDC scopes to be used with an OIDC role. The standard scope \"openid\" is automatically included and need not be specified.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_type":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\"","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The 
maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"user_claim":{"type":"string","description":"The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.","description_kind":"plain","required":true},"user_claim_json_pointer":{"type":"bool","description":"Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.","description_kind":"plain","optional":true},"verbose_oidc_logging":{"type":"bool","description":"Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_backend":{"version":0,"block":{"attributes":{"default_tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"default_tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"default_tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listen_addrs":{"type":["set","string"],"description":"Addresses the KMIP server should listen on (host:port)","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP secret backend will be mounted","description_kind":"plain","required":true},"server_hostnames":{"type":["set","string"],"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. 
The first will be used as the common name (CN)","description_kind":"plain","optional":true,"computed":true},"server_ips":{"type":["set","string"],"description":"IPs to include in the server's TLS certificate as SAN IP addresses","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_bits":{"type":"number","description":"CA key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_type":{"type":"string","description":"CA key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to accept","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kmip_secret_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"operation_activate":{"type":"bool","description":"Grant permission to use the KMIP Activate operation","description_kind":"plain","optional":true,"computed":true},"operation_add_attribute":{"type":"bool","description":"Grant permission to use the KMIP Add Attribute operation","description_kind":"plain","optional":true,"computed":true},"operation_all":{"type":"bool","description":"Grant all permissions to this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_create":{"type":"bool","description":"Grant permission to use the KMIP Create operation","description_kind":"plain","optional":true,"computed":true},"operation_destroy":{"type":"bool","description":"Grant permission to use the KMIP Destroy operation","description_kind":"plain","optional":true,"computed":true},"operation_discover_versions":{"type":"bool","description":"Grant permission to use the KMIP Discover Version operation","description_kind":"plain","optional":true,"computed":true},"operation_get":{"type":"bool","description":"Grant permission to use the KMIP Get operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attribute_list":{"type":"bool","description":"Grant permission to use the KMIP Get Attribute List operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attributes":{"type":"bool","description":"Grant permission to use the KMIP Get Attributes operation","description_kind":"plain","optional":true,"computed":true},"operation_locate":{"type":"bool","description":"Grant permission to use the KMIP Locate operation","description_kind":"plain","optional":true,"computed":true},"operation_none":{"type":"bool","description":"Remove all permissions from this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_register":{"type":"bool","description":"Grant permission to use the KMIP Register operation","description_kind":"plain","optional":true,"computed":true},"operation_rekey":{"type":"bool","description":"Grant permission to use the KMIP Rekey operation","description_kind":"plain","optional":true,"computed":true},"operation_revoke":{"type":"bool","description":"Grant permission to use the KMIP Revoke operation","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true},"tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true},"tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true},"tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_scope":{"version":0,"block":{"attributes":{"force":{"type":"bool","description":"Force deletion even if there are managed objects in the scope","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true},"token_reviewer_jwt":{"type":"string","description":"A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name","description_kind":"plain","optional":true,"computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","required":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to 
access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_local_ca_jwt":{"type":"bool","description":"Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. 
Defaults to the local pod’s CA if found, or otherwise the host's root CA set.","description_kind":"plain","optional":true},"kubernetes_host":{"type":"string","description":"The Kubernetes API URL to connect to.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"service_account_jwt":{"type":"string","description":"The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend_role":{"version":0,"block":{"attributes":{"allowed_kubernetes_namespaces":{"type":["list","string"],"description":"The list of Kubernetes namespaces this role can generate credentials for. 
If set to '*' all namespaces are allowed.","description_kind":"plain","required":true},"backend":{"type":"string","description":"The mount path for the Kubernetes secrets engine.","description_kind":"plain","required":true},"extra_annotations":{"type":["map","string"],"description":"Additional annotations to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"extra_labels":{"type":["map","string"],"description":"Additional labels to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"generated_role_rules":{"type":"string","description":"The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_role_name":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.","description_kind":"plain","optional":true},"kubernetes_role_type":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or ClusterRole.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"name_template":{"type":"string","description":"The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_name":{"type":"string","description":"The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested.","description_kind":"plain","optional":true},"token_default_ttl":{"type":"number","description":"The default TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_backend_v2":{"version":0,"block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true,"computed":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"cas":{"type":"number","description":"This flag is required if cas_required is set to true on either the secret or the engine's config. 
In order for a write to be successful, cas must be set to the current version of the secret.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"If set to true, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"If set to true, disables reading secret from Vault; note: drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with this secret read from Vault.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"An object that holds option settings.","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.","description_kind":"plain","computed":true}},"block_types":{"custom_metadata":{"nesting_mode":"list","block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of arbitrary string to string valued user-provided metadata meant to describe the secret.","description_kind":"plain","optional":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted.","description_kind":"plain","optional":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true}},"description":"Custom metadata to be set for the secret.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_ldap_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the LDAP auth 
backend","description_kind":"plain","computed":true},"binddn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"bindpass":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"certificate":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_cert":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_key":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"deny_null_bind":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description_kind":"plain","optional":true,"computed":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"groupattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"starttls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"upndomain":{"type":"string","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description_kind":"plain","required":true},"use_token_groups":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"username_as_alias":{"type":"bool","description":"Force the auth method to use the username passed by the user as the alias name.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_group":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groupname":{"type":"string","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_user":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"username":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_managed_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"aws":{"nesting_mode":"set","block":{"attributes":{"access_key":{"type":"string","description":"The AWS access key to use","description_kind":"plain","required":true},"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. 
Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"endpoint":{"type":"string","description":"Used to specify a custom AWS endpoint","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"kms_key":{"type":"string","description":"An identifier for the key","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"region":{"type":"string","description":"The AWS region where the keys are stored (or will be stored)","description_kind":"plain","optional":true,"computed":true},"secret_key":{"type":"string","description":"The AWS secret key to use","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for AWS Managed Keys","description_kind":"plain"}},"azure":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be 
forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs","description_kind":"plain","required":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","required":true},"environment":{"type":"string","description":"The Azure Cloud environment API endpoints to use","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_name":{"type":"string","description":"The Key Vault key to use for encryption and decryption","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"resource":{"type":"string","description":"The Azure Key Vault resource's DNS Suffix to connect to","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true},"vault_name":{"type":"string","description":"The Key Vault vault to use the encryption keys for encryption and decryption","description_kind":"plain","required":true}},"description":"Configuration block for Azure Managed 
Keys","description_kind":"plain"}},"pkcs":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"force_rw_session":{"type":"string","description":"Force all operations to open up a read-write session to the HSM","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The id of a PKCS#11 key to use","description_kind":"plain","required":true},"key_label":{"type":"string","description":"The label of the key to use","description_kind":"plain","required":true},"library":{"type":"string","description":"The name of the kms_library stanza to use from Vault's config to lookup the local library path","description_kind":"plain","required":true},"mechanism":{"type":"string","description":"The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"pin":{"type":"string","description":"The PIN for login","description_kind":"plain","required":true},"slot":{"type":"string","description":"The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')","description_kind":"plain","optional":true},"token_label":{"type":"string","description":"The slot token label to use","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for PKCS Managed Keys","description_kind":"plain"}}},"description_kind":"plain"}},"vault_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo.","description_kind":"plain","required":true,"sensitive":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. 
The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo.","description_kind":"plain","required":true,"sensitive":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API key.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"If set, will be used as the base domain for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"If set to true, the username will only match the primary email for the account.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"Admin URL computed by Vault.","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"Authenticator URL computed by Vault.","description_kind":"plain","computed":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"IDP URL computed by Vault.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID computed by Vault.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"Org Alias computed by Vault.","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings file retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of configuration computed by Vault.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"If set, enables use of PingID signature. Computed by Vault","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"period":{"type":"number","description":"The length of time used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_backend":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located","description_kind":"plain","computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_role":{"version":0,"block":{"attributes":{"cidr_blocks":{"type":["list","string"],"description":"Whitelist entry in CIDR notation to be added for the API key","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_addresses":{"type":["list","string"],"description":"IP address to be added to the whitelist for the API 
key","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role","description_kind":"plain","optional":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization_id":{"type":"string","description":"ID for the organization to which the target API Key belongs","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"ID for the project to which the target API Key belongs","description_kind":"plain","optional":true},"project_roles":{"type":["list","string"],"description":"Roles assigned when an org API key is assigned to a project API key","description_kind":"plain","optional":true},"roles":{"type":["list","string"],"description":"List of roles that the API Key needs to have","description_kind":"plain","required":true},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data 
object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the backend, such as 'aws'","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","required":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_backend":{"version":0,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided as \"protocol://host:port\" like \"http://127.0.0.1:4646\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client 
certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_token_name_length":{"type":"number","description":"Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","required":true},"global":{"type":"bool","description":"Specifies if the token should be global.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com (default)","description_kind":"plain","optional":true},"bypass_okta_mfa":{"type":"bool","description":"When true, requests by Okta for a MFA check will be bypassed. 
This also disallows certain status checks on the account, such as whether the password is expired.","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"group":{"type":["set",["object",{"group_name":"string","policies":["set","string"]}]],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Maximum duration after which authentication will be expired","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url https://XXX.okta.com.","description_kind":"plain","required":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership. 
If this is not supplied only locally configured groups will be enabled.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"string","description":"Duration after which authentication will be expired","description_kind":"plain","optional":true},"user":{"type":["set",["object",{"groups":["set","string"],"policies":["set","string"],"username":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend_group":{"version":0,"block":{"attributes":{"group_name":{"type":"string","description":"Name of the Okta group","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this group","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_okta_auth_backend_user":{"version":0,"block":{"attributes":{"groups":{"type":["set","string"],"description":"Groups within the Okta auth backend to associate with this user","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this user","description_kind":"plain","optional":true},"username":{"type":"string","description":"Name of the user within Okta","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_password_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the password policy.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The password policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_cert":{"version":0,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":"string","description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of the certificate to create.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from 
SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The serial 
number.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_bundle":{"type":"string","description":"The key and certificate PEM bundle.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_urls":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_crl_config":{"version":0,"block":{"attributes":{"auto_rebuild":{"type":"bool","description":"Enables or disables periodic rebuilding of the CRL upon expiry.","description_kind":"plain","optional":true},"auto_rebuild_grace_period":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"cross_cluster_revocation":{"type":"bool","description":"Enable cross-cluster revocation request queues.","description_kind":"plain","optional":true,"computed":true},"delta_rebuild_interval":{"type":"string","description":"Interval to check for new revocations on, to regenerate the delta CRL.","description_kind":"plain","optional":true,"computed":true},"disable":{"type":"bool","description":"Disables or enables CRL building","description_kind":"plain","optional":true},"enable_delta":{"type":"bool","description":"Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL.","description_kind":"plain","optional":true},"expiry":{"type":"string","description":"Specifies the time until expiration.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_disable":{"type":"bool","description":"Disables or enables the OCSP responder in Vault.","description_kind":"plain","optional":true},"ocsp_expiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations.","description_kind":"plain","optional":true,"computed":true},"unified_crl":{"type":"bool","description":"Enables unified CRL and OCSP building.","description_kind":"plain","optional":true,"computed":true},"unified_crl_on_existing_paths":{"type":"bool","description":"Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_cert_request":{"version":0,"block":{"attributes":{"add_basic_constraints":{"type":"bool","description":"Set 'CA: true' in a Basic Constraints extension. Only needed as\na workaround in some compatibility scenarios with Active Directory Certificate Services.","description_kind":"plain","optional":true},"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","computed":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of 
data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"street_address":{"type":"string","description":"The street 
address.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of intermediate to create. Must be either \"exported\" or \"internal\".","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_set_signed":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_role":{"version":0,"block":{"attributes":{"allow_any_name":{"type":"bool","description":"Flag to allow any name","description_kind":"plain","optional":true},"allow_bare_domains":{"type":"bool","description":"Flag to allow certificates matching the actual domain.","description_kind":"plain","optional":true},"allow_glob_domains":{"type":"bool","description":"Flag to allow names containing glob patterns.","description_kind":"plain","optional":true},"allow_ip_sans":{"type":"bool","description":"Flag to allow IP SANs","description_kind":"plain","optional":true},"allow_localhost":{"type":"bool","description":"Flag to allow certificates for localhost.","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description":"Flag to allow certificates matching subdomains.","description_kind":"plain","optional":true},"allowed_domains":{"type":["list","string"],"description":"The domains of the role.","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description":"Flag to 
indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true},"allowed_other_sans":{"type":["list","string"],"description":"Defines allowed custom SANs","description_kind":"plain","optional":true},"allowed_serial_numbers":{"type":["list","string"],"description":"Defines allowed Subject serial numbers.","description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["list","string"],"description":"Defines allowed URI SANs","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"basic_constraints_valid_for_non_ca":{"type":"bool","description":"Flag to mark basic constraints valid when issuing non-CA certificates.","description_kind":"plain","optional":true},"client_flag":{"type":"bool","description":"Flag to specify certificates for client use.","description_kind":"plain","optional":true},"code_signing_flag":{"type":"bool","description":"Flag to specify certificates for code signing use.","description_kind":"plain","optional":true},"country":{"type":["list","string"],"description":"The country of generated certificates.","description_kind":"plain","optional":true},"email_protection_flag":{"type":"bool","description":"Flag to specify certificates for email protection use.","description_kind":"plain","optional":true},"enforce_hostnames":{"type":"bool","description":"Flag to allow only valid host names","description_kind":"plain","optional":true},"ext_key_usage":{"type":["list","string"],"description":"Specify the allowed extended key usage constraint on issued certificates.","description_kind":"plain","optional":true},"generate_lease":{"type":"bool","description":"Flag to generate leases with 
certificates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"The number of bits of generated keys.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The generated key type.","description_kind":"plain","optional":true},"key_usage":{"type":["list","string"],"description":"Specify the allowed key usage constraint on issued certificates.","description_kind":"plain","optional":true,"computed":true},"locality":{"type":["list","string"],"description":"The locality of generated certificates.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum TTL.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"no_store":{"type":"bool","description":"Flag to not store certificates in the storage backend.","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","description_kind":"plain","optional":true,"computed":true},"organization":{"type":["list","string"],"description":"The organization of generated certificates.","description_kind":"plain","optional":true},"ou":{"type":["list","string"],"description":"The organization unit of generated certificates.","description_kind":"plain","optional":true},"policy_identifiers":{"type":["list","string"],"description":"Specify the list of allowed policies OIDs.","description_kind":"plain","optional":true},"postal_code":{"type":["list","string"],"description":"The postal code of generated 
certificates.","description_kind":"plain","optional":true},"province":{"type":["list","string"],"description":"The province of generated certificates.","description_kind":"plain","optional":true},"require_cn":{"type":"bool","description":"Flag to force CN usage.","description_kind":"plain","optional":true},"server_flag":{"type":"bool","description":"Flag to specify certificates for server use.","description_kind":"plain","optional":true},"street_address":{"type":["list","string"],"description":"The street address of generated certificates.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL.","description_kind":"plain","optional":true,"computed":true},"use_csr_common_name":{"type":"bool","description":"Flag to use the CN in the CSR.","description_kind":"plain","optional":true},"use_csr_sans":{"type":"bool","description":"Flag to use the SANs in the CSR.","description_kind":"plain","optional":true}},"block_types":{"policy_identifier":{"nesting_mode":"set","block":{"attributes":{"cps":{"type":"string","description":"Optional CPS URL","description_kind":"plain","optional":true},"notice":{"type":"string","description":"Optional notice","description_kind":"plain","optional":true},"oid":{"type":"string","description":"OID","description_kind":"plain","required":true}},"description":"Policy identifier block; can only be used with Vault 1.11+","description_kind":"plain"}}},"description_kind":"plain"}},"vault_pki_secret_backend_root_cert":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of root to 
create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of root to create. 
Must be either \"exported\" or \"internal\".","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_root_sign_intermediate":{"version":2,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The signed intermediate CA certificate.","description_kind":"plain","computed":true},"certificate_bundle":{"type":"string","description":"The concatenation of the intermediate and issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. 
The value will be empty for all other formats.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA certificate.","description_kind":"plain","computed":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"use_csr_values":{"type":"bool","description":"Preserve CSR values.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_sign":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within 
min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_quota_lease_count":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_leases":{"type":"number","description":"The maximum number of leases to be allowed by the quota rule. The max_leases must be positive.","description_kind":"plain","required":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_quota_rate_limit":{"version":0,"block":{"attributes":{"block_interval":{"type":"number","description":"If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval":{"type":"number","description":"The duration in seconds to enforce rate limiting for.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota.","description_kind":"plain","optional":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota rule. 
The rate must be positive.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend":{"version":0,"block":{"attributes":{"connection_uri":{"type":"string","description":"Specifies the RabbitMQ connection URI.","description_kind":"plain","required":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password","description_kind":"plain","required":true,"sensitive":true},"password_policy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. 
Defaults to generating an alphanumeric password if not set.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path of the RabbitMQ Secret Backend where the connection should be configured","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username","description_kind":"plain","required":true,"sensitive":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies whether to verify connection URI, username, and password.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Rabbitmq Secret Backend the role belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.","description_kind":"plain","optional":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"configure":{"type":"string","description":"The configure permissions for this vhost.","description_kind":"plain","required":true},"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}},"vhost_topic":{"nesting_mode":"list","block":{"attributes":{"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"topic":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}}},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot":{"version":0,"block":{"attributes":{"cleanup_dead_servers":{"type":"bool","description":"Specifies whether to remove dead server nodes periodically or when a new server joins. 
This requires that min-quorum is also set.","description_kind":"plain","optional":true},"dead_server_last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set.","description_kind":"plain","optional":true},"disable_upgrade_migration":{"type":"bool","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered unhealthy.","description_kind":"plain","optional":true},"max_trailing_logs":{"type":"number","description":"Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy.","description_kind":"plain","optional":true},"min_quorum":{"type":"number","description":"Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"server_stabilization_time":{"type":"string","description":"Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_raft_snapshot_agent_config":{"version":0,"block":{"attributes":{"aws_access_key_id":{"type":"string","description":"AWS access key ID.","description_kind":"plain","optional":true},"aws_s3_bucket":{"type":"string","description":"S3 bucket to write snapshots to.","description_kind":"plain","optional":true},"aws_s3_disable_tls":{"type":"bool","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes.","description_kind":"plain","optional":true},"aws_s3_enable_kms":{"type":"bool","description":"Use KMS to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_s3_endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio.","description_kind":"plain","optional":true},"aws_s3_force_path_style":{"type":"bool","description":"Use the endpoint/bucket URL style instead of bucket.endpoint.","description_kind":"plain","optional":true},"aws_s3_kms_key":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true","description_kind":"plain","optional":true},"aws_s3_region":{"type":"string","description":"AWS region bucket is in.","description_kind":"plain","optional":true},"aws_s3_server_side_encryption":{"type":"bool","description":"Use AES256 to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"AWS session token.","description_kind":"plain","optional":true},"azure_account_key":{"type":"string","description":"Azure account 
key.","description_kind":"plain","optional":true},"azure_account_name":{"type":"string","description":"Azure account name.","description_kind":"plain","optional":true},"azure_blob_environment":{"type":"string","description":"Azure blob environment.","description_kind":"plain","optional":true},"azure_container_name":{"type":"string","description":"Azure container name to write snapshots to.","description_kind":"plain","optional":true},"azure_endpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite.","description_kind":"plain","optional":true},"file_prefix":{"type":"string","description":"The file or object name of snapshot files will start with this string.","description_kind":"plain","optional":true},"google_disable_tls":{"type":"bool","description":"Disable TLS for the GCS endpoint.","description_kind":"plain","optional":true},"google_endpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.","description_kind":"plain","optional":true},"google_gcs_bucket":{"type":"string","description":"GCS bucket to write snapshots to.","description_kind":"plain","optional":true},"google_service_account_key":{"type":"string","description":"Google service account key in JSON format.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval_seconds":{"type":"number","description":"Number of seconds between snapshots.","description_kind":"plain","required":true},"local_max_space":{"type":"number","description":"The maximum space, in bytes, to use for snapshots.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the snapshot agent configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path_prefix":{"type":"string","description":"The directory or bucket prefix to to use.","description_kind":"plain","required":true},"retain":{"type":"number","description":"How many snapshots are to be kept.","description_kind":"plain","optional":true},"storage_type":{"type":"string","description":"What storage service to send snapshots to. One of \"local\", \"azure-blob\", \"aws-s3\", or \"google-gcs\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_rgp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the SSH Secret Backend where the CA should be configured","description_kind":"plain","optional":true},"generate_signing_key":{"type":"bool","description":"Whether Vault should generate the signing key pair internally.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"Private key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"public_key":{"type":"string","description":"Public key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_role":{"version":0,"block":{"attributes":{"algorithm_signer":{"type":"string","description_kind":"plain","optional":true,"computed":true},"allow_bare_domains":{"type":"bool","description_kind":"plain","optional":true},"allow_host_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description_kind":"plain","optional":true},"allow_user_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_user_key_ids":{"type":"bool","description_kind":"plain","optional":true},"allowed_critical_options":{"type":"string","description_kind":"plain","optional":true},"allowed_domains":{"type":"string","description_kind":"plain","optional":true},"allowed_extensions":{"type":"string","description_kind":"plain","optional":true},"allowed_user_key_lengths":{"type":["map","number"],"description_kind":"plain","deprecated":true,"optional":true},"allowed_users":{"type":"string","description_kind":"plain","optional":true},"allowed_users_template":{"type":"bool","description_kind":"plain","optional":true},"backend":{"type":"string","description_kind":"plain","required":true},"cidr_list":{"type":"string","description_kind":"plain","optional":true},"default_critical_options":{"type":["map","string"],"description_kind":"plain","optional":true},"default_extensions":{"type":["map","string"],"description_kind":"plain","optional":true},"default_user":{"type":"string","description_kind":"plain","optional":true},"default_u
ser_template":{"type":"bool","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id_format":{"type":"string","description_kind":"plain","optional":true},"key_type":{"type":"string","description_kind":"plain","required":true},"max_ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"block_types":{"allowed_user_key_config":{"nesting_mode":"set","block":{"attributes":{"lengths":{"type":["list","number"],"description":"List of allowed key lengths, vault-1.10 and above","description_kind":"plain","required":true},"type":{"type":"string","description":"Key type, choices:\nrsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521","description_kind":"plain","required":true}},"description":"Set of allowed public key types and their relevant configuration","description_kind":"plain"}}},"description_kind":"plain"}},"vault_terraform_cloud_secret_backend":{"version":0,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Terraform Cloud instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault Terraform Cloud mount to configure","description_kind":"plain","optional":true},"base_path":{"type":"string","description":"Specifies the base path for the Terraform Cloud or Enterprise API.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in 
seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Terraform Cloud access token to use.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_creds":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Terraform Cloud secret backend to generate tokens from","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_id":{"type":"string","description":"Associated Vault lease ID, if one exists","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","computed":true},"token":{"type":"string","description":"Terraform Token provided by the Vault backend","description_kind":"plain","computed":true,"sensitive":true},"token_id":{"type":"string","description":"ID of the Terraform Token provided","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Terraform Cloud Secret Backend the role belongs to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum allowed lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Terraform Cloud credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","optional":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Default lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"user_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token":{"version":0,"block":{"attributes":{"client_token":{"type":"string","description":"The client token.","description_kind":"plain","computed":true,"sensitive":true},"display_name":{"type":"string","description":"The display name of the token.","description_kind":"plain","optional":true},"explicit_max_ttl":{"type":"string","description":"The explicit max TTL of the token.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"The token lease duration.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The token lease started on.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the token.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_default_policy":{"type":"bool","description":"Flag to disable the default policy.","description_kind":"plain","optional":true},"no_parent":{"type":"bool","description":"Flag to create a token without parent.","description_kind":"plain","optional":true,"computed":true},"num_uses":{"type":"number","description":"The number of allowed uses of the token.","description_kind":"plain","optional":true,"computed":true},"period":{"type":"string","description":"The period of the token.","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"List of policies.","description_kind":"plain","optional":true},"renew_increment":{"type":"number","description":"The renew increment.","description_kind":"plain","optional":true},"renew_min_lease":{"type":"number","description":"The minimum lease to renew token.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Flag to allow the token to be renewed","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"The token role name.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL period of the token.","description_kind":"plain","optional":true},"wrapped_token":{"type":"string","description":"The client wrapped token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_accessor":{"type":"string","description":"The client wrapping accessor.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL period of the wrapped token.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_entity_aliases":{"type":["set","string"],"description":"Set of allowed entity aliases for this 
role.","description_kind":"plain","optional":true},"allowed_policies":{"type":["set","string"],"description":"List of allowed policies for given role.","description_kind":"plain","optional":true},"allowed_policies_glob":{"type":["set","string"],"description":"Set of allowed policies with glob match for given role.","description_kind":"plain","optional":true},"disallowed_policies":{"type":["set","string"],"description":"List of disallowed policies for given role.","description_kind":"plain","optional":true},"disallowed_policies_glob":{"type":["set","string"],"description":"Set of disallowed policies with glob match for given role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"orphan":{"type":"bool","description":"If true, tokens created against this policy will be orphan tokens.","description_kind":"plain","optional":true},"path_suffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Whether to disable the ability of the token to be renewed past its initial TTL.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated 
token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_alphabet":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the alphabet.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_transform_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"transformations":{"type":["list","string"],"description":"A comma separated string or slice of transformations to use.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_template":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.","description_kind":"plain","optional":true},"decode_formats":{"type":["map","string"],"description":"The map of regular expression templates used to customize decoded outputs.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"encode_format":{"type":"string","description":"The regular expression template used for encoding values.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the template.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_transformation":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"The set of roles allowed to perform this transformation.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"masking_character":{"type":"string","description":"The character used to replace data when in masking mode","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the transformation.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"template":{"type":"string","description":"The name of the template to use.","description_kind":"plain","optional":true},"templates":{"type":["list","string"],"description":"Templates configured for transformation.","description_kind":"plain","optional":true,"computed":true},"tweak_source":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of transformation to perform.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_backend_key":{"version":0,"block":{"attributes":{"allow_plaintext_backup":{"type":"bool","description":"If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"auto_rotate_interval":{"type":"number","description":"Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"auto_rotate_period":{"type":"number","description":"Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"convergent_encryption":{"type":"bool","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. 
This requires derived to be set to true.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"Specifies if the key is allowed to be deleted.","description_kind":"plain","optional":true},"derived":{"type":"bool","description":"Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.","description_kind":"plain","optional":true},"exportable":{"type":"bool","description":"Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"keys":{"type":["list",["map","string"]],"description":"List of key versions in the keyring.","description_kind":"plain","computed":true},"latest_version":{"type":"number","description":"Latest key version in use in the keyring","description_kind":"plain","computed":true},"min_available_version":{"type":"number","description":"Minimum key version available for use.","description_kind":"plain","computed":true},"min_decryption_version":{"type":"number","description":"Minimum key version to use for decryption.","description_kind":"plain","optional":true},"min_encryption_version":{"type":"number","description":"Minimum key version to use for encryption","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the encryption key to create.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"supports_decryption":{"type":"bool","description":"Whether or not the key supports decryption, based on key type.","description_kind":"plain","computed":true},"supports_derivation":{"type":"bool","description":"Whether or not the key supports derivation, based on key type.","description_kind":"plain","computed":true},"supports_encryption":{"type":"bool","description":"Whether or not the key supports encryption, based on key type.","description_kind":"plain","computed":true},"supports_signing":{"type":"bool","description":"Whether or not the key supports signing, based on key type.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_cache_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"size":{"type":"number","description":"Number of cache entries. 
A size of 0 mean unlimited.","description_kind":"plain","required":true}},"description_kind":"plain"}}},"data_source_schemas":{"vault_ad_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"AD Secret Backend to read credentials from.","description_kind":"plain","required":true},"current_password":{"type":"string","description":"Password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the service account.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role_id":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend.","description_kind":"plain","computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration in seconds","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint.","description_kind":"plain","computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration in seconds","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The auth backend mount point.","description_kind":"plain","required":true},"type":{"type":"string","description":"The name of the auth backend.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_aws_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region the read credentials belong to.","description_kind":"plain","optional":true},"role":{"type":"string","description":"AWS Secret Role to read credentials from.","description_kind":"plain","required":true},"role_arn":{"type":"string","description":"ARN to use if multiple are available in the role. 
Required if the role has multiple ARNs.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"security_token":{"type":"string","description":"AWS security token read from Vault. (Only returned if type is 'sts').","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"User specified Time-To-Live for the STS token. Uses the Role defined default_sts_ttl when not specified","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of credentials to read. Must be either 'creds' for Access Key and Secret Key, or 'sts' for STS.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Azure Secret Backend to read credentials from.","description_kind":"plain","required":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs.","description_kind":"plain","computed":true,"sensitive":true},"environment":{"type":"string","description":"The Azure environment to use during credential validation.\nDefaults to the environment configured in the Vault backend.\nSome possible values: AzurePublicCloud, AzureUSGovernmentCloud","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by 
vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"max_cred_validation_seconds":{"type":"number","description":"If 'validate_creds' is true, the number of seconds after which to give up validating credentials.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"num_seconds_between_tests":{"type":"number","description":"If 'validate_creds' is true, the number of seconds to wait between each test of generated credentials.","description_kind":"plain","optional":true},"num_sequential_successes":{"type":"number","description":"If 'validate_creds' is true, the number of sequential successes required to validate generated credentials.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Azure Secret Role to read credentials from.","description_kind":"plain","required":true},"subscription_id":{"type":"string","description":"The subscription ID to use during credential validation. Defaults to the subscription ID configured in the Vault backend","description_kind":"plain","optional":true},"tenant_id":{"type":"string","description":"The tenant ID to use during credential validation. 
Defaults to the tenant ID configured in the Vault backend","description_kind":"plain","optional":true},"validate_creds":{"type":"bool","description":"Whether generated credentials should be validated before being returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the GCP auth role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path from which a secret will be read.","description_kind":"plain","required":true},"version":{"type":"number","description_kind":"plain","optional":true},"with_lease_start_time":{"type":"bool","description":"If set to true, stores 'lease_start_time' in the TF state.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"aliases":{"type":["set",["object",{"canonical_id":"string","creation_time":"string","id":"string","last_update_time":"string","merged_from_canonical_ids":["set","string"],"metadata":["map","string"],"mount_accessor":"string","mount_path":"string","mount_type":"string","name":"string"}]],"description_kind":"plain","computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Entity data from Vault in JSON String form","description_kind":"plain","computed":true},"direct_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"disabled":{"type":"bool","description_kind":"plain","computed":true},"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","optional":true,"computed":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inherited_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"merged_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_group":{"version":0,"block":{"attributes":{"alias_canonical_id":{"type":"string","description_kind":"plain","computed":true},"alias_creation_time":{"type":"string","description_kind":"plain","computed":true},"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_last_update_time":{"type":"string","description_kind":"plain","computed":true},"alias_merged_from_canonical_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"alias_metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_mount_path":{"type":"string","description_kind":"plain","computed":true},"alias_mount_type":{"type":"string","description_kind":"plain","computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Group data from Vault in JSON String form","description_kind":"plain","computed":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","optional":true,"computed":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"member_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"member_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"modify_index":{"type":"number","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"parent_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_client_creds":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_openid_config":{"version":0,"block":{"attributes":{"authorization_endpoint":{"type":"string","description":"The Authorization Endpoint for the provider.","description_kind":"plain","computed":true},"grant_types_supported":{"type":["list","string"],"description":"The grant types supported by the provider.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_signing_alg_values_supported":{"type":["list","string"],"description":"The signing algorithms supported by the provider.","description_kind":"plain","computed":true},"issuer":{"type":"string","description":"The URL of the issuer for the provider.","description_kind":"plain","computed":true},"jwks_uri":{"type":"string","description":"The well known keys URI for the 
provider.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"request_uri_parameter_supported":{"type":"bool","description":"Specifies whether Request URI Parameter is supported by the provider.","description_kind":"plain","computed":true},"response_types_supported":{"type":["list","string"],"description":"The response types supported by the provider.","description_kind":"plain","computed":true},"scopes_supported":{"type":["list","string"],"description":"The scopes supported by the provider.","description_kind":"plain","computed":true},"subject_types_supported":{"type":["list","string"],"description":"The subject types supported by the provider.","description_kind":"plain","computed":true},"token_endpoint":{"type":"string","description":"The Token Endpoint for the provider.","description_kind":"plain","computed":true},"token_endpoint_auth_methods_supported":{"type":["list","string"],"description":"The token endpoint auth methods supported by the provider.","description_kind":"plain","computed":true},"userinfo_endpoint":{"type":"string","description":"The User Info Endpoint for the provider.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_public_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"keys":{"type":["list",["map","string"]],"description":"The public portion of keys for an OIDC provider. Clients can use them to validate the authenticity of an identity token.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Method used for generating identity aliases.","description_kind":"plain","computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to \"*\" all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","computed":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_service_account_token":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Kubernetes secret backend to generate service account tokens from.","description_kind":"plain","required":true},"cluster_role_binding":{"type":"bool","description":"If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a 
namespace.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_namespace":{"type":"string","description":"The name of the Kubernetes namespace in which to generate the credentials.","description_kind":"plain","required":true},"lease_duration":{"type":"number","description":"The duration of the lease in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"The lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The name of the service account associated with the token.","description_kind":"plain","computed":true},"service_account_namespace":{"type":"string","description":"The Kubernetes namespace that the service account resides in.","description_kind":"plain","computed":true},"service_account_token":{"type":"string","description":"The Kubernetes service account token.","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_subkeys_v2":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Subkeys stored as a map of strings.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"Subkeys for the KV-V2 secret read from Vault.","description_kind":"plain","computed":true},"depth":{"type":"number","description":"Specifies the deepest nesting level to provide in the output.If non-zero, keys that reside at the specified depth value will be artificially treated as leaves and will thus be 'null' even if further underlying sub-keys exist.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. 
For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Specifies the version to return. If not set the latest version is returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"created_time":{"type":"string","description":"Time at which the secret was created","description_kind":"plain","computed":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata for the secret","description_kind":"plain","computed":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"deletion_time":{"type":"string","description":"Deletion time for the secret","description_kind":"plain","computed":true},"destroyed":{"type":"bool","description":"Indicates whether the secret has been destroyed","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KVV2 secret is written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Version of the secret to retrieve","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secrets_list":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full KV-V1 path where secrets will be listed.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secrets_list_v2":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full named path of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","optional":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secrets are listed.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_nomad_access_token":{"version":0,"block":{"attributes":{"accessor_id":{"type":"string","description":"The public identifier for a specific token. It can be used to look up information about a token or to revoke a token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Nomad secret backend to generate tokens from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"Used to make requests to Nomad and should be kept private.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_policy_document":{"version":0,"block":{"attributes":{"hcl":{"type":"string","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"rule":{"nesting_mode":"list","block":{"attributes":{"capabilities":{"type":["list","string"],"description_kind":"plain","required":true},"description":{"type":"string","description_kind":"plain","optional":true},"max_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"min_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","required":true},"required_parameters":{"type":["list","string"],"description_kind":"plain","optional":true}},"block_types":{"allowed_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}},"denied_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}}},"description":"The policy rule","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot_state":{"version":0,"block":{"attributes":{"failure_tolerance":{"type":"number","description":"How many nodes could fail before the cluster becomes unhealthy","description_kind":"plain","computed":true},"healthy":{"type":"bool","description":"Health status","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"leader":{"type":"string","description":"Current leader of Vault","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"optimistic_failure_tolerance":{"type":"number","description":"The cluster-level optimistic failure tolerance.","description_kind":"plain","computed":true},"redundancy_zones":{"type":["map","string"],"description":"Additional output related to redundancy zones stored as a map of strings.","description_kind":"plain","computed":true},"redundancy_zones_json":{"type":"string","description":"Subkeys for the redundancy zones read from Vault.","description_kind":"plain","computed":true},"servers":{"type":["map","string"],"description":"Additional output related to servers stored as a map of strings.","description_kind":"plain","computed":true},"servers_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"upgrade_info":{"type":["map","string"],"description":"Additional output related to upgrade info stored as a map of strings.","description_kind":"plain","computed":true},"upgrade_info_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"voters":{"type":["list","string"],"description":"The voters in the Vault cluster.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_transform_decode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be decoded in a single batch. If this parameter is set, the top-level parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of decoding batch_input.","description_kind":"plain","optional":true,"computed":true},"decoded_value":{"type":"string","description":"The result of decoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to decode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_encode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be encoded in a single batch. If this parameter is set, the parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of encoding batch_input.","description_kind":"plain","optional":true,"computed":true},"encoded_value":{"type":"string","description":"The result of encoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. 
Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to encode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_decrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","required":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the decryption key to use.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Decrypted plain text","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_transit_encrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","computed":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the encryption key to use.","description_kind":"plain","required":true},"key_version":{"type":"number","description":"The version of the key to use for encryption","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Map of strings read from Vault.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}}}}}} +{"format_version":"1.0","provider_schemas":{"registry.terraform.io/hashicorp/vault":{"provider":{"version":0,"block":{"attributes":{"add_address_to_env":{"type":"string","description":"If true, adds the value of the `address` argument to the Terraform process environment.","description_kind":"plain","optional":true},"address":{"type":"string","description":"URL of the root of the target Vault server.","description_kind":"plain","required":true},"ca_cert_dir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate.","description_kind":"plain","optional":true},"ca_cert_file":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum TTL for secret leases requested by this provider.","description_kind":"plain","optional":true},"max_retries":{"type":"number","description":"Maximum number of retries when a 5xx error code is encountered.","description_kind":"plain","optional":true},"max_retries_ccc":{"type":"number","description":"Maximum number of retries for Client Controlled Consistency related operations","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The namespace to use. 
Available only for Vault Enterprise.","description_kind":"plain","optional":true},"set_namespace_from_token":{"type":"bool","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources.","description_kind":"plain","optional":true},"skip_child_token":{"type":"bool","description":"Set this to true to prevent the creation of ephemeral child token used by this provider.","description_kind":"plain","optional":true},"skip_get_vault_version":{"type":"bool","description":"Skip the dynamic fetching of the Vault server version.","description_kind":"plain","optional":true},"skip_tls_verify":{"type":"bool","description":"Set this to true only if the target Vault server is an insecure development instance.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"Name to use as the SNI host when connecting via TLS.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Token to use to authenticate to Vault.","description_kind":"plain","optional":true},"token_name":{"type":"string","description":"Token name to use for creating the Vault child token.","description_kind":"plain","optional":true},"vault_version_override":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server","description_kind":"plain","optional":true}},"block_types":{"auth_login":{"nesting_mode":"list","block":{"attributes":{"method":{"type":"string","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"parameters":{"type":["map","string"],"description_kind":"plain","optional":true,"sensitive":true},"path":{"type":"string","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login","description_kind":"plain"},"max_items":1},"auth_login_aws":{"nesting_mode":"list","block":{"attributes":{"aws_access_key_id":{"type":"string","description":"The AWS access key ID.","description_kind":"plain","optional":true},"aws_iam_endpoint":{"type":"string","description":"The IAM endpoint URL.","description_kind":"plain","optional":true},"aws_profile":{"type":"string","description":"The name of the AWS profile.","description_kind":"plain","optional":true},"aws_region":{"type":"string","description":"The AWS region.","description_kind":"plain","optional":true},"aws_role_arn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_role_session_name":{"type":"string","description":"Specifies the name to attach to the AWS role session. 
Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"The AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"The AWS session token.","description_kind":"plain","optional":true},"aws_shared_credentials_file":{"type":"string","description":"Path to the AWS shared credentials file.","description_kind":"plain","optional":true},"aws_sts_endpoint":{"type":"string","description":"The STS endpoint URL.","description_kind":"plain","optional":true},"aws_web_identity_token_file":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.","description_kind":"plain","optional":true},"header_value":{"type":"string","description":"The Vault header value to include in the STS signing request.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"The Vault role to use when logging into Vault.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the AWS method","description_kind":"plain"},"max_items":1},"auth_login_azure":{"nesting_mode":"list","block":{"attributes":{"client_id":{"type":"string","description":"The identity's client ID.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token. 
If not specified on will be created automatically","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"resource_group_name":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"scope":{"type":"string","description":"The scopes to include in the token request.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"vm_name":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","optional":true},"vmss_name":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. 
This information can be obtained through instance metadata.","description_kind":"plain","optional":true}},"description":"Login to vault using the azure method","description_kind":"plain"},"max_items":1},"auth_login_cert":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","required":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the certificate's role","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the cert method","description_kind":"plain"},"max_items":1},"auth_login_gcp":{"nesting_mode":"list","block":{"attributes":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"service_account":{"type":"string","description":"IAM service account.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the gcp method","description_kind":"plain"},"max_items":1},"auth_login_jwt":{"nesting_mode":"list","block":{"attributes":{"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the jwt method","description_kind":"plain"},"max_items":1},"auth_login_kerberos":{"nesting_mode":"list","block":{"attributes":{"disable_fast_negotiation":{"type":"bool","description":"Disable the Kerberos FAST negotiation.","description_kind":"plain","optional":true},"keytab_path":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.","description_kind":"plain","optional":true},"krb5conf_path":{"type":"string","description":"A valid Kerberos configuration file e.g. 
/etc/krb5.conf.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain","description_kind":"plain","optional":true},"remove_instance_name":{"type":"bool","description":"Strip the host from the username found in the keytab.","description_kind":"plain","optional":true},"service":{"type":"string","description":"The service principle name.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to login into Kerberos with.","description_kind":"plain","optional":true}},"description":"Login to vault using the kerberos method","description_kind":"plain"},"max_items":1},"auth_login_oci":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Authentication type to use when getting OCI credentials.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the OCI method","description_kind":"plain"},"max_items":1},"auth_login_oidc":{"nesting_mode":"list","block":{"attributes":{"callback_address":{"type":"string","description":"The callback address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"callback_listener_address":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the oidc method","description_kind":"plain"},"max_items":1},"auth_login_radius":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"The Radius password for username.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The Radius username.","description_kind":"plain","required":true}},"description":"Login to vault using the radius method","description_kind":"plain"},"max_items":1},"auth_login_token_file":{"nesting_mode":"list","block":{"attributes":{"filename":{"type":"string","description":"The name of a file containing a single line that is a valid Vault token","description_kind":"plain","required":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using ","description_kind":"plain"},"max_items":1},"auth_login_userpass":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"Login with password","description_kind":"plain","optional":true},"password_file":{"type":"string","description":"Login with password from a file","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. 
Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"Login with username","description_kind":"plain","required":true}},"description":"Login to vault using the userpass method","description_kind":"plain"},"max_items":1},"client_auth":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","optional":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","optional":true}},"description":"Client authentication credentials.","description_kind":"plain","deprecated":true},"max_items":1},"headers":{"nesting_mode":"list","block":{"attributes":{"name":{"type":"string","description":"The header name","description_kind":"plain","required":true},"value":{"type":"string","description":"The header value","description_kind":"plain","required":true}},"description":"The headers to send with each Vault request.","description_kind":"plain"}}},"description_kind":"plain"}},"resource_schemas":{"vault_ad_secret_backend":{"version":1,"block":{"attributes":{"anonymous_group_search":{"type":"bool","description":"Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for a backend, for example, the path given in \"$ vault auth enable -path=my-ad ad\".","description_kind":"plain","optional":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user 
DN.","description_kind":"plain","required":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description":"If true, case sensitivity will be used when comparing usernames and groups for matching policies.","description_kind":"plain","optional":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"deny_null_bind":{"type":"bool","description":"Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description":"Use anonymous bind to discover the bind DN of a user.","description_kind":"plain","optional":true},"formatter":{"type":"string","description":"Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate user group membership. 
Examples: \"cn\" or \"memberOf\", etc. Default: cn","description_kind":"plain","optional":true},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)","description_kind":"plain","optional":true},"groupfilter":{"type":"string","description":"Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"last_rotation_tolerance":{"type":"number","description":"The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.","description_kind":"plain","optional":true,"computed":true},"length":{"type":"number","description":"The desired length of passwords that Vault generates.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"In seconds, the maximum password time-to-live.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description":"Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true},"use_pre111_group_cn_behavior":{"type":"bool","description":"In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. 
It is enabled by default if the config is upgraded but disabled by default on new configurations.","description_kind":"plain","optional":true,"computed":true},"use_token_groups":{"type":"bool","description":"If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.","description_kind":"plain","optional":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_library":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time, in seconds, a check-out last with renewal before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set. 
These service accounts must already exist in Active Directory.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The amount of time, in seconds, a single check-out lasts before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this service account's password.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password_last_set":{"type":"string","description":"Last time Vault set this service account's password.","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The username/logon name for the service account with which this role will be associated.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_alicloud_auth_backend_role":{"version":0,"block":{"attributes":{"arn":{"type":"string","description":"The role's arn.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Auth backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of the role reflected in the arn.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor for the token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The 
token.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"How long the token is valid for.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The timestamp the lease started on, as determined by the machine running Terraform.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with the token.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies set on the token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"Whether the token is renewable or not.","description_kind":"plain","computed":true},"role_id":{"type":"string","description":"The RoleID to log in with.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to log in with.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bind_secret_id":{"type":"bool","description":"Whether or not to require secret_id to be present when logging in using this AppRole.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role. 
Autogenerated if not set.","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id_bound_cidrs":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the AppRole.","description_kind":"plain","optional":true},"secret_id_num_uses":{"type":"number","description":"Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses.","description_kind":"plain","optional":true},"secret_id_ttl":{"type":"number","description":"Number of seconds a SecretID remains valid for.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in 
seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role_secret_id":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The unique ID used to access this SecretID.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cidr_list":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the SecretID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to be managed. If not specified, Vault auto-generates one.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"with_wrapped_accessor":{"type":"bool","description":"Use the wrapped secret-id accessor as the id of this resource. 
If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping.","description_kind":"plain","optional":true},"wrapping_accessor":{"type":"string","description":"The wrapped SecretID accessor.","description_kind":"plain","computed":true},"wrapping_token":{"type":"string","description":"The wrapped SecretID token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL duration of the wrapped SecretID.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_audit":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"Human-friendly description of the audit device.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Configuration options to pass to the audit device itself.","description_kind":"plain","required":true},"path":{"type":"string","description":"Path in which to enable the audit device.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_audit_request_header":{"version":0,"block":{"attributes":{"hmac":{"type":"bool","description":"Whether this header's value should be HMAC'd in the audit logs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the request header to audit.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend. 
This defaults to the type.","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Name of the auth backend","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_auth_backend_cert":{"version":0,"block":{"attributes":{"aws_public_cert":{"type":"string","description":"Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cert_name":{"type":"string","description":"Name of the certificate to configure.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of document that can be verified using the certificate. 
Must be either \"pkcs7\" or \"identity\".","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_client":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS Access key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS EC2 API calls.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS IAM API calls.","description_kind":"plain","optional":true},"iam_server_id_header_value":{"type":"string","description":"The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS STS API calls.","description_kind":"plain","optional":true},"sts_region":{"type":"string","description":"Region to override the default region for making AWS STS API calls.","description_kind":"plain","optional":true},"use_sts_region_from_client":{"type":"bool","description":"If set, will override sts_region and use the region from the client request's header","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_config_identity":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_alias":{"type":"string","description":"Configures how to generate the identity alias when using the ec2 auth method.","description_kind":"plain","optional":true},"ec2_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"iam_alias":{"type":"string","description":"How to generate the identity alias when using the iam auth method.","description_kind":"plain","optional":true},"iam_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_identity_whitelist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the identiy whitelist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor returned from Vault for this token.","description_kind":"plain","computed":true},"auth_type":{"type":"string","description":"The auth method used to generate this token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"AWS Auth Backend to read the token from.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The token returned by Vault.","description_kind":"plain","computed":true,"sensitive":true},"iam_http_request_method":{"type":"string","description":"The HTTP method used in the signed request.","description_kind":"plain","optional":true},"iam_request_body":{"type":"string","description":"The Base64-encoded body of the signed request.","description_kind":"plain","optional":true},"iam_request_headers":{"type":"string","description":"The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request 
headers.","description_kind":"plain","optional":true},"iam_request_url":{"type":"string","description":"The Base64-encoded HTTP URL used in the signed request.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity":{"type":"string","description":"Base64-encoded EC2 instance identity document to authenticate with.","description_kind":"plain","optional":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"The metadata reported by the Vault server.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"nonce":{"type":"string","description":"The nonce to be used for subsequent login requests.","description_kind":"plain","optional":true,"computed":true},"pkcs7":{"type":"string","description":"PKCS7 signature of the identity document to authenticate with, with all newline characters removed.","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"The policies assigned to this token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"role":{"type":"string","description":"AWS Auth Role to read the token from.","description_kind":"plain","optional":true,"computed":true},"signature":{"type":"string","description":"Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate 
with.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"When true, allows migration of the underlying instance where the client resides. Use with caution.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"The auth type permitted for this role.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_account_ids":{"type":["set","string"],"description":"Only EC2 instances with this account ID in their identity document will be permitted to log in.","description_kind":"plain","optional":true},"bound_ami_ids":{"type":["set","string"],"description":"Only EC2 instances using this AMI ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_ec2_instance_ids":{"type":["set","string"],"description":"Only EC2 instances that match this instance ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_instance_profile_arns":{"type":["set","string"],"description":"Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_principal_arns":{"type":["set","string"],"description":"The IAM principal that must be authenticated using the iam auth method.","description_kind":"plain","optional":true},"bound_iam_role_arns":{"type":["set","string"],"description":"Only EC2 instances that match this IAM role ARN will be permitted to log in.","description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description":"Only EC2 instances in this region will be permitted to log in.","description_kind":"plain","optional":true},"bound_subnet_ids":{"type":["set","string"],"description":"Only EC2 
instances associated with this subnet ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_vpc_ids":{"type":["set","string"],"description":"Only EC2 instances associated with this VPC ID will be permitted to log in.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"When true, only allows a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inferred_aws_region":{"type":"string","description":"The region to search for the inferred entities in.","description_kind":"plain","optional":true},"inferred_entity_type":{"type":"string","description":"The type of inferencing Vault should do.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resolve_aws_unique_ids":{"type":"bool","description":"Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. 
When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_id":{"type":"string","description":"The Vault generated role ID.","description_kind":"plain","computed":true},"role_tag":{"type":"string","description":"The key of the tag on EC2 instance to use for role tags.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role_tag":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"Allows migration of the underlying instance where the client resides.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"AWS auth backend to read tags from.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"Only allow a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"instance_id":{"type":"string","description":"Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of tokens issued using this role.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be associated with the tag.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"tag_key":{"type":"string","description_kind":"plain","computed":true},"tag_value":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_roletag_blacklist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","required":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the roletag blacklist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_sts_role":{"version":0,"block":{"attributes":{"account_id":{"type":"string","description":"AWS account ID to be associated with STS role.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"sts_role":{"type":"string","description":"AWS ARN for STS role to be assumed when interacting with the account specified.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_secret_backend":{"version":1,"block":{"attributes":{"access_key":{"type":"string","description":"The AWS Access Key ID to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1.","description_kind":"plain","optional":true,"computed":true},"role_arn":{"type":"string","description":"Role ARN to assume for plugin identity token federation.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the AWS Secret Backend the role belongs to.","description_kind":"plain","required":true},"credential_type":{"type":"string","description":"Role credential type.","description_kind":"plain","required":true},"default_sts_ttl":{"type":"number","description":"The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"iam_groups":{"type":["set","string"],"description":"A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. 
For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_sts_ttl":{"type":"number","description":"The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permissions_boundary_arn":{"type":"string","description":"The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.","description_kind":"plain","optional":true},"policy_arns":{"type":["set","string"],"description":"ARN for an existing IAM policy the role should use.","description_kind":"plain","optional":true},"policy_document":{"type":"string","description":"IAM policy the role should use in JSON format.","description_kind":"plain","optional":true},"role_arns":{"type":["set","string"],"description":"ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'","description_kind":"plain","optional":true},"user_path":{"type":"string","description":"The path for the user name. Valid only when credential_type is iam_user. 
Default is /","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path where the AWS secrets backend is mounted.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing AWS IAM user to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_azure_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"resource":{"type":"string","description":"The configured URL for the application registered in Azure Active Directory.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_group_ids":{"type":["list","string"],"description":"The list of group ids that login is restricted to.","description_kind":"plain","optional":true},"bound_locations":{"type":["list","string"],"description":"The list of locations that login is restricted to.","description_kind":"plain","optional":true},"bound_resource_groups":{"type":["list","string"],"description":"The list of resource groups that login is restricted to.","description_kind":"plain","optional":true},"bound_scale_sets":{"type":["list","string"],"description":"The list of scale set names that the login is restricted to.","description_kind":"plain","optional":true},"bound_service_principal_ids":{"type":["list","string"],"description":"The list of Service Principal IDs that login is restricted to.","description_kind":"plain","optional":true},"bound_subscription_ids":{"type":["list","string"],"description":"The list of subscription IDs that login is restricted to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_secret_backend":{"version":1,"block":{"attributes":{"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. 
Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription id for the Azure Active Directory.","description_kind":"plain","required":true,"sensitive":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true},"use_microsoft_graph_api":{"type":"bool","description":"Use the Microsoft Graph API. 
Should be set to true on vault-1.10+","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_azure_secret_backend_role":{"version":0,"block":{"attributes":{"application_object_id":{"type":"string","description":"Application Object ID for an existing service principal that will be used instead of creating dynamic service principals.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permanently_delete":{"type":"bool","description":"Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role to create","description_kind":"plain","required":true},"sign_in_audience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application. 
Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount","description_kind":"plain","optional":true},"tags":{"type":["list","string"],"description":"Comma-separated strings of Azure tags to attach to an application.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true}},"block_types":{"azure_groups":{"nesting_mode":"set","block":{"attributes":{"group_name":{"type":"string","description_kind":"plain","required":true},"object_id":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"azure_roles":{"nesting_mode":"set","block":{"attributes":{"role_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"scope":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_cert_auth_backend_role":{"version":1,"block":{"attributes":{"allowed_common_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_dns_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_email_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_organization_units":{"type":["set","string"],"description_kind":"plain","deprecated":true,"optional":true,"computed":true},"allowed_organizational_units":{"type":["set","string"],"description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"certificate":{"type":"string",
"description_kind":"plain","required":true},"display_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_ca_certificates":{"type":"string","description":"Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data.","description_kind":"plain","optional":true},"ocsp_enabled":{"type":"bool","description":"If enabled, validate certificates' revocation status using OCSP.","description_kind":"plain","optional":true,"computed":true},"ocsp_fail_open":{"type":"bool","description":"If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked.","description_kind":"plain","optional":true,"computed":true},"ocsp_query_all_servers":{"type":"bool","description":"If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.","description_kind":"plain","optional":true,"computed":true},"ocsp_servers_override":{"type":["set","string"],"description":"A comma-separated list of OCSP server addresses. 
If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.","description_kind":"plain","optional":true},"required_extensions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_consul_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","required":true},"bootstrap":{"type":"bool","description":"Denotes a backend resource that is used to 
bootstrap the Consul ACL system. Only one resource may be used to bootstrap.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the Vault Consul mount to configure","description_kind":"plain","optional":true},"scheme":{"type":"string","description":"Specifies the URL scheme to use. 
Defaults to \"http\".","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_consul_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Consul Secret Backend the role belongs to.","description_kind":"plain","optional":true},"consul_namespace":{"type":"string","description":"The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+","description_kind":"plain","optional":true,"computed":true},"consul_policies":{"type":["set","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"consul_roles":{"type":["set","string"],"description":"Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.","description_kind":"plain","optional":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Consul credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"node_identities":{"type":["set","string"],"description":"Set of Consul node identities to attach to\n\t\t\t\tthe token. 
Applicable for Vault 1.11+ with Consul 1.8+","description_kind":"plain","optional":true},"partition":{"type":"string","description":"The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+","description_kind":"plain","optional":true,"computed":true},"policies":{"type":["list","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"service_identities":{"type":["set","string"],"description":"Set of Consul service identities to attach to\n\t\t\t\tthe token. Applicable for Vault 1.11+ with Consul 1.5+","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","deprecated":true,"optional":true},"ttl":{"type":"number","description":"Specifies the TTL for this role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_connection":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault mount to configure.","description_kind":"plain","required":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to 
Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"},"max_items":1},"couchbase":{"nesting_mode":"list","block":{"attributes":{"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. 
Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"},"max_items":1},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to be used in the connection 
URL","description_kind":"plain","required":true,"sensitive":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"},"max_items":1},"hana":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin 
plugin.","description_kind":"plain"},"max_items":1},"influxdb":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodb":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string 
to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mssql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the 
database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"},"max_items":1},"oracle":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation 
template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"},"max_items":1},"postgresql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The 
contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redshift":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"},"max_items":1},"snowflake":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be 
reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_database_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"creation_statements":{"type":["list","string"],"description":"Database statements to execute to create and configure a user.","description_kind":"plain","required":true},"credential_config":{"type":["map","string"],"description":"Specifies the configuration for the given credential_type.","description_kind":"plain","optional":true},"credential_type":{"type":"string","description":"Specifies the type of credential that will be generated for the role.","description_kind":"plain","optional":true,"computed":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Default TTL for leases associated with this role, in 
seconds.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"renew_statements":{"type":["list","string"],"description":"Database statements to execute to renew a user.","description_kind":"plain","optional":true},"revocation_statements":{"type":["list","string"],"description":"Database statements to execute to revoke a user.","description_kind":"plain","optional":true},"rollback_statements":{"type":["list","string"],"description":"Database statements to execute to rollback a create operation in the event of an error.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the static role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"The amount of time Vault should wait before rotating the password, in seconds.","description_kind":"plain","optional":true},"rotation_schedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.","description_kind":"plain","optional":true},"rotation_statements":{"type":["list","string"],"description":"Database statements to execute to rotate the password for the configured database user.","description_kind":"plain","optional":true},"rotation_window":{"type":"number","description":"The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The database username that this role corresponds to.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_database_secrets_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in 
seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"engine_count":{"type":"number","description":"Total number of database secret engines configured under the mount.","description_kind":"plain","computed":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"}},"couchbase":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"}},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of 
roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"}},"hana":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"}},"influxdb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"}},"mongodb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"}},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"}},"mssql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when 
the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"}},"mysql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"}},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"}},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"}},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"}},"oracle":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"}},"postgresql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"}},"redis":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"}},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"}},"redshift":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"}},"snowflake":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_egp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"List of paths to which the policy will be applied","description_kind":"plain","required":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"client_email":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"credentials":{"type":"string","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"private_key_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"project_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"block_types":{"custom_endpoint":{"nesting_mode":"list","block":{"attributes":{"api":{"type":"string","description":"Replaces the service endpoint used in API requests to https://www.googleapis.com.","description_kind":"plain","optional":true},"compute":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.","description_kind":"plain","optional":true},"crm":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.","description_kind":"plain","optional":true},"iam":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.","description_kind":"plain","optional":true}},"description":"Specifies overrides to service endpoints used when making API requests to 
GCP.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"add_group_aliases":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allow_gce_inference":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_jwt_exp":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_secret_backend":{"version":1,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in 
seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_impersonated_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"impersonated_account":{"type":"string","description":"Name of the Impersonated Account to create","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this impersonated account","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) ","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_roleset":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.","description_kind":"plain","required":true},"roleset":{"type":"string","description":"Name of the RoleSet to create","description_kind":"plain","required":true},"secret_type":{"type":"string","description":"Type of secret generated for this role set. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the service account created by Vault for this Roleset","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"},"min_items":1}},"description_kind":"plain"}},"vault_gcp_secret_static_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_type":{"type":"string","description":"Type of secret generated for this static account. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this static account","description_kind":"plain","computed":true},"static_account":{"type":"string","description":"Name of the Static Account to create","description_kind":"plain","required":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_generic_endpoint":{"version":1,"block":{"attributes":{"data_json":{"type":"string","description":"JSON-encoded data to write.","description_kind":"plain","required":true,"sensitive":true},"disable_delete":{"type":"bool","description":"Don't attempt to delete the path from Vault if true","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the path from Vault if true; drift won't be detected","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ignore_absent_fields":{"type":"bool","description":"When reading, disregard fields not present in data_json","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where to the endpoint that will be written","description_kind":"plain","required":true},"write_data":{"type":["map","string"],"description":"Map of strings returned by write operation","description_kind":"plain","computed":true},"write_data_json":{"type":"string","description":"JSON data returned by write operation","description_kind":"plain","computed":true},"write_fields":{"type":["list","string"],"description":"Top-level fields returned by write to persist in state","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the token from Vault if true; drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Specifies the description of the mount. This overrides the current stored value, if any.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization users must be part of.","description_kind":"plain","required":true},"organization_id":{"type":"number","description":"The ID of the organization users must be part of. 
Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where the auth backend is mounted","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_github_team":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which team mapping will be configured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this team.","description_kind":"plain","optional":true},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_user":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which user mapping will be congigured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this user.","description_kind":"plain","optional":true},"user":{"type":"string","description":"GitHub user name.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Whether the entity is disabled. 
Disabled entities' associated tokens cannot be used, but are not revoked.","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_entity_policies`.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the entity.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the entity to which this is an alias.","description_kind":"plain","required":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata to be associated with this alias.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs toMount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the entity alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_policies":{"version":0,"block":{"attributes":{"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","required":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","computed":true},"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"external_member_entity_ids":{"type":"bool","description":"Manage member entities externally through `vault_identity_group_member_entity_ids`","description_kind":"plain","optional":true},"external_member_group_ids":{"type":"bool","description":"Manage member groups externally through `vault_identity_group_member_group_ids`","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the 
group.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to internal.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the group to which this is an alias.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the group alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_entity_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member entity ids\nexclusively. 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","deprecated":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_group_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member group ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_policies":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively? 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo","description_kind":"plain","required":true,"sensitive":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo","description_kind":"plain","required":true,"sensitive":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_passcode":{"type":"bool","description":"Require passcode upon MFA validation.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_login_enforcement":{"version":0,"block":{"attributes":{"auth_method_accessors":{"type":["set","string"],"description":"Set of auth method accessor IDs.","description_kind":"plain","optional":true},"auth_method_types":{"type":["set","string"],"description":"Set of auth method types.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_entity_ids":{"type":["set","string"],"description":"Set of identity entity IDs.","description_kind":"plain","optional":true},"identity_group_ids":{"type":["set","string"],"description":"Set of identity group IDs.","description_kind":"plain","optional":true},"mfa_method_ids":{"type":["set","string"],"description":"Set of MFA method UUIDs.","description_kind":"plain","required":true},"name":{"type":"string","description":"Login enforcement 
name.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API token.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"The base domain to use for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"Only match the primary email for the account.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"The admin URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"A unique identifier of the organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"The IDP URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"The name of the PingID client organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"Use signature value, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. 
This value can either be 6 or 8","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"max_validation_attempts":{"type":"number","description":"The maximum number of consecutive failed validation attempts allowed.","description_kind":"plain","optional":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"period":{"type":"number","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true,"computed":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_assignment":{"version":0,"block":{"attributes":{"entity_ids":{"type":["set","string"],"description":"A list of Vault entity IDs.","description_kind":"plain","optional":true},"group_ids":{"type":["set","string"],"description":"A list of Vault group IDs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the assignment.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_client":{"version":0,"block":{"attributes":{"access_token_ttl":{"type":"number","description":"The time-to-live for access tokens obtained by the client.","description_kind":"plain","optional":true,"computed":true},"assignments":{"type":["set","string"],"description":"A list of assignment resources associated with the client.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"client_type":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_ttl":{"type":"number","description":"The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key.","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A reference to a named key resource in Vault. This cannot be modified after creation.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"redirect_uris":{"type":["set","string"],"description":"Redirection URI values used by the client. 
One of these values must exactly match the redirect_uri parameter value used in each authentication request.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.","description_kind":"plain","optional":true},"allowed_client_ids":{"type":["set","string"],"description":"Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If \"*\", all roles are allowed.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often to generate a new signing key in number of seconds","description_kind":"plain","optional":true},"verification_ttl":{"type":"number","description":"Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key_allowed_client_id":{"version":0,"block":{"attributes":{"allowed_client_id":{"type":"string","description":"Role Client ID allowed to use the key for signing.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_provider":{"version":0,"block":{"attributes":{"allowed_client_ids":{"type":["set","string"],"description":"The client IDs that are permitted to use the provider. If empty, no clients are allowed. If \"*\", all clients are allowed.","description_kind":"plain","optional":true},"https_enabled":{"type":"bool","description":"Set to true if the issuer endpoint uses HTTPS.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields.","description_kind":"plain","computed":true},"issuer_host":{"type":"string","description":"The host for the issuer. Can be either host or host:port.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"scopes_supported":{"type":["set","string"],"description":"The scopes available for requesting on the provider.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_role":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A configured named key, the key must already exist.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in string-ified JSON or base64 format.","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"TTL of the tokens generated against the role in number of seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_scope":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"The scope's description.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the scope. The openid scope name is reserved.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string for the scope. 
This may be provided as escaped JSON or base64 encoded JSON.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the JWT auth backend","description_kind":"plain","computed":true},"bound_issuer":{"type":"string","description":"The value against which to match the iss claim in a JWT","description_kind":"plain","optional":true},"default_role":{"type":"string","description":"The default role to use if none is provided during login","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"jwks_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.","description_kind":"plain","optional":true},"jwks_url":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"jwt_supported_algs":{"type":["list","string"],"description":"A list of supported signing algorithms. Defaults to [RS256]","description_kind":"plain","optional":true},"jwt_validation_pubkeys":{"type":["list","string"],"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. 
","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_in_state":{"type":"bool","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.","description_kind":"plain","optional":true},"oidc_client_id":{"type":"string","description":"Client ID used for OIDC","description_kind":"plain","optional":true},"oidc_client_secret":{"type":"string","description":"Client Secret used for OIDC","description_kind":"plain","optional":true,"sensitive":true},"oidc_discovery_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used","description_kind":"plain","optional":true},"oidc_discovery_url":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"oidc_response_mode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.","description_kind":"plain","optional":true},"oidc_response_types":{"type":["list","string"],"description":"The response types to request. 
Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"provider_config":{"type":["map","string"],"description":"Provider specific handling configuration","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of backend. Can be either 'jwt' or 'oidc'","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_redirect_uris":{"type":["set","string"],"description":"The list of allowed values for redirect_uri during OIDC logins.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_audiences":{"type":["set","string"],"description":"List of aud claims to match against. Any match is sufficient.","description_kind":"plain","optional":true},"bound_claims":{"type":["map","string"],"description":"Map of claims/values to match against. 
The expected value may be a single string or a comma-separated string list.","description_kind":"plain","optional":true},"bound_claims_type":{"type":"string","description":"How to interpret values in the claims/values map: can be either \"string\" (exact match) or \"glob\" (wildcard match).","description_kind":"plain","optional":true,"computed":true},"bound_subject":{"type":"string","description":"If set, requires that the sub claim matches this value.","description_kind":"plain","optional":true},"claim_mappings":{"type":["map","string"],"description":"Map of claims (keys) to be copied to specified metadata fields (values).","description_kind":"plain","optional":true},"clock_skew_leeway":{"type":"number","description":"The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"disable_bound_claims_parsing":{"type":"bool","description":"Disable bound claim value parsing. Useful when values contain commas.","description_kind":"plain","optional":true},"expiration_leeway":{"type":"number","description":"The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"groups_claim":{"type":"string","description":"The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. 
The claim value must be a list of strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_age":{"type":"number","description":"Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_leeway":{"type":"number","description":"The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ","description_kind":"plain","optional":true},"oidc_scopes":{"type":["set","string"],"description":"List of OIDC scopes to be used with an OIDC role. The standard scope \"openid\" is automatically included and need not be specified.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_type":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\"","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The 
maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"user_claim":{"type":"string","description":"The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.","description_kind":"plain","required":true},"user_claim_json_pointer":{"type":"bool","description":"Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.","description_kind":"plain","optional":true},"verbose_oidc_logging":{"type":"bool","description":"Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_backend":{"version":1,"block":{"attributes":{"default_tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"default_tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"default_tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listen_addrs":{"type":["set","string"],"description":"Addresses the KMIP server should listen on (host:port)","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP secret backend will be mounted","description_kind":"plain","required":true},"server_hostnames":{"type":["set","string"],"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. 
The first will be used as the common name (CN)","description_kind":"plain","optional":true,"computed":true},"server_ips":{"type":["set","string"],"description":"IPs to include in the server's TLS certificate as SAN IP addresses","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_bits":{"type":"number","description":"CA key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_type":{"type":"string","description":"CA key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to accept","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kmip_secret_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"operation_activate":{"type":"bool","description":"Grant permission to use the KMIP Activate operation","description_kind":"plain","optional":true,"computed":true},"operation_add_attribute":{"type":"bool","description":"Grant permission to use the KMIP Add Attribute operation","description_kind":"plain","optional":true,"computed":true},"operation_all":{"type":"bool","description":"Grant all permissions to this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_create":{"type":"bool","description":"Grant permission to use the KMIP Create operation","description_kind":"plain","optional":true,"computed":true},"operation_destroy":{"type":"bool","description":"Grant permission to use the KMIP Destroy operation","description_kind":"plain","optional":true,"computed":true},"operation_discover_versions":{"type":"bool","description":"Grant permission to use the KMIP Discover Version operation","description_kind":"plain","optional":true,"computed":true},"operation_get":{"type":"bool","description":"Grant permission to use the KMIP Get operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attribute_list":{"type":"bool","description":"Grant permission to use the KMIP Get Attribute List operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attributes":{"type":"bool","description":"Grant permission to use the KMIP Get Attributes operation","description_kind":"plain","optional":true,"computed":true},"operation_locate":{"type":"bool","description":"Grant permission to use the KMIP Locate operation","description_kind":"plain","optional":true,"computed":true},"operation_none":{"type":"bool","description":"Remove all permissions from this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_register":{"type":"bool","description":"Grant permission to use the KMIP Register operation","description_kind":"plain","optional":true,"computed":true},"operation_rekey":{"type":"bool","description":"Grant permission to use the KMIP Rekey operation","description_kind":"plain","optional":true,"computed":true},"operation_revoke":{"type":"bool","description":"Grant permission to use the KMIP Revoke operation","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true},"tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true},"tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true},"tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_scope":{"version":0,"block":{"attributes":{"force":{"type":"bool","description":"Force deletion even if there are managed objects in the scope","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true},"token_reviewer_jwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name","description_kind":"plain","optional":true,"computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","required":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to 
access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_local_ca_jwt":{"type":"bool","description":"Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. 
Defaults to the local pod’s CA if found, or otherwise the host's root CA set.","description_kind":"plain","optional":true},"kubernetes_host":{"type":"string","description":"The Kubernetes API URL to connect to.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"service_account_jwt":{"type":"string","description":"The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend_role":{"version":0,"block":{"attributes":{"allowed_kubernetes_namespaces":{"type":["list","string"],"description":"The list of Kubernetes namespaces this role can generate credentials for. 
If set to '*' all namespaces are allowed.","description_kind":"plain","required":true},"backend":{"type":"string","description":"The mount path for the Kubernetes secrets engine.","description_kind":"plain","required":true},"extra_annotations":{"type":["map","string"],"description":"Additional annotations to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"extra_labels":{"type":["map","string"],"description":"Additional labels to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"generated_role_rules":{"type":"string","description":"The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_role_name":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.","description_kind":"plain","optional":true},"kubernetes_role_type":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or ClusterRole.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"name_template":{"type":"string","description":"The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_name":{"type":"string","description":"The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested.","description_kind":"plain","optional":true},"token_default_ttl":{"type":"number","description":"The default TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_backend_v2":{"version":0,"block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true,"computed":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"cas":{"type":"number","description":"This flag is required if cas_required is set to true on either the secret or the engine's config. 
In order for a write to be successful, cas must be set to the current version of the secret.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"If set to true, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"If set to true, disables reading secret from Vault; note: drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with this secret read from Vault.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"An object that holds option settings.","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.","description_kind":"plain","computed":true}},"block_types":{"custom_metadata":{"nesting_mode":"list","block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of arbitrary string to string valued user-provided metadata meant to describe the secret.","description_kind":"plain","optional":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted.","description_kind":"plain","optional":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true}},"description":"Custom metadata to be set for the secret.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_ldap_auth_backend":{"version":2,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the LDAP auth 
backend","description_kind":"plain","computed":true},"binddn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"bindpass":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"certificate":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_cert":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_key":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"deny_null_bind":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description_kind":"plain","optional":true,"computed":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"groupattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"max_page_size":{"type":"number","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"starttls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"upndomain":{"type":"string","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description_kind":"plain","required":true},"use_token_groups":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"username_as_alias":{"type":"bool","description":"Force the auth method to use the username passed by the user as the alias name.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_group":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groupname":{"type":"string","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_user":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"username":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_ldap_secret_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user DN.","description_kind":"plain","required":true,"sensitive":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM 
encoded.","description_kind":"plain","optional":true,"sensitive":true},"connection_timeout":{"type":"number","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"length":{"type":"number","description":"The desired length of passwords that Vault generates.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true,"computed":true},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf.","description_kind":"plain","optional":true,"computed":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). 
Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_dynamic_role":{"version":0,"block":{"attributes":{"creation_ldif":{"type":"string","description":"A templatized LDIF string used to create a user account. May contain multiple entries.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Specifies the TTL for the leases associated with this role.","description_kind":"plain","optional":true},"deletion_ldif":{"type":"string","description":"A templatized LDIF string used to delete the user account once its TTL has expired. This may contain multiple LDIF entries.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Specifies the maximum TTL for the leases associated with this role.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rollback_ldif":{"type":"string","description":"A templatized LDIF string used to attempt to rollback any changes in the event that execution of the creation_ldif results in an error. 
This may contain multiple LDIF entries.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"A template used to generate a dynamic username. This will be used to fill in the .Username field within the creation_ldif string.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_library_set":{"version":0,"block":{"attributes":{"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time a check-out last with renewal before Vault automatically checks it back in. Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The maximum amount of time a single check-out lasts before Vault automatically checks it back in. 
Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_static_role":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_managed_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"aws":{"nesting_mode":"set","block":{"attributes":{"access_key":{"type":"string","description":"The AWS access key to use","description_kind":"plain","required":true},"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"endpoint":{"type":"string","description":"Used to specify a custom AWS endpoint","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. 
This field is required when 'key_type' is 'RSA'","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"kms_key":{"type":"string","description":"An identifier for the key","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"region":{"type":"string","description":"The AWS region where the keys are stored (or will be stored)","description_kind":"plain","optional":true,"computed":true},"secret_key":{"type":"string","description":"The AWS secret key to use","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for AWS Managed Keys","description_kind":"plain"}},"azure":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description":"The client id for 
credentials to query the Azure APIs","description_kind":"plain","required":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","required":true},"environment":{"type":"string","description":"The Azure Cloud environment API endpoints to use","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_name":{"type":"string","description":"The Key Vault key to use for encryption and decryption","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"resource":{"type":"string","description":"The Azure Key Vault resource's DNS Suffix to connect to","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true},"vault_name":{"type":"string","description":"The Key Vault vault to use the encryption keys for encryption and decryption","description_kind":"plain","required":true}},"description":"Configuration block for Azure Managed Keys","description_kind":"plain"}},"pkcs":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the 
backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"force_rw_session":{"type":"string","description":"Force all operations to open up a read-write session to the HSM","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The id of a PKCS#11 key to use","description_kind":"plain","required":true},"key_label":{"type":"string","description":"The label of the key to use","description_kind":"plain","required":true},"library":{"type":"string","description":"The name of the kms_library stanza to use from Vault's config to lookup the local library path","description_kind":"plain","required":true},"mechanism":{"type":"string","description":"The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"pin":{"type":"string","description":"The PIN for login","description_kind":"plain","required":true},"slot":{"type":"string","description":"The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')","description_kind":"plain","optional":true},"token_label":{"type":"string","description":"The slot token label to use","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for PKCS Managed Keys","description_kind":"plain"}}},"description_kind":"plain"}},"vault_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo.","description_kind":"plain","required":true,"sensitive":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. 
The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo.","description_kind":"plain","required":true,"sensitive":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API key.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"If set, will be used as the base domain for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"If set to true, the username will only match the primary email for the account.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"Admin URL computed by Vault.","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"Authenticator URL computed by Vault.","description_kind":"plain","computed":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"IDP URL computed by Vault.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID computed by Vault.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"Org Alias computed by Vault.","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings file retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of configuration computed by Vault.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"If set, enables use of PingID signature. Computed by Vault","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"period":{"type":"number","description":"The length of time used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_backend":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located","description_kind":"plain","computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_role":{"version":0,"block":{"attributes":{"cidr_blocks":{"type":["list","string"],"description":"Whitelist entry in CIDR notation to be added for the API key","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_addresses":{"type":["list","string"],"description":"IP address to be added to the whitelist for the API 
key","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role","description_kind":"plain","optional":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization_id":{"type":"string","description":"ID for the organization to which the target API Key belongs","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"ID for the project to which the target API Key belongs","description_kind":"plain","optional":true},"project_roles":{"type":["list","string"],"description":"Roles assigned when an org API key is assigned to a project API key","description_kind":"plain","optional":true},"roles":{"type":["list","string"],"description":"List of roles that the API Key needs to have","description_kind":"plain","required":true},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data 
object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the backend, such as 'aws'","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"custom_metadata":{"type":["map","string"],"description":"Custom metadata describing this namespace. Value type is map[string]string.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","required":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided as \"protocol://host:port\" like \"http://127.0.0.1:4646\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path 
updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_token_name_length":{"type":"number","description":"Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","required":true},"global":{"type":"bool","description":"Specifies if the token should be global.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com (default)","description_kind":"plain","optional":true},"bypass_okta_mfa":{"type":"bool","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"group":{"type":["set",["object",{"group_name":"string","policies":["set","string"]}]],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Maximum duration after which authentication will be expired","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url https://XXX.okta.com.","description_kind":"plain","required":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"string","description":"Duration after which authentication will be expired","description_kind":"plain","optional":true},"user":{"type":["set",["object",{"groups":["set","string"],"policies":["set","string"],"username":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend_group":{"version":0,"block":{"attributes":{"group_name":{"type":"string","description":"Name of the Okta group","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this group","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_okta_auth_backend_user":{"version":0,"block":{"attributes":{"groups":{"type":["set","string"],"description":"Groups within the Okta auth backend to associate with this user","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this user","description_kind":"plain","optional":true},"username":{"type":"string","description":"Name of the user within Okta","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_password_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the password policy.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The password policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_cert":{"version":0,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":"string","description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of the certificate to create.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from 
SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The serial number.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"user_ids":{"type":["list","string"],"description":"List of Subject User IDs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"pem_bundle":{"type":"string","description":"The key and certificate PEM bundle.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"default":{"type":"string","description":"Specifies the default issuer by ID.","description_kind":"plain","optional":true},"default_follows_latest_issuer":{"type":"bool","description":"Specifies whether a root creation or an issuer import operation updates the default issuer to the newly added issuer.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_urls":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_crl_config":{"version":0,"block":{"attributes":{"auto_rebuild":{"type":"bool","description":"Enables or disables periodic rebuilding of the CRL upon expiry.","description_kind":"plain","optional":true},"auto_rebuild_grace_period":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"cross_cluster_revocation":{"type":"bool","description":"Enable cross-cluster revocation request queues.","description_kind":"plain","optional":true,"computed":true},"delta_rebuild_interval":{"type":"string","description":"Interval to check for new revocations on, to regenerate the delta CRL.","description_kind":"plain","optional":true,"computed":true},"disable":{"type":"bool","description":"Disables or enables CRL building","description_kind":"plain","optional":true},"enable_delta":{"type":"bool","description":"Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL.","description_kind":"plain","optional":true},"expiry":{"type":"string","description":"Specifies the time until expiration.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_disable":{"type":"bool","description":"Disables or enables the OCSP responder in Vault.","description_kind":"plain","optional":true},"ocsp_expiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations.","description_kind":"plain","optional":true,"computed":true},"unified_crl":{"type":"bool","description":"Enables unified CRL and OCSP building.","description_kind":"plain","optional":true,"computed":true},"unified_crl_on_existing_paths":{"type":"bool","description":"Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_cert_request":{"version":0,"block":{"attributes":{"add_basic_constraints":{"type":"bool","description":"Set 'CA: true' in a Basic Constraints extension. Only needed as\na workaround in some compatibility scenarios with Active Directory Certificate Services.","description_kind":"plain","optional":true},"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","computed":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of 
data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of intermediate to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_set_signed":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"imported_issuers":{"type":["list","string"],"description":"The imported issuers.","description_kind":"plain","computed":true},"imported_keys":{"type":["list","string"],"description":"The imported keys.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"enable_aia_url_templating":{"type":"bool","description":"Specifies that the AIA URL values should be templated.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Reference to an existing 
issuer.","description_kind":"plain","required":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's 'NotAfter' field during issuance.","description_kind":"plain","optional":true,"computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true},"revocation_signature_algorithm":{"type":"string","description":"Which signature algorithm to use when building CRLs.","description_kind":"plain","optional":true,"computed":true},"usage":{"type":"string","description":"Comma-separated list of allowed usages for this issuer.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"Specifies the number of bits to use for the generated keys.","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for 
this.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"Specifies the desired key type; must be 'rsa', 'ed25519' or 'ec'.","description_kind":"plain","optional":true,"computed":true},"managed_key_id":{"type":"string","description":"The managed key's UUID.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The managed key's configured name.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"Specifies the type of the key to create.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_role":{"version":0,"block":{"attributes":{"allow_any_name":{"type":"bool","description":"Flag to allow any name","description_kind":"plain","optional":true},"allow_bare_domains":{"type":"bool","description":"Flag to allow certificates matching the actual domain.","description_kind":"plain","optional":true},"allow_glob_domains":{"type":"bool","description":"Flag to allow names containing glob patterns.","description_kind":"plain","optional":true},"allow_ip_sans":{"type":"bool","description":"Flag to allow IP SANs","description_kind":"plain","optional":true},"allow_localhost":{"type":"bool","description":"Flag to allow certificates for localhost.","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description":"Flag to allow certificates matching subdomains.","description_kind":"plain","optional":true},"allow_wildcard_certificates":{"type":"bool","description":"Flag to allow wildcard certificates","description_kind":"plain","optional":true},"allowed_domains":{"type":["list","string"],"description":"The domains of the role.","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description":"Flag to indicate that `allowed_domains` specifies a 
template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true},"allowed_other_sans":{"type":["list","string"],"description":"Defines allowed custom SANs","description_kind":"plain","optional":true},"allowed_serial_numbers":{"type":["list","string"],"description":"Defines allowed Subject serial numbers.","description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["list","string"],"description":"Defines allowed URI SANs","description_kind":"plain","optional":true},"allowed_uri_sans_template":{"type":"bool","description":"Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true,"computed":true},"allowed_user_ids":{"type":["list","string"],"description":"The allowed User ID's.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"basic_constraints_valid_for_non_ca":{"type":"bool","description":"Flag to mark basic constraints valid when issuing non-CA certificates.","description_kind":"plain","optional":true},"client_flag":{"type":"bool","description":"Flag to specify certificates for client use.","description_kind":"plain","optional":true},"code_signing_flag":{"type":"bool","description":"Flag to specify certificates for code signing use.","description_kind":"plain","optional":true},"country":{"type":["list","string"],"description":"The country of generated certificates.","description_kind":"plain","optional":true},"email_protection_flag":{"type":"bool","description":"Flag to specify certificates for email protection use.","description_kind":"plain","optional":true},"enforce_hostnames":{"type":"bool","description":"Flag to allow only valid host 
names","description_kind":"plain","optional":true},"ext_key_usage":{"type":["list","string"],"description":"Specify the allowed extended key usage constraint on issued certificates.","description_kind":"plain","optional":true},"ext_key_usage_oids":{"type":["list","string"],"description":"A list of extended key usage OIDs.","description_kind":"plain","optional":true},"generate_lease":{"type":"bool","description":"Flag to generate leases with certificates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"The number of bits of generated keys.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The generated key type.","description_kind":"plain","optional":true},"key_usage":{"type":["list","string"],"description":"Specify the allowed key usage constraint on issued certificates.","description_kind":"plain","optional":true,"computed":true},"locality":{"type":["list","string"],"description":"The locality of generated certificates.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum TTL.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_store":{"type":"bool","description":"Flag to not store certificates in the storage backend.","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","description_kind":"plain","optional":true,"computed":true},"organization":{"type":["list","string"],"description":"The organization of generated certificates.","description_kind":"plain","optional":true},"ou":{"type":["list","string"],"description":"The organization unit of generated certificates.","description_kind":"plain","optional":true},"policy_identifiers":{"type":["list","string"],"description":"Specify the list of allowed policies OIDs.","description_kind":"plain","optional":true},"postal_code":{"type":["list","string"],"description":"The postal code of generated certificates.","description_kind":"plain","optional":true},"province":{"type":["list","string"],"description":"The province of generated certificates.","description_kind":"plain","optional":true},"require_cn":{"type":"bool","description":"Flag to force CN usage.","description_kind":"plain","optional":true},"server_flag":{"type":"bool","description":"Flag to specify certificates for server use.","description_kind":"plain","optional":true},"street_address":{"type":["list","string"],"description":"The street address of generated certificates.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL.","description_kind":"plain","optional":true,"computed":true},"use_csr_common_name":{"type":"bool","description":"Flag to use the CN in the CSR.","description_kind":"plain","optional":true},"use_csr_sans":{"type":"bool","description":"Flag to use the SANs in the CSR.","description_kind":"plain","optional":true}},"block_types":{"policy_identifier":{"nesting_mode":"set","block":{"attributes":{"cps":{"type":"string","description":"Optional CPS 
URL","description_kind":"plain","optional":true},"notice":{"type":"string","description":"Optional notice","description_kind":"plain","optional":true},"oid":{"type":"string","description":"OID","description_kind":"plain","required":true}},"description":"Policy identifier block; can only be used with Vault 1.11+","description_kind":"plain"}}},"description_kind":"plain"}},"vault_pki_secret_backend_root_cert":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of root to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_id":{"type":"string","description":"The ID of the generated issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Provides a name to the specified issuer. 
The name must be unique across all issuers and not be the reserved value 'default'.","description_kind":"plain","optional":true,"computed":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of root to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_root_sign_intermediate":{"version":2,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The signed intermediate CA certificate.","description_kind":"plain","computed":true},"certificate_bundle":{"type":"string","description":"The concatenation of the intermediate and issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. 
The value will be empty for all other formats.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA certificate.","description_kind":"plain","computed":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"use_csr_values":{"type":"bool","description":"Preserve CSR values.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_sign":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within 
min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_quota_lease_count":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_leases":{"type":"number","description":"The maximum number of leases to be allowed by the quota rule. The max_leases must be positive.","description_kind":"plain","required":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota.","description_kind":"plain","optional":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_quota_rate_limit":{"version":0,"block":{"attributes":{"block_interval":{"type":"number","description":"If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval":{"type":"number","description":"The duration in seconds to enforce rate limiting for.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota.","description_kind":"plain","optional":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota rule. 
The rate must be positive.","description_kind":"plain","required":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend":{"version":1,"block":{"attributes":{"connection_uri":{"type":"string","description":"Specifies the RabbitMQ connection URI.","description_kind":"plain","required":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password","description_kind":"plain","required":true,"sensitive":true},"password_policy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. 
Defaults to generating an alphanumeric password if not set.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path of the RabbitMQ Secret Backend where the connection should be configured","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username","description_kind":"plain","required":true,"sensitive":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies whether to verify connection URI, username, and password.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Rabbitmq Secret Backend the role belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.","description_kind":"plain","optional":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"configure":{"type":"string","description":"The configure permissions for this vhost.","description_kind":"plain","required":true},"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}},"vhost_topic":{"nesting_mode":"list","block":{"attributes":{"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"topic":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}}},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot":{"version":0,"block":{"attributes":{"cleanup_dead_servers":{"type":"bool","description":"Specifies whether to remove dead server nodes periodically or when a new server joins. 
This requires that min-quorum is also set.","description_kind":"plain","optional":true},"dead_server_last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set.","description_kind":"plain","optional":true},"disable_upgrade_migration":{"type":"bool","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered unhealthy.","description_kind":"plain","optional":true},"max_trailing_logs":{"type":"number","description":"Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy.","description_kind":"plain","optional":true},"min_quorum":{"type":"number","description":"Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"server_stabilization_time":{"type":"string","description":"Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_raft_snapshot_agent_config":{"version":0,"block":{"attributes":{"aws_access_key_id":{"type":"string","description":"AWS access key ID.","description_kind":"plain","optional":true},"aws_s3_bucket":{"type":"string","description":"S3 bucket to write snapshots to.","description_kind":"plain","optional":true},"aws_s3_disable_tls":{"type":"bool","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes.","description_kind":"plain","optional":true},"aws_s3_enable_kms":{"type":"bool","description":"Use KMS to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_s3_endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio.","description_kind":"plain","optional":true},"aws_s3_force_path_style":{"type":"bool","description":"Use the endpoint/bucket URL style instead of bucket.endpoint.","description_kind":"plain","optional":true},"aws_s3_kms_key":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true","description_kind":"plain","optional":true},"aws_s3_region":{"type":"string","description":"AWS region bucket is in.","description_kind":"plain","optional":true},"aws_s3_server_side_encryption":{"type":"bool","description":"Use AES256 to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"AWS session token.","description_kind":"plain","optional":true},"azure_account_key":{"type":"string","description":"Azure account 
key.","description_kind":"plain","optional":true},"azure_account_name":{"type":"string","description":"Azure account name.","description_kind":"plain","optional":true},"azure_blob_environment":{"type":"string","description":"Azure blob environment.","description_kind":"plain","optional":true},"azure_container_name":{"type":"string","description":"Azure container name to write snapshots to.","description_kind":"plain","optional":true},"azure_endpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite.","description_kind":"plain","optional":true},"file_prefix":{"type":"string","description":"The file or object name of snapshot files will start with this string.","description_kind":"plain","optional":true},"google_disable_tls":{"type":"bool","description":"Disable TLS for the GCS endpoint.","description_kind":"plain","optional":true},"google_endpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.","description_kind":"plain","optional":true},"google_gcs_bucket":{"type":"string","description":"GCS bucket to write snapshots to.","description_kind":"plain","optional":true},"google_service_account_key":{"type":"string","description":"Google service account key in JSON format.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval_seconds":{"type":"number","description":"Number of seconds between snapshots.","description_kind":"plain","required":true},"local_max_space":{"type":"number","description":"The maximum space, in bytes, to use for snapshots.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the snapshot agent configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path_prefix":{"type":"string","description":"The directory or bucket prefix to to use.","description_kind":"plain","required":true},"retain":{"type":"number","description":"How many snapshots are to be kept.","description_kind":"plain","optional":true},"storage_type":{"type":"string","description":"What storage service to send snapshots to. One of \"local\", \"azure-blob\", \"aws-s3\", or \"google-gcs\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_rgp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_saml_auth_backend":{"version":0,"block":{"attributes":{"acs_urls":{"type":["list","string"],"description":"The well-formatted URLs of your Assertion Consumer Service (ACS) that should receive a response from the identity provider.","description_kind":"plain","required":true},"default_role":{"type":"string","description":"The role to use if no role is provided during login.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"entity_id":{"type":"string","description":"The entity ID of the SAML authentication service provider.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_cert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive with 'idp_metadata_url'","description_kind":"plain","optional":true},"idp_entity_id":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"idp_metadata_url":{"type":"string","description":"The metadata URL of the identity provider.","description_kind":"plain","optional":true},"idp_sso_url":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"verbose_logging":{"type":"bool","description":"Log additional, potentially sensitive information during the SAML exchange according to the current logging level. Not recommended for production.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_saml_auth_backend_role":{"version":0,"block":{"attributes":{"bound_attributes":{"type":["map","string"],"description":"Mapping of attribute names to values that are expected to exist in the SAML assertion.","description_kind":"plain","optional":true},"bound_attributes_type":{"type":"string","description":"The type of matching assertion to perform on bound_attributes.","description_kind":"plain","optional":true,"computed":true},"bound_subjects":{"type":["list","string"],"description":"The subject being asserted for SAML authentication.","description_kind":"plain","optional":true},"bound_subjects_type":{"type":"string","description":"The type of matching assertion to perform on bound_subjects.","description_kind":"plain","optional":true,"computed":true},"groups_attribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the user belongs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where SAML Auth engine is mounted.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_association":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Specifies the mount where the secret is located.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the 
destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_name":{"type":"string","description":"Specifies the name of the secret to synchronize.","description_kind":"plain","required":true},"sync_status":{"type":"string","description":"Specifies the status of the association.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Type of sync destination.","description_kind":"plain","required":true},"updated_at":{"type":"string","description":"Duration string stating when the secret was last updated.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_aws_destination":{"version":0,"block":{"attributes":{"access_key_id":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the AWS destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region where to manage the secrets manager entries.","description_kind":"plain","optional":true},"secret_access_key":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true,"sensitive":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_azure_destination":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"Client ID of an Azure app registration.","description_kind":"plain","optional":true},"client_secret":{"type":"string","description":"Client Secret of an Azure app registration.","description_kind":"plain","optional":true,"sensitive":true},"cloud":{"type":"string","description":"Specifies a cloud for the client.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_vault_uri":{"type":"string","description":"URI of an existing Azure Key Vault instance.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name of the Azure destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"ID of the target Azure tenant.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_config":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Disables the syncing process between Vault and external destinations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"queue_capacity":{"type":"number","description":"Maximum number of pending sync operations allowed on the queue.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_gcp_destination":{"version":0,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.","description_kind":"plain","optional":true,"sensitive":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the GCP destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_gh_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Fine-grained or personal access token.","description_kind":"plain","optional":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the github destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"repository_name":{"type":"string","description":"Name of the repository.","description_kind":"plain","optional":true},"repository_owner":{"type":"string","description":"GitHub organization or username that owns the repository.","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_vercel_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Vercel API access token with the permissions to manage environment variables.","description_kind":"plain","required":true,"sensitive":true},"deployment_environments":{"type":["list","string"],"description":"Deployment environments where the environment variables are available. 
Accepts 'development', 'preview' \u0026 'production'.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the Vercel destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"Project ID where to manage environment variables.","description_kind":"plain","required":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"team_id":{"type":"string","description":"Team ID the project belongs to.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the SSH Secret Backend where the CA should be configured","description_kind":"plain","optional":true},"generate_signing_key":{"type":"bool","description":"Whether Vault should generate the signing key pair internally.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"Private key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"public_key":{"type":"string","description":"Public key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_role":{"version":0,"block":{"attributes":{"algorithm_signer":{"type":"string","description_kind":"plain","optional":true,"computed":true},"allow_bare_domains":{"type":"bool","description_kind":"plain","optional":true},"allow_host_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description_kind":"plain","optional":true},"allow_user_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_user_key_ids":{"type":"bool","description_kind":"plain","optional":true},"allowed_critical_options":{"type":"string","description_kind":"plain","optional":true},"allowed_domains":{"type":"string","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allowed_extensions":{"type":"string","description_kind":"plain","optional":true},"allowed_user_key_lengths":{"type":["map","number"],"description_kind":"plain","deprecated":true,"optional":true},"allowed_users":{"type":"string","description_kind":"plain","optional":true},"allowed_users_template":{"type":"bool","description_kind":"plain","optional":true},"backend":{"type":"string","description_kind":"plain","required":true},"cidr_list":{"type":"string","description_kind":"plain","optional":true},"default_critical_options":{"type":["map","string"],"description_kind":"plain","optional":true},"default_extensions":{"type":["map","string"],"description_kind":"plain","
optional":true},"default_user":{"type":"string","description_kind":"plain","optional":true},"default_user_template":{"type":"bool","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id_format":{"type":"string","description_kind":"plain","optional":true},"key_type":{"type":"string","description_kind":"plain","required":true},"max_ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"block_types":{"allowed_user_key_config":{"nesting_mode":"set","block":{"attributes":{"lengths":{"type":["list","number"],"description":"List of allowed key lengths, vault-1.10 and above","description_kind":"plain","required":true},"type":{"type":"string","description":"Key type, choices:\nrsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521","description_kind":"plain","required":true}},"description":"Set of allowed public key types and their relevant configuration","description_kind":"plain"}}},"description_kind":"plain"}},"vault_terraform_cloud_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Terraform Cloud instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault Terraform Cloud mount to 
configure","description_kind":"plain","optional":true},"base_path":{"type":"string","description":"Specifies the base path for the Terraform Cloud or Enterprise API.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Terraform Cloud access token to use.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_creds":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Terraform Cloud secret backend to generate tokens from","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_id":{"type":"string","description":"Associated Vault lease ID, if one exists","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","computed":true},"token":{"type":"string","description":"Terraform Token provided by the Vault backend","description_kind":"plain","computed":true,"sensitive":true},"token_id":{"type":"string","description":"ID of the Terraform Token provided","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Terraform Cloud Secret Backend the role belongs to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum allowed lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Terraform Cloud credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","optional":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Default lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"user_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token":{"version":0,"block":{"attributes":{"client_token":{"type":"string","description":"The client token.","description_kind":"plain","computed":true,"sensitive":true},"display_name":{"type":"string","description":"The display name of the token.","description_kind":"plain","optional":true},"explicit_max_ttl":{"type":"string","description":"The explicit max TTL of the token.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"The token lease duration.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The token lease started on.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the token.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_default_policy":{"type":"bool","description":"Flag to disable the default policy.","description_kind":"plain","optional":true},"no_parent":{"type":"bool","description":"Flag to create a token without parent.","description_kind":"plain","optional":true,"computed":true},"num_uses":{"type":"number","description":"The number of allowed uses of the token.","description_kind":"plain","optional":true,"computed":true},"period":{"type":"string","description":"The period of the token.","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"List of policies.","description_kind":"plain","optional":true},"renew_increment":{"type":"number","description":"The renew increment.","description_kind":"plain","optional":true},"renew_min_lease":{"type":"number","description":"The minimum lease to renew token.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Flag to allow the token to be renewed","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"The token role name.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL period of the token.","description_kind":"plain","optional":true},"wrapped_token":{"type":"string","description":"The client wrapped token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_accessor":{"type":"string","description":"The client wrapping accessor.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL period of the wrapped token.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_entity_aliases":{"type":["set","string"],"description":"Set of allowed entity aliases for this 
role.","description_kind":"plain","optional":true},"allowed_policies":{"type":["set","string"],"description":"List of allowed policies for given role.","description_kind":"plain","optional":true},"allowed_policies_glob":{"type":["set","string"],"description":"Set of allowed policies with glob match for given role.","description_kind":"plain","optional":true},"disallowed_policies":{"type":["set","string"],"description":"List of disallowed policies for given role.","description_kind":"plain","optional":true},"disallowed_policies_glob":{"type":["set","string"],"description":"Set of disallowed policies with glob match for given role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"orphan":{"type":"bool","description":"If true, tokens created against this policy will be orphan tokens.","description_kind":"plain","optional":true},"path_suffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Whether to disable the ability of the token to be renewed past its initial TTL.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated 
token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_alphabet":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the alphabet.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_transform_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"transformations":{"type":["list","string"],"description":"A comma separated string or slice of transformations to use.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_template":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.","description_kind":"plain","optional":true},"decode_formats":{"type":["map","string"],"description":"The map of regular expression templates used to customize decoded outputs.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"encode_format":{"type":"string","description":"The regular expression template used for encoding values.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the template.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_transformation":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"The set of roles allowed to perform this transformation.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"masking_character":{"type":"string","description":"The character used to replace data when in masking mode","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the transformation.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"template":{"type":"string","description":"The name of the template to use.","description_kind":"plain","optional":true},"templates":{"type":["list","string"],"description":"Templates configured for transformation.","description_kind":"plain","optional":true,"computed":true},"tweak_source":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of transformation to perform.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_backend_key":{"version":0,"block":{"attributes":{"allow_plaintext_backup":{"type":"bool","description":"If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"auto_rotate_interval":{"type":"number","description":"Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"auto_rotate_period":{"type":"number","description":"Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"convergent_encryption":{"type":"bool","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. 
This requires derived to be set to true.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"Specifies if the key is allowed to be deleted.","description_kind":"plain","optional":true},"derived":{"type":"bool","description":"Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.","description_kind":"plain","optional":true},"exportable":{"type":"bool","description":"Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_size":{"type":"number","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512.","description_kind":"plain","optional":true},"keys":{"type":["list",["map","string"]],"description":"List of key versions in the keyring.","description_kind":"plain","computed":true},"latest_version":{"type":"number","description":"Latest key version in use in the keyring","description_kind":"plain","computed":true},"min_available_version":{"type":"number","description":"Minimum key version available for use.","description_kind":"plain","computed":true},"min_decryption_version":{"type":"number","description":"Minimum key version to use for decryption.","description_kind":"plain","optional":true},"min_encryption_version":{"type":"number","description":"Minimum key version to use for encryption","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the encryption key to create.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"supports_decryption":{"type":"bool","description":"Whether or not the key supports decryption, based on key type.","description_kind":"plain","computed":true},"supports_derivation":{"type":"bool","description":"Whether or not the key supports derivation, based on key type.","description_kind":"plain","computed":true},"supports_encryption":{"type":"bool","description":"Whether or not the key supports encryption, based on key type.","description_kind":"plain","computed":true},"supports_signing":{"type":"bool","description":"Whether or not the key supports signing, based on key type.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_cache_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"size":{"type":"number","description":"Number of cache entries. 
A size of 0 mean unlimited.","description_kind":"plain","required":true}},"description_kind":"plain"}}},"data_source_schemas":{"vault_ad_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"AD Secret Backend to read credentials from.","description_kind":"plain","required":true},"current_password":{"type":"string","description":"Password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the service account.","description_kind":"plain","computed":true}},"description_kind":"plain","deprecated":true}},"vault_approle_auth_backend_role_id":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend.","description_kind":"plain","computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration in seconds","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint.","description_kind":"plain","computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration in seconds","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The auth backend mount point.","description_kind":"plain","required":true},"type":{"type":"string","description":"The name of the auth backend.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_auth_backends":{"version":0,"block":{"attributes":{"accessors":{"type":["list","string"],"description":"The accessors of the auth backends.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"The auth backend mount points.","description_kind":"plain","computed":true},"type":{"type":"string","description":"The type of the auth backend.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform 
was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region the read credentials belong to.","description_kind":"plain","optional":true},"role":{"type":"string","description":"AWS Secret Role to read credentials from.","description_kind":"plain","required":true},"role_arn":{"type":"string","description":"ARN to use if multiple are available in the role. Required if the role has multiple ARNs.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"security_token":{"type":"string","description":"AWS security token read from Vault. (Only returned if type is 'sts').","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"User specified Time-To-Live for the STS token. Uses the Role defined default_sts_ttl when not specified","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of credentials to read. Must be either 'creds' for Access Key and Secret Key, or 'sts' for STS.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_static_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Azure Secret Backend to read credentials from.","description_kind":"plain","required":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs.","description_kind":"plain","computed":true,"sensitive":true},"environment":{"type":"string","description":"The Azure environment to use during credential validation.\nDefaults to the environment configured in the Vault backend.\nSome possible values: AzurePublicCloud, AzureUSGovernmentCloud","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"max_cred_validation_seconds":{"type":"number","description":"If 'validate_creds' is true, the number of seconds after which to give up validating 
credentials.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"num_seconds_between_tests":{"type":"number","description":"If 'validate_creds' is true, the number of seconds to wait between each test of generated credentials.","description_kind":"plain","optional":true},"num_sequential_successes":{"type":"number","description":"If 'validate_creds' is true, the number of sequential successes required to validate generated credentials.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Azure Secret Role to read credentials from.","description_kind":"plain","required":true},"subscription_id":{"type":"string","description":"The subscription ID to use during credential validation. Defaults to the subscription ID configured in the Vault backend","description_kind":"plain","optional":true},"tenant_id":{"type":"string","description":"The tenant ID to use during credential validation. 
Defaults to the tenant ID configured in the Vault backend","description_kind":"plain","optional":true},"validate_creds":{"type":"bool","description":"Whether generated credentials should be validated before being returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the GCP auth role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path from which a secret will be read.","description_kind":"plain","required":true},"version":{"type":"number","description_kind":"plain","optional":true},"with_lease_start_time":{"type":"bool","description":"If set to true, stores 'lease_start_time' in the TF state.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"aliases":{"type":["set",["object",{"canonical_id":"string","creation_time":"string","id":"string","last_update_time":"string","merged_from_canonical_ids":["set","string"],"metadata":["map","string"],"mount_accessor":"string","mount_path":"string","mount_type":"string","name":"string"}]],"description_kind":"plain","computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Entity data from Vault in JSON String form","description_kind":"plain","computed":true},"direct_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"disabled":{"type":"bool","description_kind":"plain","computed":true},"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","optional":true,"computed":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inherited_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"merged_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"alias_canonical_id":{"type":"string","description_kind":"plain","computed":true},"alias_creation_time":{"type":"string","description_kind":"plain","computed":true},"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_last_update_time":{"type":"string","description_kind":"plain","computed":true},"alias_merged_from_canonical_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"alias_metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_mount_path":{"type":"string","description_kind":"plain","computed":true},"alias_mount_type":{"type":"string","description_kind":"plain","computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Group data from Vault in JSON String form","description_kind":"plain","computed":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","optional":true,"computed":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"member_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"member_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"modify_index":{"type":"number","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"parent_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_client_creds":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_openid_config":{"version":0,"block":{"attributes":{"authorization_endpoint":{"type":"string","description":"The Authorization Endpoint for the provider.","description_kind":"plain","computed":true},"grant_types_supported":{"type":["list","string"],"description":"The grant types supported by the provider.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_signing_alg_values_supported":{"type":["list","string"],"description":"The signing algorithms supported by the provider.","description_kind":"plain","computed":true},"issuer":{"type":"string","description":"The URL of the issuer for the provider.","description_kind":"plain","computed":true},"jwks_uri":{"type":"string","description":"The well known keys URI for the 
provider.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"request_uri_parameter_supported":{"type":"bool","description":"Specifies whether Request URI Parameter is supported by the provider.","description_kind":"plain","computed":true},"response_types_supported":{"type":["list","string"],"description":"The response types supported by the provider.","description_kind":"plain","computed":true},"scopes_supported":{"type":["list","string"],"description":"The scopes supported by the provider.","description_kind":"plain","computed":true},"subject_types_supported":{"type":["list","string"],"description":"The subject types supported by the provider.","description_kind":"plain","computed":true},"token_endpoint":{"type":"string","description":"The Token Endpoint for the provider.","description_kind":"plain","computed":true},"token_endpoint_auth_methods_supported":{"type":["list","string"],"description":"The token endpoint auth methods supported by the provider.","description_kind":"plain","computed":true},"userinfo_endpoint":{"type":"string","description":"The User Info Endpoint for the provider.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_public_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"keys":{"type":["list",["map","string"]],"description":"The public portion of keys for an OIDC provider. Clients can use them to validate the authenticity of an identity token.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Method used for generating identity aliases.","description_kind":"plain","computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to \"*\" all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","computed":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_service_account_token":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Kubernetes secret backend to generate service account tokens from.","description_kind":"plain","required":true},"cluster_role_binding":{"type":"bool","description":"If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a 
namespace.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_namespace":{"type":"string","description":"The name of the Kubernetes namespace in which to generate the credentials.","description_kind":"plain","required":true},"lease_duration":{"type":"number","description":"The duration of the lease in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"The lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The name of the service account associated with the token.","description_kind":"plain","computed":true},"service_account_namespace":{"type":"string","description":"The Kubernetes namespace that the service account resides in.","description_kind":"plain","computed":true},"service_account_token":{"type":"string","description":"The Kubernetes service account token.","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_subkeys_v2":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Subkeys stored as a map of strings.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"Subkeys for the KV-V2 secret read from Vault.","description_kind":"plain","computed":true},"depth":{"type":"number","description":"Specifies the deepest nesting level to provide in the output.If non-zero, keys that reside at the specified depth value will be artificially treated as leaves and will thus be 'null' even if further underlying sub-keys exist.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. 
For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Specifies the version to return. If not set the latest version is returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"created_time":{"type":"string","description":"Time at which the secret was created","description_kind":"plain","computed":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata for the secret","description_kind":"plain","computed":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"deletion_time":{"type":"string","description":"Deletion time for the secret","description_kind":"plain","computed":true},"destroyed":{"type":"bool","description":"Indicates whether the secret has been destroyed","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KVV2 secret is written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Version of the secret to retrieve","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secrets_list":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full KV-V1 path where secrets will be listed.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secrets_list_v2":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full named path of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","optional":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secrets are listed.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_dynamic_credentials":{"version":0,"block":{"attributes":{"distinguished_names":{"type":["list","string"],"description":"List of the distinguished names (DN) created.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the dynamic role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the dynamic role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_static_credentials":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this static role's password.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","computed":true},"ttl":{"type":"number","description":"Duration in seconds after which the issued credential should expire.","description_kind":"plain","computed":true},"username":{"type":"string","description":"Name of the static role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_nomad_access_token":{"version":0,"block":{"attributes":{"accessor_id":{"type":"string","description":"The public identifier for a specific token. It can be used to look up information about a token or to revoke a token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Nomad secret backend to generate tokens from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"Used to make requests to Nomad and should be kept private.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Name of the issuer.","description_kind":"plain","computed":true},"issuer_ref":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","required":true},"key_id":{"type":"string","description":"ID of the key used by the issuer.","description_kind":"plain","computed":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during issuance.","description_kind":"plain","computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"usage":{"type":"string","description":"Allowed usages for this issuer.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of issuer strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key info data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used by issuers under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the key used.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","computed":true},"key_ref":{"type":"string","description":"Reference to an existing key.","description_kind":"plain","required":true},"key_type":{"type":"string","description":"Type of the key.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_keys":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of key strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy_document":{"version":0,"block":{"attributes":{"hcl":{"type":"string","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"rule":{"nesting_mode":"list","block":{"attributes":{"capabilities":{"type":["list","string"],"description_kind":"plain","required":true},"description":{"type":"string","description_kind":"plain","optional":true},"max_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"min_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","required":true},"required_parameters":{"type":["list","string"],"description_kind":"plain","optional":true}},"block_types":{"allowed_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}},"denied_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}}},"description":"The policy rule","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot_state":{"version":0,"block":{"attributes":{"failure_tolerance":{"type":"number","description":"How many nodes could fail before the cluster becomes unhealthy","description_kind":"plain","computed":true},"healthy":{"type":"bool","description":"Health status","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"leader":{"type":"string","description":"Current leader of Vault","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"optimistic_failure_tolerance":{"type":"number","description":"The cluster-level optimistic failure tolerance.","description_kind":"plain","computed":true},"redundancy_zones":{"type":["map","string"],"description":"Additional output related to redundancy zones stored as a map of strings.","description_kind":"plain","computed":true},"redundancy_zones_json":{"type":"string","description":"Subkeys for the redundancy zones read from Vault.","description_kind":"plain","computed":true},"servers":{"type":["map","string"],"description":"Additional output related to servers stored as a map of strings.","description_kind":"plain","computed":true},"servers_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"upgrade_info":{"type":["map","string"],"description":"Additional output related to upgrade info stored as a map of strings.","description_kind":"plain","computed":true},"upgrade_info_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"voters":{"type":["list","string"],"description":"The voters in the Vault cluster.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_transform_decode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be decoded in a single batch. If this parameter is set, the top-level parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of decoding batch_input.","description_kind":"plain","optional":true,"computed":true},"decoded_value":{"type":"string","description":"The result of decoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to decode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_encode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be encoded in a single batch. If this parameter is set, the parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of encoding batch_input.","description_kind":"plain","optional":true,"computed":true},"encoded_value":{"type":"string","description":"The result of encoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. 
Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to encode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_decrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","required":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the decryption key to use.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Decrypted plain text","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_transit_encrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","computed":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the encryption key to use.","description_kind":"plain","required":true},"key_version":{"type":"number","description":"The version of the key to use for encryption","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Map of strings read from Vault.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}}}}}} diff --git a/examples-generated/approle/authbackendlogin.yaml b/examples-generated/approle/authbackendlogin.yaml index b499ae6b..bb748b30 100644 --- a/examples-generated/approle/authbackendlogin.yaml +++ b/examples-generated/approle/authbackendlogin.yaml @@ -10,7 +10,10 @@ spec: forProvider: backend: cert roleId: ${vault_approle_auth_backend_role.example.role_id} - secretId: ${vault_approle_auth_backend_role_secret_id.id.secret_id} + secretIdSecretRef: + key: attribute.secret_id + name: example-approle-auth-backend-role-secret-id + namespace: upbound-system --- diff --git a/examples-generated/azure/secretbackendrole.yaml b/examples-generated/azure/secretbackendrole.yaml index a2890637..123eefdc 100644 --- a/examples-generated/azure/secretbackendrole.yaml +++ b/examples-generated/azure/secretbackendrole.yaml @@ -14,6 +14,10 @@ spec: backend: ${vault_azure_secret_backend.azure.path} maxTtl: 600 role: generated_role + signInAudience: AzureADMyOrg + tags: + - team:engineering + - environment:development ttl: 300 --- diff --git a/examples-generated/database/secretbackendstaticrole.yaml b/examples-generated/database/secretbackendstaticrole.yaml index 7adcafcc..20d71b98 100644 --- a/examples-generated/database/secretbackendstaticrole.yaml +++ b/examples-generated/database/secretbackendstaticrole.yaml 
@@ -4,13 +4,13 @@ metadata: annotations: meta.upbound.io/example-id: database/v1alpha1/secretbackendstaticrole labels: - testing.upbound.io/example-name: static_role - name: static-role + testing.upbound.io/example-name: period_role + name: period-role spec: forProvider: backend: dummy dbName: postgres - name: my-static-role + name: my-period-role rotationPeriod: "3600" rotationStatements: - ALTER USER "{{name}}" WITH PASSWORD '{{password}}'; diff --git a/examples-generated/gcp/authbackendrole.yaml b/examples-generated/gcp/authbackendrole.yaml index 9924d3f7..09889693 100644 --- a/examples-generated/gcp/authbackendrole.yaml +++ b/examples-generated/gcp/authbackendrole.yaml @@ -4,16 +4,23 @@ metadata: annotations: meta.upbound.io/example-id: gcp/v1alpha1/authbackendrole labels: - testing.upbound.io/example-name: gcp - name: gcp + testing.upbound.io/example-name: test + name: test spec: forProvider: + addGroupAliases: true backend: cert + boundProjects: + - test boundServiceAccounts: - - database-server@foo-bar-baz.iam.gserviceaccount.com - project_id: foo-bar-baz + - test + role: test + tokenMaxTtl: 600 tokenPolicies: - - database-server + - policy_a + - policy_b + tokenTtl: 300 + type: iam --- diff --git a/examples-generated/identity/mfapingid.yaml b/examples-generated/identity/mfapingid.yaml new file mode 100644 index 00000000..0663d2fc --- /dev/null +++ b/examples-generated/identity/mfapingid.yaml @@ -0,0 +1,11 @@ +apiVersion: identity.vault.upbound.io/v1alpha1 +kind: MfaPingid +metadata: + annotations: + meta.upbound.io/example-id: identity/v1alpha1/mfapingid + labels: + testing.upbound.io/example-name: example + name: example +spec: + forProvider: + settingsFileBase64: CnVzZV9iYXNlNjR[...]HBtCg== diff --git a/package/crds/approle.vault.upbound.io_authbackendlogins.yaml b/package/crds/approle.vault.upbound.io_authbackendlogins.yaml index 62f03599..8398ac77 100644 --- a/package/crds/approle.vault.upbound.io_authbackendlogins.yaml 
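Review bot: The new example `examples-generated/identity/mfapingid.yaml` sets `settingsFileBase64` as an inline string under `spec.forProvider`, so the PingID settings file is stored in the object itself and is readable by anyone with get/list access to MfaPingid resources. The visible prefix of the sample value decodes to `use_base64…`, which looks like the key entry of a PingID properties file, so the field presumably carries credential material; please confirm this against the upstream provider schema. This same commit moves the AppRole `secretId` to `secretIdSecretRef`, and this field would benefit from the same treatment. Because the file is generated, the change belongs in the provider's resource configuration: marking `settings_file_base64` as sensitive there should make the generator emit a secret reference (by the convention shown on this page, `settingsFileBase64SecretRef`) rather than a plain string.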
+++ b/package/crds/approle.vault.upbound.io_authbackendlogins.yaml @@ -82,11 +82,25 @@ spec: description: The ID of the role to log in with. The RoleID to log in with. type: string - secretId: + secretIdSecretRef: description: The secret ID of the role to log in with. Required unless bind_secret_id is set to false on the role. The SecretID to log in with. - type: string + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. @@ -116,11 +130,6 @@ spec: description: The ID of the role to log in with. The RoleID to log in with. type: string - secretId: - description: The secret ID of the role to log in with. Required - unless bind_secret_id is set to false on the role. The SecretID - to log in with. - type: string type: object managementPolicies: default: @@ -337,9 +346,6 @@ spec: description: The unique path of the Vault backend to log in with. Unique name of the auth backend to configure. type: string - clientToken: - description: The Vault token created. The token. - type: string id: type: string leaseDuration: @@ -377,11 +383,6 @@ spec: description: The ID of the role to log in with. The RoleID to log in with. type: string - secretId: - description: The secret ID of the role to log in with. Required - unless bind_secret_id is set to false on the role. The SecretID - to log in with. - type: string type: object conditions: description: Conditions of the resource. diff --git a/package/crds/aws.vault.upbound.io_authbackendclients.yaml b/package/crds/aws.vault.upbound.io_authbackendclients.yaml index c782758a..ed4cf37c 100644 --- a/package/crds/aws.vault.upbound.io_authbackendclients.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendclients.yaml 
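Review bot: Missing upgrade documentation: in the AuthBackendLogin CRD, `forProvider.secretId` becomes the object `secretIdSecretRef`, and `secretId` and `clientToken` are removed from `initProvider` and `status.atProvider`, with no API version change visible in these hunks. Existing manifests that set `secretId` will stop matching the schema, and consumers that read `status.atProvider.clientToken` will find it gone. The release notes should describe the migration: create a Secret and reference it with `key`, `name` and `namespace`. They should also recommend rotating any SecretID or client token that was previously held in plain text on these objects, since copies can remain in etcd backups and API audit logs. The CRD is generated, so this belongs in the changelog or upgrade guide rather than in this file.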
@@ -143,6 +143,15 @@ spec: Region to override the default region for making AWS STS API calls. type: string + useStsRegionFromClient: + description: Available in Vault v1.15+. If set, overrides both + sts_endpoint and sts_region to instead use the region specified + in the client request headers for IAM-based authentication. + This can be useful when you have client requests coming from + different regions and want flexibility in which regional STS + API is used. If set, will override sts_region and use the region + from the client request's header + type: boolean type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. @@ -197,6 +206,15 @@ spec: Region to override the default region for making AWS STS API calls. type: string + useStsRegionFromClient: + description: Available in Vault v1.15+. If set, overrides both + sts_endpoint and sts_region to instead use the region specified + in the client request headers for IAM-based authentication. + This can be useful when you have client requests coming from + different regions and want flexibility in which regional STS + API is used. If set, will override sts_region and use the region + from the client request's header + type: boolean type: object managementPolicies: default: @@ -442,6 +460,15 @@ spec: Region to override the default region for making AWS STS API calls. type: string + useStsRegionFromClient: + description: Available in Vault v1.15+. If set, overrides both + sts_endpoint and sts_region to instead use the region specified + in the client request headers for IAM-based authentication. + This can be useful when you have client requests coming from + different regions and want flexibility in which regional STS + API is used. If set, will override sts_region and use the region + from the client request's header + type: boolean type: object conditions: description: Conditions of the resource. 
diff --git a/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml b/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml index 642f5be8..a56d67a0 100644 --- a/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendconfigidentities.yaml @@ -99,6 +99,13 @@ spec: items: type: string type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. @@ -144,6 +151,13 @@ spec: items: type: string type: array + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string type: object managementPolicies: default: @@ -381,6 +395,13 @@ spec: type: array id: type: string + namespace: + description: The namespace to provision the resource in. The value + should not contain leading or trailing forward slashes. The + namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. Target namespace. (requires + Enterprise) + type: string type: object conditions: description: Conditions of the resource. diff --git a/package/crds/aws.vault.upbound.io_authbackendroles.yaml b/package/crds/aws.vault.upbound.io_authbackendroles.yaml index f2f93f89..ed51fecf 100644 --- a/package/crds/aws.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendroles.yaml 
@@ -79,7 +79,8 @@ spec: this role. type: string backend: - description: Unique name of the auth backend to configure. + description: Path to the mounted aws auth backend. Unique name + of the auth backend to configure. type: string boundAccountIds: description: If set, defines a constraint on the EC2 instances @@ -305,7 +306,8 @@ spec: this role. type: string backend: - description: Unique name of the auth backend to configure. + description: Path to the mounted aws auth backend. Unique name + of the auth backend to configure. type: string boundAccountIds: description: If set, defines a constraint on the EC2 instances @@ -725,7 +727,8 @@ spec: this role. type: string backend: - description: Unique name of the auth backend to configure. + description: Path to the mounted aws auth backend. Unique name + of the auth backend to configure. type: string boundAccountIds: description: If set, defines a constraint on the EC2 instances diff --git a/package/crds/aws.vault.upbound.io_secretbackends.yaml b/package/crds/aws.vault.upbound.io_secretbackends.yaml index 70285d2a..9f8cbdca 100644 --- a/package/crds/aws.vault.upbound.io_secretbackends.yaml +++ b/package/crds/aws.vault.upbound.io_secretbackends.yaml 
@@ -105,6 +105,24 @@ spec: description: Specifies a custom HTTP IAM endpoint to use. Specifies a custom HTTP IAM endpoint to use. type: string + identityTokenAudience: + description: The audience claim value. Requires Vault 1.16+. The + audience claim value. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. Requires + Vault 1.16+. The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.16+. The TTL of generated identity tokens in + seconds. + type: number + local: + description: Specifies whether the secrets mount will be marked + as local. Local mounts are not replicated to performance replicas. + Specifies if the secret backend is local only + type: boolean maxLeaseTtlSeconds: description: The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for @@ -126,6 +144,11 @@ spec: description: The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. type: string + roleArn: + description: Role ARN to assume for plugin identity token federation. + Requires Vault 1.16+. Role ARN to assume for plugin identity + token federation. + type: string secretKeySecretRef: description: The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, 
@@ -189,6 +212,24 @@ spec: description: Specifies a custom HTTP IAM endpoint to use. Specifies a custom HTTP IAM endpoint to use. type: string + identityTokenAudience: + description: The audience claim value. Requires Vault 1.16+. The + audience claim value. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. Requires + Vault 1.16+. The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.16+. The TTL of generated identity tokens in + seconds. + type: number + local: + description: Specifies whether the secrets mount will be marked + as local. Local mounts are not replicated to performance replicas. + Specifies if the secret backend is local only + type: boolean maxLeaseTtlSeconds: description: The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for @@ -210,6 +251,11 @@ spec: description: The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. type: string + roleArn: + description: Role ARN to assume for plugin identity token federation. + Requires Vault 1.16+. Role ARN to assume for plugin identity + token federation. + type: string stsEndpoint: description: Specifies a custom HTTP STS endpoint to use. Specifies a custom HTTP STS endpoint to use. 
@@ -443,6 +489,24 @@ spec: type: string id: type: string + identityTokenAudience: + description: The audience claim value. Requires Vault 1.16+. The + audience claim value. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. Requires + Vault 1.16+. The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.16+. The TTL of generated identity tokens in + seconds. + type: number + local: + description: Specifies whether the secrets mount will be marked + as local. Local mounts are not replicated to performance replicas. + Specifies if the secret backend is local only + type: boolean maxLeaseTtlSeconds: description: The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for @@ -464,6 +528,11 @@ spec: description: The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. type: string + roleArn: + description: Role ARN to assume for plugin identity token federation. + Requires Vault 1.16+. Role ARN to assume for plugin identity + token federation. + type: string stsEndpoint: description: Specifies a custom HTTP STS endpoint to use. Specifies a custom HTTP STS endpoint to use. diff --git a/package/crds/azure.vault.upbound.io_secretbackendroles.yaml b/package/crds/azure.vault.upbound.io_secretbackendroles.yaml index dad05f8e..744f2308 100644 --- a/package/crds/azure.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/azure.vault.upbound.io_secretbackendroles.yaml 
@@ -70,9 +70,9 @@ spec: applicationObjectId: description: Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. - If present, azure_roles will be ignored. Application Object - ID for an existing service principal that will be used instead - of creating dynamic service principals. + If present, azure_roles and permanently_delete will be ignored. + Application Object ID for an existing service principal that + will be used instead of creating dynamic service principals. type: string azureGroups: description: List of Azure groups to be assigned to the generated 
@@ -117,9 +117,32 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + permanentlyDelete: + description: Indicates whether the applications and service principals + created by Vault will be permanently deleted when the corresponding + leases expire. Defaults to false. For Vault v1.12+. Indicates + whether the applications and service principals created by Vault + will be permanently deleted when the corresponding leases expire. + type: boolean role: description: Name of the Azure role Name of the role to create type: string + signInAudience: + description: 'Specifies the security principal types that are + allowed to sign in to the application. Valid values are: AzureADMyOrg, + AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. + Requires Vault 1.16+. Specifies the security principal types + that are allowed to sign in to the application. Valid values + are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, + PersonalMicrosoftAccount' + type: string + tags: + description: '- A list of Azure tags to attach to an application. + Requires Vault 1.16+. Comma-separated strings of Azure tags + to attach to an application.' + items: + type: string + type: array ttl: description: – Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") 
@@ -144,9 +167,9 @@ spec: applicationObjectId: description: Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. - If present, azure_roles will be ignored. Application Object - ID for an existing service principal that will be used instead - of creating dynamic service principals. + If present, azure_roles and permanently_delete will be ignored. + Application Object ID for an existing service principal that + will be used instead of creating dynamic service principals. type: string azureGroups: description: List of Azure groups to be assigned to the generated 
@@ -191,9 +214,32 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + permanentlyDelete: + description: Indicates whether the applications and service principals + created by Vault will be permanently deleted when the corresponding + leases expire. Defaults to false. For Vault v1.12+. Indicates + whether the applications and service principals created by Vault + will be permanently deleted when the corresponding leases expire. + type: boolean role: description: Name of the Azure role Name of the role to create type: string + signInAudience: + description: 'Specifies the security principal types that are + allowed to sign in to the application. Valid values are: AzureADMyOrg, + AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. + Requires Vault 1.16+. Specifies the security principal types + that are allowed to sign in to the application. Valid values + are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, + PersonalMicrosoftAccount' + type: string + tags: + description: '- A list of Azure tags to attach to an application. + Requires Vault 1.16+. Comma-separated strings of Azure tags + to attach to an application.' + items: + type: string + type: array ttl: description: – Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") 
@@ -412,9 +458,9 @@ spec: applicationObjectId: description: Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. - If present, azure_roles will be ignored. Application Object - ID for an existing service principal that will be used instead - of creating dynamic service principals. + If present, azure_roles and permanently_delete will be ignored. + Application Object ID for an existing service principal that + will be used instead of creating dynamic service principals. type: string azureGroups: description: List of Azure groups to be assigned to the generated 
@@ -463,9 +509,32 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + permanentlyDelete: + description: Indicates whether the applications and service principals + created by Vault will be permanently deleted when the corresponding + leases expire. Defaults to false. For Vault v1.12+. Indicates + whether the applications and service principals created by Vault + will be permanently deleted when the corresponding leases expire. + type: boolean role: description: Name of the Azure role Name of the role to create type: string + signInAudience: + description: 'Specifies the security principal types that are + allowed to sign in to the application. Valid values are: AzureADMyOrg, + AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. + Requires Vault 1.16+. Specifies the security principal types + that are allowed to sign in to the application. Valid values + are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, + PersonalMicrosoftAccount' + type: string + tags: + description: '- A list of Azure tags to attach to an application. + Requires Vault 1.16+. Comma-separated strings of Azure tags + to attach to an application.' + items: + type: string + type: array ttl: description: – Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") diff --git a/package/crds/cert.vault.upbound.io_authbackendroles.yaml b/package/crds/cert.vault.upbound.io_authbackendroles.yaml index b46d047d..90933629 100644 --- a/package/crds/cert.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/cert.vault.upbound.io_authbackendroles.yaml 
@@ -106,6 +106,31 @@ spec: namespace: description: Target namespace. (requires Enterprise) type: string + ocspCaCertificates: + description: Any additional CA certificates needed to verify OCSP + responses. Provided as base64 encoded PEM data. + type: string + ocspEnabled: + description: If enabled, validate certificates' revocation status + using OCSP. + type: boolean + ocspFailOpen: + description: If true and an OCSP response cannot be fetched or + is of an unknown status, the login will proceed as if the certificate + has not been revoked. + type: boolean + ocspQueryAllServers: + description: If set to true, rather than accepting the first successful + OCSP response, query all servers and consider the certificate + valid only if all servers agree. + type: boolean + ocspServersOverride: + description: A comma-separated list of OCSP server addresses. + If unset, the OCSP server is determined from the AuthorityInformationAccess + extension on the certificate being inspected. + items: + type: string + type: array requiredExtensions: items: type: string 
@@ -197,6 +222,31 @@ spec: namespace: description: Target namespace. (requires Enterprise) type: string + ocspCaCertificates: + description: Any additional CA certificates needed to verify OCSP + responses. Provided as base64 encoded PEM data. + type: string + ocspEnabled: + description: If enabled, validate certificates' revocation status + using OCSP. + type: boolean + ocspFailOpen: + description: If true and an OCSP response cannot be fetched or + is of an unknown status, the login will proceed as if the certificate + has not been revoked. + type: boolean + ocspQueryAllServers: + description: If set to true, rather than accepting the first successful + OCSP response, query all servers and consider the certificate + valid only if all servers agree. + type: boolean + ocspServersOverride: + description: A comma-separated list of OCSP server addresses. + If unset, the OCSP server is determined from the AuthorityInformationAccess + extension on the certificate being inspected. + items: + type: string + type: array requiredExtensions: items: type: string 
@@ -488,6 +538,31 @@ spec: namespace: description: Target namespace. (requires Enterprise) type: string + ocspCaCertificates: + description: Any additional CA certificates needed to verify OCSP + responses. Provided as base64 encoded PEM data. + type: string + ocspEnabled: + description: If enabled, validate certificates' revocation status + using OCSP. + type: boolean + ocspFailOpen: + description: If true and an OCSP response cannot be fetched or + is of an unknown status, the login will proceed as if the certificate + has not been revoked. + type: boolean + ocspQueryAllServers: + description: If set to true, rather than accepting the first successful + OCSP response, query all servers and consider the certificate + valid only if all servers agree. + type: boolean + ocspServersOverride: + description: A comma-separated list of OCSP server addresses. + If unset, the OCSP server is determined from the AuthorityInformationAccess + extension on the certificate being inspected. + items: + type: string + type: array requiredExtensions: items: type: string diff --git a/package/crds/database.vault.upbound.io_secretbackendconnections.yaml b/package/crds/database.vault.upbound.io_secretbackendconnections.yaml index 91bcf6d0..92085066 100644 --- a/package/crds/database.vault.upbound.io_secretbackendconnections.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendconnections.yaml @@ -651,6 +651,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use 
@@ -687,6 +692,25 @@ spec: - name - namespace type: object + serviceAccountJsonSecretRef: + description: JSON encoding of an IAM access key. Requires + auth_type to be gcp_iam. A JSON encoded credential for + use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: description: x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 @@ -730,6 +754,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use 
@@ -766,6 +795,52 @@ spec: - name - namespace type: object + serviceAccountJsonSecretRef: + description: JSON encoding of an IAM access key. Requires + auth_type to be gcp_iam. A JSON encoded credential for + use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string + tlsCertificateKeySecretRef: + description: x509 certificate for connecting to the database. + This must be a PEM encoded version of the private key + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -782,6 +857,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use 
@@ -818,6 +898,52 @@ spec: - name - namespace type: object + serviceAccountJsonSecretRef: + description: JSON encoding of an IAM access key. Requires + auth_type to be gcp_iam. A JSON encoded credential for + use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string + tlsCertificateKeySecretRef: + description: x509 certificate for connecting to the database. + This must be a PEM encoded version of the private key + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -834,6 +960,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use 
@@ -870,6 +1001,52 @@ spec: - name - namespace type: object + serviceAccountJsonSecretRef: + description: JSON encoding of an IAM access key. Requires + auth_type to be gcp_iam. A JSON encoded credential for + use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string + tlsCertificateKeySecretRef: + description: x509 certificate for connecting to the database. + This must be a PEM encoded version of the private key + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -902,6 +1079,11 @@ spec: the Vault docs for an example. Connection string to use to connect to the database. type: string + disconnectSessions: + description: Enable the built-in session disconnect mechanism. + Set to true to disconnect any open sessions prior to running + the revocation statements. + type: boolean maxConnectionLifetime: description: The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may 
@@ -933,6 +1115,10 @@ spec: - name - namespace type: object + splitStatements: + description: Enable spliting statements after semi-colons. + Set to true in order to split statements after semi-colons. + type: boolean username: description: The username to authenticate with. The root credential username used in the connection URL @@ -954,6 +1140,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -995,6 +1186,25 @@ spec: - name - namespace type: object + serviceAccountJsonSecretRef: + description: JSON encoding of an IAM access key. Requires + auth_type to be gcp_iam. A JSON encoded credential for + use with IAM authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -1583,6 +1793,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use 
@@ -1623,6 +1838,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -1641,6 +1861,12 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL @@ -1657,6 +1883,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -1675,6 +1906,12 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL 
@@ -1691,6 +1928,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -1709,6 +1951,12 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL @@ -1741,6 +1989,11 @@ spec: the Vault docs for an example. Connection string to use to connect to the database. type: string + disconnectSessions: + description: Enable the built-in session disconnect mechanism. + Set to true to disconnect any open sessions prior to running + the revocation statements. + type: boolean maxConnectionLifetime: description: The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may @@ -1754,6 +2007,10 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + splitStatements: + description: Enable spliting statements after semi-colons. + Set to true in order to split statements after semi-colons. + type: boolean username: description: The username to authenticate with. The root credential username used in the connection URL 
@@ -1775,6 +2032,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -2493,6 +2755,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -2533,6 +2800,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -2551,6 +2823,12 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL 
@@ -2567,6 +2845,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -2585,6 +2868,12 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL @@ -2601,6 +2890,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use @@ -2619,6 +2913,12 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL 
@@ -2651,6 +2951,11 @@ spec: the Vault docs for an example. Connection string to use to connect to the database. type: string + disconnectSessions: + description: Enable the built-in session disconnect mechanism. + Set to true to disconnect any open sessions prior to running + the revocation statements. + type: boolean maxConnectionLifetime: description: The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may @@ -2664,6 +2969,10 @@ spec: description: The maximum number of open connections to use. Maximum number of open connections to the database. type: number + splitStatements: + description: Enable spliting statements after semi-colons. + Set to true in order to split statements after semi-colons. + type: boolean username: description: The username to authenticate with. The root credential username used in the connection URL @@ -2685,6 +2994,11 @@ spec: plugin. items: properties: + authType: + description: Enable IAM authentication to a Google Cloud + instance when set to gcp_iam Specify alternative authorization + type. (Only 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See the Vault docs for an example. Connection string to use diff --git a/package/crds/database.vault.upbound.io_secretbackendroles.yaml b/package/crds/database.vault.upbound.io_secretbackendroles.yaml index a5a54819..c0823eaf 100644 --- a/package/crds/database.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendroles.yaml 
@@ -78,6 +78,19 @@ spec: items: type: string type: array + credentialConfig: + additionalProperties: + type: string + description: – Specifies the configuration for the given credential_type. + Specifies the configuration for the given credential_type. + type: object + credentialType: + description: '– Specifies the type of credential that will be + generated for the role. Options include: password, rsa_private_key, + client_certificate. See the plugin''s API page for credential + types supported by individual databases. Specifies the type + of credential that will be generated for the role.' + type: string dbName: description: The unique name of the database connection to use for the role. Database connection to use for this role. @@ -145,6 +158,19 @@ spec: items: type: string type: array + credentialConfig: + additionalProperties: + type: string + description: – Specifies the configuration for the given credential_type. + Specifies the configuration for the given credential_type. + type: object + credentialType: + description: '– Specifies the type of credential that will be + generated for the role. Options include: password, rsa_private_key, + client_certificate. See the plugin''s API page for credential + types supported by individual databases. Specifies the type + of credential that will be generated for the role.' + type: string dbName: description: The unique name of the database connection to use for the role. Database connection to use for this role. 
@@ -418,6 +444,19 @@ spec: items: type: string type: array + credentialConfig: + additionalProperties: + type: string + description: – Specifies the configuration for the given credential_type. + Specifies the configuration for the given credential_type. + type: object + credentialType: + description: '– Specifies the type of credential that will be + generated for the role. Options include: password, rsa_private_key, + client_certificate. See the plugin''s API page for credential + types supported by individual databases. Specifies the type + of credential that will be generated for the role.' + type: string dbName: description: The unique name of the database connection to use for the role. Database connection to use for this role. diff --git a/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml b/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml index 8d2629cf..6ee62efc 100644 --- a/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml +++ b/package/crds/database.vault.upbound.io_secretbackendstaticroles.yaml @@ -89,9 +89,16 @@ spec: type: string rotationPeriod: description: The amount of time Vault should wait before rotating - the password, in seconds. The amount of time Vault should wait - before rotating the password, in seconds. + the password, in seconds. Mutually exclusive with rotation_schedule. + The amount of time Vault should wait before rotating the password, + in seconds. type: number + rotationSchedule: + description: A cron-style string that will define the schedule + on which rotations should occur. Mutually exclusive with rotation_period. + A cron-style string that will define the schedule on which rotations + should occur. + type: string rotationStatements: description: Database statements to execute to rotate the password for the configured database user. Database statements to execute 
@@ -99,6 +106,12 @@ spec: items: type: string type: array + rotationWindow: + description: The amount of time, in seconds, in which rotations + are allowed to occur starting from a given rotation_schedule. + The amount of time in seconds in which the rotations are allowed + to occur starting from a given rotation_schedule. + type: number username: description: The database username that this static role corresponds to. The database username that this role corresponds to. @@ -138,9 +151,16 @@ spec: type: string rotationPeriod: description: The amount of time Vault should wait before rotating - the password, in seconds. The amount of time Vault should wait - before rotating the password, in seconds. + the password, in seconds. Mutually exclusive with rotation_schedule. + The amount of time Vault should wait before rotating the password, + in seconds. type: number + rotationSchedule: + description: A cron-style string that will define the schedule + on which rotations should occur. Mutually exclusive with rotation_period. + A cron-style string that will define the schedule on which rotations + should occur. + type: string rotationStatements: description: Database statements to execute to rotate the password for the configured database user. Database statements to execute @@ -148,6 +168,12 @@ spec: items: type: string type: array + rotationWindow: + description: The amount of time, in seconds, in which rotations + are allowed to occur starting from a given rotation_schedule. + The amount of time in seconds in which the rotations are allowed + to occur starting from a given rotation_schedule. + type: number username: description: The database username that this static role corresponds to. The database username that this role corresponds to. 
@@ -363,10 +389,6 @@ spec: rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)' - - message: rotationPeriod is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.rotationPeriod) - || has(self.initProvider.rotationPeriod)' - message: username is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.username) @@ -400,9 +422,16 @@ spec: type: string rotationPeriod: description: The amount of time Vault should wait before rotating - the password, in seconds. The amount of time Vault should wait - before rotating the password, in seconds. + the password, in seconds. Mutually exclusive with rotation_schedule. + The amount of time Vault should wait before rotating the password, + in seconds. type: number + rotationSchedule: + description: A cron-style string that will define the schedule + on which rotations should occur. Mutually exclusive with rotation_period. + A cron-style string that will define the schedule on which rotations + should occur. + type: string rotationStatements: description: Database statements to execute to rotate the password for the configured database user. Database statements to execute @@ -410,6 +439,12 @@ spec: items: type: string type: array + rotationWindow: + description: The amount of time, in seconds, in which rotations + are allowed to occur starting from a given rotation_schedule. + The amount of time in seconds in which the rotations are allowed + to occur starting from a given rotation_schedule. + type: number username: description: The database username that this static role corresponds to. The database username that this role corresponds to. 
diff --git a/package/crds/database.vault.upbound.io_secretsmounts.yaml b/package/crds/database.vault.upbound.io_secretsmounts.yaml index 0a3e3ac2..702dc155 100644 --- a/package/crds/database.vault.upbound.io_secretsmounts.yaml +++ b/package/crds/database.vault.upbound.io_secretsmounts.yaml @@ -983,6 +983,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -1044,6 +1048,24 @@ spec: items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object tlsCa: description: x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 @@ -1099,6 +1121,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the 
@@ -1160,6 +1186,51 @@ spec: items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string + tlsCertificateKeySecretRef: + description: x509 certificate for connecting to the database. + This must be a PEM encoded version of the private key + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -1188,6 +1259,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the 
@@ -1249,6 +1324,51 @@ spec: items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string + tlsCertificateKeySecretRef: + description: x509 certificate for connecting to the database. + This must be a PEM encoded version of the private key + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -1277,6 +1397,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the 
@@ -1338,6 +1462,51 @@ spec: items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string + tlsCertificateKeySecretRef: + description: x509 certificate for connecting to the database. + This must be a PEM encoded version of the private key + and the certificate combined. x509 certificate for connecting + to the database. This must be a PEM encoded version of + the private key and the certificate combined. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -1389,6 +1558,10 @@ spec: data to pass to the endpoint. Useful for templated connection strings. type: object + disconnectSessions: + description: Set to true to disconnect any open sessions + prior to running the revocation statements. + type: boolean maxConnectionLifetime: description: The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may 
@@ -1437,6 +1610,10 @@ spec: items: type: string type: array + splitStatements: + description: Set to true in order to split statements after + semi-colons. + type: boolean username: description: The username to authenticate with. The root credential username used in the connection URL @@ -1469,6 +1646,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -1535,6 +1716,24 @@ spec: items: type: string type: array + serviceAccountJsonSecretRef: + description: A JSON encoded credential for use with IAM + authorization + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object username: description: The username to authenticate with. The root credential username used in the connection URL @@ -2604,6 +2803,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -2681,6 +2884,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the 
@@ -2724,6 +2931,12 @@ spec: items: type: string type: array + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL @@ -2752,6 +2965,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -2795,6 +3012,12 @@ spec: items: type: string type: array + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL @@ -2823,6 +3046,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -2866,6 +3093,12 @@ spec: items: type: string type: array + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL 
@@ -2917,6 +3150,10 @@ spec: data to pass to the endpoint. Useful for templated connection strings. type: object + disconnectSessions: + description: Set to true to disconnect any open sessions + prior to running the revocation statements. + type: boolean maxConnectionLifetime: description: The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may @@ -2947,6 +3184,10 @@ spec: items: type: string type: array + splitStatements: + description: Set to true in order to split statements after + semi-colons. + type: boolean username: description: The username to authenticate with. The root credential username used in the connection URL @@ -2979,6 +3220,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -4206,6 +4451,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -4283,6 +4532,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the 
@@ -4326,6 +4579,12 @@ spec: items: type: string type: array + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL @@ -4354,6 +4613,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -4397,6 +4660,12 @@ spec: items: type: string type: array + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL @@ -4425,6 +4694,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the @@ -4468,6 +4741,12 @@ spec: items: type: string type: array + tlsCa: + description: x509 CA file for validating the certificate + presented by the MySQL server. Must be PEM encoded. x509 + CA file for validating the certificate presented by the + MySQL server. Must be PEM encoded. + type: string username: description: The username to authenticate with. The root credential username used in the connection URL 
@@ -4519,6 +4798,10 @@ spec: data to pass to the endpoint. Useful for templated connection strings. type: object + disconnectSessions: + description: Set to true to disconnect any open sessions + prior to running the revocation statements. + type: boolean maxConnectionLifetime: description: The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may @@ -4549,6 +4832,10 @@ spec: items: type: string type: array + splitStatements: + description: Set to true in order to split statements after + semi-colons. + type: boolean username: description: The username to authenticate with. The root credential username used in the connection URL @@ -4581,6 +4868,10 @@ spec: items: type: string type: array + authType: + description: Specify alternative authorization type. (Only + 'gcp_iam' is valid currently) + type: string connectionUrl: description: A URL containing connection information. See Vault docs Connection string to use to connect to the diff --git a/package/crds/gcp.vault.upbound.io_authbackends.yaml b/package/crds/gcp.vault.upbound.io_authbackends.yaml index 46236f13..3b94a222 100644 --- a/package/crds/gcp.vault.upbound.io_authbackends.yaml +++ b/package/crds/gcp.vault.upbound.io_authbackends.yaml @@ -128,6 +128,35 @@ spec: type: string projectId: type: string + tune: + items: + properties: + allowedResponseHeaders: + items: + type: string + type: array + auditNonHmacRequestKeys: + items: + type: string + type: array + auditNonHmacResponseKeys: + items: + type: string + type: array + defaultLeaseTtl: + type: string + listingVisibility: + type: string + maxLeaseTtl: + type: string + passthroughRequestHeaders: + items: + type: string + type: array + tokenType: + type: string + type: object + type: array type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. 
@@ -186,6 +215,35 @@ spec: type: string projectId: type: string + tune: + items: + properties: + allowedResponseHeaders: + items: + type: string + type: array + auditNonHmacRequestKeys: + items: + type: string + type: array + auditNonHmacResponseKeys: + items: + type: string + type: array + defaultLeaseTtl: + type: string + listingVisibility: + type: string + maxLeaseTtl: + type: string + passthroughRequestHeaders: + items: + type: string + type: array + tokenType: + type: string + type: object + type: array type: object managementPolicies: default: @@ -389,6 +447,9 @@ spec: properties: atProvider: properties: + accessor: + description: The accessor of the auth backend + type: string clientEmail: type: string clientId: @@ -435,6 +496,35 @@ spec: type: string projectId: type: string + tune: + items: + properties: + allowedResponseHeaders: + items: + type: string + type: array + auditNonHmacRequestKeys: + items: + type: string + type: array + auditNonHmacResponseKeys: + items: + type: string + type: array + defaultLeaseTtl: + type: string + listingVisibility: + type: string + maxLeaseTtl: + type: string + passthroughRequestHeaders: + items: + type: string + type: array + tokenType: + type: string + type: object + type: array type: object conditions: description: Conditions of the resource. diff --git a/package/crds/github.vault.upbound.io_teams.yaml b/package/crds/github.vault.upbound.io_teams.yaml index f4d80ae6..eeda5d22 100644 --- a/package/crds/github.vault.upbound.io_teams.yaml +++ b/package/crds/github.vault.upbound.io_teams.yaml @@ -70,7 +70,7 @@ spec: backend: description: Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which team mapping - will be congigured. + will be configured. type: string namespace: description: The namespace to provision the resource in. The value 
@@ -106,7 +106,7 @@ spec: backend: description: Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which team mapping - will be congigured. + will be configured. type: string namespace: description: The namespace to provision the resource in. The value @@ -336,7 +336,7 @@ spec: backend: description: Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which team mapping - will be congigured. + will be configured. type: string id: type: string diff --git a/package/crds/identity.vault.upbound.io_mfapingids.yaml b/package/crds/identity.vault.upbound.io_mfapingids.yaml index fb622938..4c4b70b0 100644 --- a/package/crds/identity.vault.upbound.io_mfapingids.yaml +++ b/package/crds/identity.vault.upbound.io_mfapingids.yaml @@ -34,7 +34,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: MfaPingid is the Schema for the MfaPingids API. + description: MfaPingid is the Schema for the MfaPingids API. Resource for + configuring the pingid MFA method. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -67,14 +68,18 @@ spec: forProvider: properties: namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string settingsFileBase64: description: A base64-encoded third-party settings contents as - retrieved from PingID's configuration page. + retrieved from PingID's configuration page. A base64-encoded + third-party settings contents as retrieved from PingID's configuration + page. type: string usernameFormat: description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA methods. type: string type: object 
@@ -92,14 +97,18 @@ spec: them, like an autoscaler. properties: namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string settingsFileBase64: description: A base64-encoded third-party settings contents as - retrieved from PingID's configuration page. + retrieved from PingID's configuration page. A base64-encoded + third-party settings contents as retrieved from PingID's configuration + page. type: string usernameFormat: description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA methods. type: string type: object 
@@ -312,54 +321,63 @@ spec: properties: adminUrl: description: The admin URL, derived from "settings_file_base64" + The admin URL, derived from "settings_file_base64" type: string authenticatorUrl: description: A unique identifier of the organization, derived - from "settings_file_base64" + from "settings_file_base64" A unique identifier of the organization, + derived from "settings_file_base64" type: string id: type: string idpUrl: description: The IDP URL, derived from "settings_file_base64" + The IDP URL, derived from "settings_file_base64" type: string methodId: - description: Method ID. + description: Method ID. Method ID. type: string mountAccessor: - description: Mount accessor. + description: Mount accessor. Mount accessor. type: string name: description: Method name. type: string namespace: - description: Target namespace. (requires Enterprise) + description: Target namespace. (requires Enterprise) Target namespace. + (requires Enterprise) type: string namespaceId: - description: Method's namespace ID. + description: Method's namespace ID. Method's namespace ID. type: string namespacePath: - description: Method's namespace path. + description: Method's namespace path. Method's namespace path. type: string orgAlias: description: The name of the PingID client organization, derived - from "settings_file_base64" + from "settings_file_base64" The name of the PingID client organization, + derived from "settings_file_base64" type: string settingsFileBase64: description: A base64-encoded third-party settings contents as - retrieved from PingID's configuration page. + retrieved from PingID's configuration page. A base64-encoded + third-party settings contents as retrieved from PingID's configuration + page. type: string type: - description: MFA type. + description: MFA type. MFA type. 
type: string useSignature: description: Use signature value, derived from "settings_file_base64" + Use signature value, derived from "settings_file_base64" type: boolean usernameFormat: description: A template string for mapping Identity names to MFA + methods. A template string for mapping Identity names to MFA methods. type: string uuid: - description: Resource UUID. + description: Resource UUID. Resource UUID. type: string type: object conditions: diff --git a/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml b/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml index 6b4363fe..95d0f4a1 100644 --- a/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml +++ b/package/crds/kubernetes.vault.upbound.io_authbackendconfigs.yaml @@ -120,12 +120,13 @@ spec: type: string type: array tokenReviewerJwtSecretRef: - description: A service account JWT used to access the TokenReview - API to validate other JWTs during login. If not set the JWT - used for login will be used to access the API. A service account - JWT used to access the TokenReview API to validate other JWTs - during login. If not set the JWT used for login will be used - to access the API. + description: A service account JWT (or other token) used as a + bearer token to access the TokenReview API to validate other + JWTs during login. If not set the JWT used for login will be + used to access the API. A service account JWT (or other token) + used as a bearer token to access the TokenReview API to validate + other JWTs during login. If not set the JWT used for login will + be used to access the API. properties: key: description: The key to select. diff --git a/package/crds/ldap.vault.upbound.io_authbackends.yaml b/package/crds/ldap.vault.upbound.io_authbackends.yaml index 8868af9f..9eb95415 100644 --- a/package/crds/ldap.vault.upbound.io_authbackends.yaml +++ b/package/crds/ldap.vault.upbound.io_authbackends.yaml 
@@ -130,6 +130,8 @@ spec: local: description: Specifies if the auth method is local only type: boolean + maxPageSize: + type: number namespace: description: Target namespace. (requires Enterprise) type: string @@ -233,6 +235,8 @@ spec: local: description: Specifies if the auth method is local only type: boolean + maxPageSize: + type: number namespace: description: Target namespace. (requires Enterprise) type: string @@ -535,6 +539,8 @@ spec: local: description: Specifies if the auth method is local only type: boolean + maxPageSize: + type: number namespace: description: Target namespace. (requires Enterprise) type: string diff --git a/package/crds/nomad.vault.upbound.io_secretroles.yaml b/package/crds/nomad.vault.upbound.io_secretroles.yaml index 294dc296..4a3c9fe5 100644 --- a/package/crds/nomad.vault.upbound.io_secretroles.yaml +++ b/package/crds/nomad.vault.upbound.io_secretroles.yaml @@ -69,8 +69,7 @@ spec: properties: backend: description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to nomad. The mount - path for the Nomad backend. + The mount path for the Nomad backend. type: string global: description: Specifies if the generated token should be global. @@ -117,8 +116,7 @@ spec: properties: backend: description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to nomad. The mount - path for the Nomad backend. + The mount path for the Nomad backend. type: string global: description: Specifies if the generated token should be global. @@ -363,8 +361,7 @@ spec: properties: backend: description: The unique path this backend should be mounted at. - Must not begin or end with a /. Defaults to nomad. The mount - path for the Nomad backend. + The mount path for the Nomad backend. type: string global: description: Specifies if the generated token should be global. 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml b/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml index 2d386a9a..f2c26dc7 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendcerts.yaml @@ -98,6 +98,9 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. + type: string minSecondsRemaining: description: Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate @@ -135,6 +138,11 @@ spec: items: type: string type: array + userIds: + description: List of Subject User IDs List of Subject User IDs. + items: + type: string + type: array type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. @@ -180,6 +188,9 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. + type: string minSecondsRemaining: description: Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate @@ -217,6 +228,11 @@ spec: items: type: string type: array + userIds: + description: List of Subject User IDs List of Subject User IDs. + items: + type: string + type: array type: object managementPolicies: default: @@ -476,6 +492,9 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. + type: string issuingCa: description: The issuing CA The issuing CA. type: string @@ -530,6 +549,11 @@ spec: items: type: string type: array + userIds: + description: List of Subject User IDs List of Subject User IDs. + items: + type: string + type: array type: object conditions: description: Conditions of the resource. 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml b/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml index c9bd0119..521c6b8c 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendintermediatecertrequests.yaml @@ -107,6 +107,18 @@ spec: keyBits: description: The number of bits to use The number of bits to use. type: number + keyName: + description: When a new key is created with this request, optionally + specifies the name for this. The global ref default may not + be used as a name. When a new key is created with this request, + optionally specifies the name for this. + type: string + keyRef: + description: Specifies the key (either default, by name, or by + identifier) to use for generating this request. Only suitable + for type=existing requests. Specifies the key to use for generating + this request. + type: string keyType: description: The desired key type The desired key type. type: string @@ -158,7 +170,7 @@ spec: type: description: Type of intermediate to create. Must be either "exported" or "internal" or "kms" Type of intermediate to create. Must - be either "exported" or "internal". + be either "existing", "exported", "internal" or "kms" type: string uriSans: description: List of alternative URIs List of alternative URIs. 
@@ -218,6 +230,18 @@ spec: keyBits: description: The number of bits to use The number of bits to use. type: number + keyName: + description: When a new key is created with this request, optionally + specifies the name for this. The global ref default may not + be used as a name. When a new key is created with this request, + optionally specifies the name for this. + type: string + keyRef: + description: Specifies the key (either default, by name, or by + identifier) to use for generating this request. Only suitable + for type=existing requests. Specifies the key to use for generating + this request. + type: string keyType: description: The desired key type The desired key type. type: string @@ -269,7 +293,7 @@ spec: type: description: Type of intermediate to create. Must be either "exported" or "internal" or "kms" Type of intermediate to create. Must - be either "exported" or "internal". + be either "existing", "exported", "internal" or "kms" type: string uriSans: description: List of alternative URIs List of alternative URIs. @@ -537,6 +561,22 @@ spec: keyBits: description: The number of bits to use The number of bits to use. type: number + keyId: + description: The ID of the generated key. The ID of the generated + key. + type: string + keyName: + description: When a new key is created with this request, optionally + specifies the name for this. The global ref default may not + be used as a name. When a new key is created with this request, + optionally specifies the name for this. + type: string + keyRef: + description: Specifies the key (either default, by name, or by + identifier) to use for generating this request. Only suitable + for type=existing requests. Specifies the key to use for generating + this request. + type: string keyType: description: The desired key type The desired key type. type: string 
@@ -591,7 +631,7 @@ spec: type: description: Type of intermediate to create. Must be either "exported" or "internal" or "kms" Type of intermediate to create. Must - be either "exported" or "internal". + be either "existing", "exported", "internal" or "kms" type: string uriSans: description: List of alternative URIs List of alternative URIs. diff --git a/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml b/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml index e3710db6..f1601985 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendintermediatesetsigneds.yaml @@ -341,6 +341,18 @@ spec: type: string id: type: string + importedIssuers: + description: The imported issuers indicating which issuers were + created as part of this request. The imported issuers. + items: + type: string + type: array + importedKeys: + description: The imported keys indicating which keys were created + as part of this request. The imported keys. + items: + type: string + type: array namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The diff --git a/package/crds/pki.vault.upbound.io_secretbackendroles.yaml b/package/crds/pki.vault.upbound.io_secretbackendroles.yaml index 43e72deb..da60b776 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendroles.yaml @@ -89,6 +89,10 @@ spec: description: Flag to allow certificates matching subdomains Flag to allow certificates matching subdomains. type: boolean + allowWildcardCertificates: + description: Flag to allow wildcard certificates. Flag to allow + wildcard certificates + type: boolean allowedDomains: description: List of allowed domains for certificates The domains of the role. 
@@ -119,6 +123,18 @@ spec: items: type: string type: array + allowedUriSansTemplate: + description: Flag, if set, allowed_uri_sans can be specified using + identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies + a template expression (e.g. {{identity.entity.aliases..name}}) + type: boolean + allowedUserIds: + description: Defines allowed User IDs The allowed User ID's. + items: + type: string + type: array backend: description: The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend @@ -158,10 +174,23 @@ spec: items: type: string type: array + extKeyUsageOids: + description: Specify the allowed extended key usage OIDs constraint + on issued certificates A list of extended key usage OIDs. + items: + type: string + type: array generateLease: description: Flag to generate leases with certificates Flag to generate leases with certificates. type: boolean + issuerRef: + description: Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. Use ACLs to prevent + access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths + to prevent users overriding the role's issuer_ref value. Specifies + the default issuer of this request. + type: string keyBits: description: The number of bits of generated keys The number of bits of generated keys. @@ -172,8 +201,10 @@ spec: type: string keyUsage: description: Specify the allowed key usage constraint on issued - certificates Specify the allowed key usage constraint on issued - certificates. + certificates. Defaults to ["DigitalSignature", "KeyAgreement", + "KeyEncipherment"]). To specify no default key usage constraints, + set this to an empty list []. Specify the allowed key usage + constraint on issued certificates. items: type: string type: array 
@@ -319,6 +350,10 @@ spec: description: Flag to allow certificates matching subdomains Flag to allow certificates matching subdomains. type: boolean + allowWildcardCertificates: + description: Flag to allow wildcard certificates. Flag to allow + wildcard certificates + type: boolean allowedDomains: description: List of allowed domains for certificates The domains of the role. @@ -349,6 +384,18 @@ spec: items: type: string type: array + allowedUriSansTemplate: + description: Flag, if set, allowed_uri_sans can be specified using + identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies + a template expression (e.g. {{identity.entity.aliases..name}}) + type: boolean + allowedUserIds: + description: Defines allowed User IDs The allowed User ID's. + items: + type: string + type: array backend: description: The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend @@ -388,10 +435,23 @@ spec: items: type: string type: array + extKeyUsageOids: + description: Specify the allowed extended key usage OIDs constraint + on issued certificates A list of extended key usage OIDs. + items: + type: string + type: array generateLease: description: Flag to generate leases with certificates Flag to generate leases with certificates. type: boolean + issuerRef: + description: Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. Use ACLs to prevent + access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths + to prevent users overriding the role's issuer_ref value. Specifies + the default issuer of this request. + type: string keyBits: description: The number of bits of generated keys The number of bits of generated keys. 
@@ -402,8 +462,10 @@ spec: type: string keyUsage: description: Specify the allowed key usage constraint on issued - certificates Specify the allowed key usage constraint on issued - certificates. + certificates. Defaults to ["DigitalSignature", "KeyAgreement", + "KeyEncipherment"]). To specify no default key usage constraints, + set this to an empty list []. Specify the allowed key usage + constraint on issued certificates. items: type: string type: array @@ -747,6 +809,10 @@ spec: description: Flag to allow certificates matching subdomains Flag to allow certificates matching subdomains. type: boolean + allowWildcardCertificates: + description: Flag to allow wildcard certificates. Flag to allow + wildcard certificates + type: boolean allowedDomains: description: List of allowed domains for certificates The domains of the role. @@ -777,6 +843,18 @@ spec: items: type: string type: array + allowedUriSansTemplate: + description: Flag, if set, allowed_uri_sans can be specified using + identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies + a template expression (e.g. {{identity.entity.aliases..name}}) + type: boolean + allowedUserIds: + description: Defines allowed User IDs The allowed User ID's. + items: + type: string + type: array backend: description: The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend 
@@ -816,12 +894,25 @@ spec: items: type: string type: array + extKeyUsageOids: + description: Specify the allowed extended key usage OIDs constraint + on issued certificates A list of extended key usage OIDs. + items: + type: string + type: array generateLease: description: Flag to generate leases with certificates Flag to generate leases with certificates. type: boolean id: type: string + issuerRef: + description: Specifies the default issuer of this request. May + be the value default, a name, or an issuer ID. Use ACLs to prevent + access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths + to prevent users overriding the role's issuer_ref value. Specifies + the default issuer of this request. + type: string keyBits: description: The number of bits of generated keys The number of bits of generated keys. @@ -832,8 +923,10 @@ spec: type: string keyUsage: description: Specify the allowed key usage constraint on issued - certificates Specify the allowed key usage constraint on issued - certificates. + certificates. Defaults to ["DigitalSignature", "KeyAgreement", + "KeyEncipherment"]). To specify no default key usage constraints, + set this to an empty list []. Specify the allowed key usage + constraint on issued certificates. items: type: string type: array diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml index 977a84b3..2782170f 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml 
@@ -94,9 +94,27 @@ spec: items: type: string type: array + issuerName: + description: Provides a name to the specified issuer. The name + must be unique across all issuers and not be the reserved value + default Provides a name to the specified issuer. The name must + be unique across all issuers and not be the reserved value 'default'. + type: string keyBits: description: The number of bits to use The number of bits to use. type: number + keyName: + description: When a new key is created with this request, optionally + specifies the name for this. The global ref default may not + be used as a name. When a new key is created with this request, + optionally specifies the name for this. + type: string + keyRef: + description: Specifies the key (either default, by name, or by + identifier) to use for generating this request. Only suitable + for type=existing requests. Specifies the key to use for generating + this request. + type: string keyType: description: The desired key type The desired key type. type: string @@ -162,8 +180,8 @@ spec: type: string type: description: Type of intermediate to create. Must be either "exported", - "internal" or "kms" Type of root to create. Must be either "exported" - or "internal". + "internal" or "kms" Type of root to create. Must be either "existing", + "exported", "internal" or "kms" type: string uriSans: description: List of alternative URIs List of alternative URIs. 
@@ -211,9 +229,27 @@ spec: items: type: string type: array + issuerName: + description: Provides a name to the specified issuer. The name + must be unique across all issuers and not be the reserved value + default Provides a name to the specified issuer. The name must + be unique across all issuers and not be the reserved value 'default'. + type: string keyBits: description: The number of bits to use The number of bits to use. type: number + keyName: + description: When a new key is created with this request, optionally + specifies the name for this. The global ref default may not + be used as a name. When a new key is created with this request, + optionally specifies the name for this. + type: string + keyRef: + description: Specifies the key (either default, by name, or by + identifier) to use for generating this request. Only suitable + for type=existing requests. Specifies the key to use for generating + this request. + type: string keyType: description: The desired key type The desired key type. type: string @@ -279,8 +315,8 @@ spec: type: string type: description: Type of intermediate to create. Must be either "exported", - "internal" or "kms" Type of root to create. Must be either "exported" - or "internal". + "internal" or "kms" Type of root to create. Must be either "existing", + "exported", "internal" or "kms" type: string uriSans: description: List of alternative URIs List of alternative URIs. 
@@ -536,12 +572,38 @@ spec: items: type: string type: array + issuerId: + description: The ID of the generated issuer. The ID of the generated + issuer. + type: string + issuerName: + description: Provides a name to the specified issuer. The name + must be unique across all issuers and not be the reserved value + default Provides a name to the specified issuer. The name must + be unique across all issuers and not be the reserved value 'default'. + type: string issuingCa: description: The issuing CA certificate. The issuing CA. type: string keyBits: description: The number of bits to use The number of bits to use. type: number + keyId: + description: The ID of the generated key. The ID of the generated + key. + type: string + keyName: + description: When a new key is created with this request, optionally + specifies the name for this. The global ref default may not + be used as a name. When a new key is created with this request, + optionally specifies the name for this. + type: string + keyRef: + description: Specifies the key (either default, by name, or by + identifier) to use for generating this request. Only suitable + for type=existing requests. Specifies the key to use for generating + this request. + type: string keyType: description: The desired key type The desired key type. type: string @@ -615,8 +677,8 @@ spec: type: string type: description: Type of intermediate to create. Must be either "exported", - "internal" or "kms" Type of root to create. Must be either "exported" - or "internal". + "internal" or "kms" Type of root to create. Must be either "existing", + "exported", "internal" or "kms" type: string uriSans: description: List of alternative URIs List of alternative URIs. diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml index 52851654..7c6ca8a4 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml 
+++ b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml @@ -96,6 +96,9 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. + type: string locality: description: The locality. type: string @@ -188,6 +191,9 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. + type: string locality: description: The locality. type: string @@ -499,6 +505,9 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. + type: string issuingCa: description: The issuing CA certificate. type: string diff --git a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml index 1990e53f..60fe6a69 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml @@ -101,6 +101,13 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. Can + be the value default, a name, or an issuer ID. Use ACLs to prevent + access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths + to prevent users overriding the role's issuer_ref value. Specifies + the default issuer of this request. + type: string minSecondsRemaining: description: Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate 
@@ -179,6 +186,13 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. Can + be the value default, a name, or an issuer ID. Use ACLs to prevent + access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths + to prevent users overriding the role's issuer_ref value. Specifies + the default issuer of this request. + type: string minSecondsRemaining: description: Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate @@ -477,6 +491,13 @@ spec: items: type: string type: array + issuerRef: + description: Specifies the default issuer of this request. Can + be the value default, a name, or an issuer ID. Use ACLs to prevent + access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths + to prevent users overriding the role's issuer_ref value. Specifies + the default issuer of this request. + type: string issuingCa: description: The issuing CA The issuing CA. type: string diff --git a/package/crds/quota.vault.upbound.io_leasecounts.yaml b/package/crds/quota.vault.upbound.io_leasecounts.yaml index d37d6ad8..bf7615e2 100644 --- a/package/crds/quota.vault.upbound.io_leasecounts.yaml +++ b/package/crds/quota.vault.upbound.io_leasecounts.yaml @@ -95,6 +95,15 @@ spec: Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. type: string + role: + description: If set on a quota where path is set to an auth mount + with a concept of roles (such as /auth/approle/), this will + make the quota restrict login requests to that mount that are + made with the specified role. If set on a quota where path is + set to an auth mount with a concept of roles (such as /auth/approle/), + this will make the quota restrict login requests to that mount + that are made with the specified role. + type: string type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. 
@@ -137,6 +146,15 @@ spec: Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. type: string + role: + description: If set on a quota where path is set to an auth mount + with a concept of roles (such as /auth/approle/), this will + make the quota restrict login requests to that mount that are + made with the specified role. If set on a quota where path is + set to an auth mount with a concept of roles (such as /auth/approle/), + this will make the quota restrict login requests to that mount + that are made with the specified role. + type: string type: object managementPolicies: default: @@ -379,6 +397,15 @@ spec: Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. type: string + role: + description: If set on a quota where path is set to an auth mount + with a concept of roles (such as /auth/approle/), this will + make the quota restrict login requests to that mount that are + made with the specified role. If set on a quota where path is + set to an auth mount with a concept of roles (such as /auth/approle/), + this will make the quota restrict login requests to that mount + that are made with the specified role. + type: string type: object conditions: description: Conditions of the resource. diff --git a/package/crds/quota.vault.upbound.io_ratelimits.yaml b/package/crds/quota.vault.upbound.io_ratelimits.yaml index f80c6b4f..c6d36a02 100644 --- a/package/crds/quota.vault.upbound.io_ratelimits.yaml +++ b/package/crds/quota.vault.upbound.io_ratelimits.yaml 
@@ -107,6 +107,15 @@ spec: The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. type: number + role: + description: If set on a quota where path is set to an auth mount + with a concept of roles (such as /auth/approle/), this will + make the quota restrict login requests to that mount that are + made with the specified role. If set on a quota where path is + set to an auth mount with a concept of roles (such as /auth/approle/), + this will make the quota restrict login requests to that mount + that are made with the specified role. + type: string type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. @@ -161,6 +170,15 @@ spec: The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. type: number + role: + description: If set on a quota where path is set to an auth mount + with a concept of roles (such as /auth/approle/), this will + make the quota restrict login requests to that mount that are + made with the specified role. If set on a quota where path is + set to an auth mount with a concept of roles (such as /auth/approle/), + this will make the quota restrict login requests to that mount + that are made with the specified role. + type: string type: object managementPolicies: default: 
@@ -415,6 +433,15 @@ spec: The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. type: number + role: + description: If set on a quota where path is set to an auth mount + with a concept of roles (such as /auth/approle/), this will + make the quota restrict login requests to that mount that are + made with the specified role. If set on a quota where path is + set to an auth mount with a concept of roles (such as /auth/approle/), + this will make the quota restrict login requests to that mount + that are made with the specified role. + type: string type: object conditions: description: Conditions of the resource. diff --git a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml index ec994a90..2391d922 100644 --- a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml @@ -99,6 +99,10 @@ spec: description: The list of domains for which a client can request a host certificate. type: string + allowedDomainsTemplate: + description: Specifies if allowed_domains can be declared using + identity template policies. Non-templated domains are also permitted. + type: boolean allowedExtensions: description: Specifies a comma-separated list of extensions that certificates can have when signed. @@ -194,6 +198,12 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + notBeforeDuration: + description: Specifies the duration by which to backdate the ValidAfter + property. Uses duration format strings. Specifies the duration + by which to backdate the ValidAfter property. Uses duration + format strings. + type: string ttl: description: Specifies the Time To Live value. type: string 
@@ -243,6 +253,10 @@ spec: description: The list of domains for which a client can request a host certificate. type: string + allowedDomainsTemplate: + description: Specifies if allowed_domains can be declared using + identity template policies. Non-templated domains are also permitted. + type: boolean allowedExtensions: description: Specifies a comma-separated list of extensions that certificates can have when signed. @@ -338,6 +352,12 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + notBeforeDuration: + description: Specifies the duration by which to backdate the ValidAfter + property. Uses duration format strings. Specifies the duration + by which to backdate the ValidAfter property. Uses duration + format strings. + type: string ttl: description: Specifies the Time To Live value. type: string @@ -589,6 +609,10 @@ spec: description: The list of domains for which a client can request a host certificate. type: string + allowedDomainsTemplate: + description: Specifies if allowed_domains can be declared using + identity template policies. Non-templated domains are also permitted. + type: boolean allowedExtensions: description: Specifies a comma-separated list of extensions that certificates can have when signed. @@ -686,6 +710,12 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + notBeforeDuration: + description: Specifies the duration by which to backdate the ValidAfter + property. Uses duration format strings. Specifies the duration + by which to backdate the ValidAfter property. Uses duration + format strings. + type: string ttl: description: Specifies the Time To Live value. type: string diff --git a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml index b44ece01..5f1c7a61 100644 --- a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml 
+++ b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml @@ -79,10 +79,11 @@ spec: of 0 disables automatic rotation for the key. type: number autoRotatePeriod: - description: Amount of time the key should live before being automatically - rotated. A value of 0 disables automatic rotation for the key. - Amount of time the key should live before being automatically - rotated. A value of 0 disables automatic rotation for the key. + description: Amount of seconds the key should live before being + automatically rotated. A value of 0 disables automatic rotation + for the key. Amount of seconds the key should live before being + automatically rotated. A value of 0 disables automatic rotation + for the key. type: number backend: description: The path the transit secret backend is mounted at, @@ -114,6 +115,13 @@ spec: allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. type: boolean + keySize: + description: The key size in bytes for algorithms that allow variable + key sizes. Currently only applicable to HMAC, where it must + be between 32 and 512 bytes. The key size in bytes for algorithms + that allow variable key sizes. Currently only applicable to + HMAC; this value must be between 32 and 512. + type: number minDecryptionVersion: description: Minimum key version to use for decryption. Minimum key version to use for decryption. 
@@ -137,10 +145,11 @@ spec: type: description: 'Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, - ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 - and rsa-4096. Specifies the type of key to create. The currently-supported - types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, - ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096' + ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, + rsa-3072 and rsa-4096. Specifies the type of key to create. + The currently-supported types are: aes128-gcm96, aes256-gcm96, + chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, + hmac, rsa-2048, rsa-3072, rsa-4096' type: string type: object initProvider: @@ -168,10 +177,11 @@ spec: of 0 disables automatic rotation for the key. type: number autoRotatePeriod: - description: Amount of time the key should live before being automatically - rotated. A value of 0 disables automatic rotation for the key. - Amount of time the key should live before being automatically - rotated. A value of 0 disables automatic rotation for the key. + description: Amount of seconds the key should live before being + automatically rotated. A value of 0 disables automatic rotation + for the key. Amount of seconds the key should live before being + automatically rotated. A value of 0 disables automatic rotation + for the key. type: number backend: description: The path the transit secret backend is mounted at, 
@@ -203,6 +213,13 @@ spec: allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. type: boolean + keySize: + description: The key size in bytes for algorithms that allow variable + key sizes. Currently only applicable to HMAC, where it must + be between 32 and 512 bytes. The key size in bytes for algorithms + that allow variable key sizes. Currently only applicable to + HMAC; this value must be between 32 and 512. + type: number minDecryptionVersion: description: Minimum key version to use for decryption. Minimum key version to use for decryption. @@ -226,10 +243,11 @@ spec: type: description: 'Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, - ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 - and rsa-4096. Specifies the type of key to create. The currently-supported - types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, - ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096' + ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, + rsa-3072 and rsa-4096. Specifies the type of key to create. + The currently-supported types are: aes128-gcm96, aes256-gcm96, + chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, + hmac, rsa-2048, rsa-3072, rsa-4096' type: string type: object managementPolicies: 
@@ -455,10 +473,11 @@ spec: of 0 disables automatic rotation for the key. type: number autoRotatePeriod: - description: Amount of time the key should live before being automatically - rotated. A value of 0 disables automatic rotation for the key. - Amount of time the key should live before being automatically - rotated. A value of 0 disables automatic rotation for the key. + description: Amount of seconds the key should live before being + automatically rotated. A value of 0 disables automatic rotation + for the key. Amount of seconds the key should live before being + automatically rotated. A value of 0 disables automatic rotation + for the key. type: number backend: description: The path the transit secret backend is mounted at, @@ -492,6 +511,13 @@ spec: type: boolean id: type: string + keySize: + description: The key size in bytes for algorithms that allow variable + key sizes. Currently only applicable to HMAC, where it must + be between 32 and 512 bytes. The key size in bytes for algorithms + that allow variable key sizes. Currently only applicable to + HMAC; this value must be between 32 and 512. + type: number keys: description: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on 
@@ -557,10 +583,11 @@ spec: type: description: 'Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, - ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 - and rsa-4096. Specifies the type of key to create. The currently-supported - types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, - ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072, rsa-4096' + ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, + rsa-3072 and rsa-4096. Specifies the type of key to create. + The currently-supported types are: aes128-gcm96, aes256-gcm96, + chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, + hmac, rsa-2048, rsa-3072, rsa-4096' type: string type: object conditions: diff --git a/package/crds/vault.vault.upbound.io_namespaces.yaml b/package/crds/vault.vault.upbound.io_namespaces.yaml index 35cd0eb7..890e24bb 100644 --- a/package/crds/vault.vault.upbound.io_namespaces.yaml +++ b/package/crds/vault.vault.upbound.io_namespaces.yaml @@ -67,6 +67,13 @@ spec: type: string forProvider: properties: + customMetadata: + additionalProperties: + type: string + description: Custom metadata describing this namespace. Value + type is map[string]string. Requires Vault version 1.12+. Custom + metadata describing this namespace. Value type is map[string]string. + type: object namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The 
@@ -76,12 +83,13 @@ spec: type: string path: description: The path of the namespace. Must not have a trailing - / Namespace path. + /. Namespace path. type: string pathFq: description: The fully qualified path to the namespace. Useful - when provisioning resources in a child namespace. The fully - qualified namespace path. + when provisioning resources in a child namespace. The path is + relative to the provider's namespace argument. The fully qualified + namespace path. type: string type: object initProvider: @@ -97,6 +105,13 @@ spec: creation, for example because of an external controller is managing them, like an autoscaler. properties: + customMetadata: + additionalProperties: + type: string + description: Custom metadata describing this namespace. Value + type is map[string]string. Requires Vault version 1.12+. Custom + metadata describing this namespace. Value type is map[string]string. + type: object namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The @@ -106,12 +121,13 @@ spec: type: string path: description: The path of the namespace. Must not have a trailing - / Namespace path. + /. Namespace path. type: string pathFq: description: The fully qualified path to the namespace. Useful - when provisioning resources in a child namespace. The fully - qualified namespace path. + when provisioning resources in a child namespace. The path is + relative to the provider's namespace argument. The fully qualified + namespace path. type: string type: object managementPolicies: 
@@ -321,8 +337,16 @@ spec: properties: atProvider: properties: + customMetadata: + additionalProperties: + type: string + description: Custom metadata describing this namespace. Value + type is map[string]string. Requires Vault version 1.12+. Custom + metadata describing this namespace. Value type is map[string]string. + type: object id: - description: ID of the namespace. + description: The fully qualified path to the namespace, including + the provider namespace and a trailing slash. type: string namespace: description: The namespace to provision the resource in. The value @@ -332,16 +356,18 @@ spec: Enterprise) type: string namespaceId: - description: ID of the namespace. Namespace ID. + description: Vault server's internal ID of the namespace. Namespace + ID. type: string path: description: The path of the namespace. Must not have a trailing - / Namespace path. + /. Namespace path. type: string pathFq: description: The fully qualified path to the namespace. Useful - when provisioning resources in a child namespace. The fully - qualified namespace path. + when provisioning resources in a child namespace. The path is + relative to the provider's namespace argument. The fully qualified + namespace path. type: string type: object conditions: diff --git a/package/crds/vault.vault.upbound.io_tokens.yaml b/package/crds/vault.vault.upbound.io_tokens.yaml index edca81fd..d9d7047c 100644 --- a/package/crds/vault.vault.upbound.io_tokens.yaml +++ b/package/crds/vault.vault.upbound.io_tokens.yaml @@ -71,8 +71,9 @@ spec: name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of this token The explicit max - TTL of the token. + description: The explicit max TTL of this token. This is specified + as a numeric string with suffix like "30s" ro "5m" The explicit + max TTL of the token. type: string metadata: additionalProperties: 
@@ -100,7 +101,9 @@ spec: of allowed uses of the token. type: number period: - description: The period of this token The period of the token. + description: The period of this token. This is specified as a + numeric string with suffix like "30s" ro "5m" The period of + the token. type: string policies: description: List of policies to attach to this token List of @@ -109,7 +112,8 @@ spec: type: string type: array renewIncrement: - description: The renew increment The renew increment. + description: The renew increment. This is specified in seconds + The renew increment. type: number renewMinLease: description: The minimal lease to renew this token The minimum @@ -123,12 +127,14 @@ spec: description: The token role name The token role name. type: string ttl: - description: The TTL period of this token The TTL period of the - token. + description: The TTL period of this token. This is specified as + a numeric string with suffix like "30s" ro "5m" The TTL period + of the token. type: string wrappingTtl: - description: The TTL period of this token The TTL period of the - wrapped token. + description: The TTL period of this token. This is specified as + a numeric string with suffix like "30s" ro "5m" The TTL period + of the wrapped token. type: string type: object initProvider: @@ -149,8 +155,9 @@ spec: name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of this token The explicit max - TTL of the token. + description: The explicit max TTL of this token. This is specified + as a numeric string with suffix like "30s" ro "5m" The explicit + max TTL of the token. type: string metadata: additionalProperties: 
@@ -178,7 +185,9 @@ spec: of allowed uses of the token. type: number period: - description: The period of this token The period of the token. + description: The period of this token. This is specified as a + numeric string with suffix like "30s" ro "5m" The period of + the token. type: string policies: description: List of policies to attach to this token List of @@ -187,7 +196,8 @@ spec: type: string type: array renewIncrement: - description: The renew increment The renew increment. + description: The renew increment. This is specified in seconds + The renew increment. type: number renewMinLease: description: The minimal lease to renew this token The minimum @@ -201,12 +211,14 @@ spec: description: The token role name The token role name. type: string ttl: - description: The TTL period of this token The TTL period of the - token. + description: The TTL period of this token. This is specified as + a numeric string with suffix like "30s" ro "5m" The TTL period + of the token. type: string wrappingTtl: - description: The TTL period of this token The TTL period of the - wrapped token. + description: The TTL period of this token. This is specified as + a numeric string with suffix like "30s" ro "5m" The TTL period + of the wrapped token. type: string type: object managementPolicies: @@ -416,8 +428,9 @@ spec: name of the token. type: string explicitMaxTtl: - description: The explicit max TTL of this token The explicit max - TTL of the token. + description: The explicit max TTL of this token. This is specified + as a numeric string with suffix like "30s" ro "5m" The explicit + max TTL of the token. type: string id: type: string 
@@ -455,7 +468,9 @@ spec: of allowed uses of the token. type: number period: - description: The period of this token The period of the token. + description: The period of this token. This is specified as a + numeric string with suffix like "30s" ro "5m" The period of + the token. type: string policies: description: List of policies to attach to this token List of @@ -464,7 +479,8 @@ spec: type: string type: array renewIncrement: - description: The renew increment The renew increment. + description: The renew increment. This is specified in seconds + The renew increment. type: number renewMinLease: description: The minimal lease to renew this token The minimum @@ -478,12 +494,14 @@ spec: description: The token role name The token role name. type: string ttl: - description: The TTL period of this token The TTL period of the - token. + description: The TTL period of this token. This is specified as + a numeric string with suffix like "30s" ro "5m" The TTL period + of the token. type: string wrappingTtl: - description: The TTL period of this token The TTL period of the - wrapped token. + description: The TTL period of this token. This is specified as + a numeric string with suffix like "30s" ro "5m" The TTL period + of the wrapped token. type: string type: object conditions: