Documentation ¶
Overview ¶
nolint: lll
nolint: lll
nolint: lll
nolint: lll
nolint: lll
Index ¶
- type AuthBackend
- type AuthBackendArgs
- type AuthBackendRole
- type AuthBackendRoleArgs
- type AuthBackendRoleState
- type AuthBackendState
- type SecretBackend
- type SecretBackendArgs
- type SecretBackendState
- type SecretRoleset
- type SecretRolesetArgs
- type SecretRolesetBinding
- type SecretRolesetBindingArgs
- type SecretRolesetBindingArray
- type SecretRolesetBindingArrayInput
- type SecretRolesetBindingArrayOutput
- func (SecretRolesetBindingArrayOutput) ElementType() reflect.Type
- func (o SecretRolesetBindingArrayOutput) Index(i pulumi.IntInput) SecretRolesetBindingOutput
- func (o SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutput() SecretRolesetBindingArrayOutput
- func (o SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutputWithContext(ctx context.Context) SecretRolesetBindingArrayOutput
- type SecretRolesetBindingInput
- type SecretRolesetBindingOutput
- func (SecretRolesetBindingOutput) ElementType() reflect.Type
- func (o SecretRolesetBindingOutput) Resource() pulumi.StringOutput
- func (o SecretRolesetBindingOutput) Roles() pulumi.StringArrayOutput
- func (o SecretRolesetBindingOutput) ToSecretRolesetBindingOutput() SecretRolesetBindingOutput
- func (o SecretRolesetBindingOutput) ToSecretRolesetBindingOutputWithContext(ctx context.Context) SecretRolesetBindingOutput
- type SecretRolesetState
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthBackend ¶
// AuthBackend is the Pulumi custom resource (it embeds pulumi.CustomResourceState)
// for a GCP auth backend configured in Vault.
type AuthBackend struct {
	pulumi.CustomResourceState

	// The client's email associated with the credentials
	ClientEmail pulumi.StringOutput `pulumi:"clientEmail"`
	// The Client ID of the credentials
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// A JSON string containing the contents of a GCP credentials file. If this value is empty,
	// Vault will try to use Application Default Credentials from the machine on which the
	// Vault server is running.
	//
	// Security: this is service-account key material, and as a resource output it is
	// recorded in the stack state.
	// NOTE(review): the type is a plain string output; confirm the value is marked as a
	// Pulumi secret so it is stored encrypted and masked in CLI output.
	Credentials pulumi.StringPtrOutput `pulumi:"credentials"`
	// NOTE(review): undocumented upstream; presumably a free-text description of the mount.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// NOTE(review): undocumented upstream; presumably the path the auth backend is mounted at.
	Path pulumi.StringPtrOutput `pulumi:"path"`
	// The ID of the private key from the credentials (an identifier, not the key itself)
	PrivateKeyId pulumi.StringOutput `pulumi:"privateKeyId"`
	// The GCP Project ID
	ProjectId pulumi.StringOutput `pulumi:"projectId"`
}
Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
> This content is derived from https://github.com/terraform-providers/terraform-provider-vault/blob/master/website/docs/r/gcp_auth_backend.html.md.
func GetAuthBackend ¶
func GetAuthBackend(ctx *pulumi.Context, name string, id pulumi.IDInput, state *AuthBackendState, opts ...pulumi.ResourceOption) (*AuthBackend, error)
GetAuthBackend gets an existing AuthBackend resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewAuthBackend ¶
func NewAuthBackend(ctx *pulumi.Context, name string, args *AuthBackendArgs, opts ...pulumi.ResourceOption) (*AuthBackend, error)
NewAuthBackend registers a new resource with the given unique name, arguments, and options.
type AuthBackendArgs ¶
// AuthBackendArgs is the set of arguments for constructing an AuthBackend resource.
type AuthBackendArgs struct {
	// The client's email associated with the credentials
	ClientEmail pulumi.StringPtrInput
	// The Client ID of the credentials
	ClientId pulumi.StringPtrInput
	// A JSON string containing the contents of a GCP credentials file. If this value is empty,
	// Vault will try to use Application Default Credentials from the machine on which the
	// Vault server is running.
	//
	// Security: this is service-account key material. Leaving it empty avoids handling a
	// key file at all when the Vault host's own identity is sufficient.
	// NOTE(review): the type is a plain string input; confirm callers pass the value as a
	// Pulumi secret (not a literal in program source or plaintext config) so it is
	// encrypted in the stack state.
	Credentials pulumi.StringPtrInput
	// NOTE(review): undocumented upstream; presumably a free-text description of the mount.
	Description pulumi.StringPtrInput
	// NOTE(review): undocumented upstream; presumably the path the auth backend is mounted at.
	Path pulumi.StringPtrInput
	// The ID of the private key from the credentials (an identifier, not the key itself)
	PrivateKeyId pulumi.StringPtrInput
	// The GCP Project ID
	ProjectId pulumi.StringPtrInput
}
The set of arguments for constructing an AuthBackend resource.
func (AuthBackendArgs) ElementType ¶
func (AuthBackendArgs) ElementType() reflect.Type
type AuthBackendRole ¶
// AuthBackendRole is the Pulumi custom resource (it embeds pulumi.CustomResourceState)
// for a role in a GCP auth backend within Vault.
type AuthBackendRole struct {
	pulumi.CustomResourceState

	// NOTE(review): undocumented upstream; confirm semantics against the Vault GCP auth docs.
	AddGroupAliases pulumi.BoolOutput `pulumi:"addGroupAliases"`
	// A flag to determine if this role should allow GCE instances to authenticate by inferring
	// service accounts from the GCE identity metadata token.
	AllowGceInference pulumi.BoolOutput `pulumi:"allowGceInference"`
	// Path to the mounted GCP auth backend
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// The instance groups that an authorized instance must belong to in order to be authenticated.
	// If specified, either `boundZones` or `boundRegions` must be set too.
	BoundInstanceGroups pulumi.StringArrayOutput `pulumi:"boundInstanceGroups"`
	// A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on
	// authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this
	// be used in conjunction with other restrictions.
	BoundLabels pulumi.StringArrayOutput `pulumi:"boundLabels"`
	// GCP Projects that the role exists within
	BoundProjects pulumi.StringArrayOutput `pulumi:"boundProjects"`
	// The list of regions that a GCE instance must belong to in order to be authenticated.
	// If boundInstanceGroups is provided, it is assumed to be a regional group and the group must
	// belong to this region. If boundZones are provided, this attribute is ignored.
	BoundRegions pulumi.StringArrayOutput `pulumi:"boundRegions"`
	// GCP Service Accounts allowed to issue tokens under this role.
	// (Note: **Required** if the role type is `iam`)
	BoundServiceAccounts pulumi.StringArrayOutput `pulumi:"boundServiceAccounts"`
	// The list of zones that a GCE instance must belong to in order to be authenticated.
	// If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must
	// belong to this zone.
	BoundZones pulumi.StringArrayOutput `pulumi:"boundZones"`
	// The number of seconds past the time of authentication that the login param JWT must expire
	// within. For example, if a user attempts to login with a token that expires within an hour and
	// this is set to 15 minutes, Vault will return an error prompting the user to create a new
	// signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp`
	// claim to be customized.
	MaxJwtExp pulumi.StringOutput `pulumi:"maxJwtExp"`
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	// NOTE(review): overlaps with TokenMaxTtl; presumably the older form of that field — confirm.
	MaxTtl pulumi.StringOutput `pulumi:"maxTtl"`
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// NOTE(review): overlaps with TokenPeriod; presumably the older form of that field — confirm.
	Period pulumi.StringOutput `pulumi:"period"`
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	// NOTE(review): overlaps with TokenPolicies; presumably the older form of that field — confirm.
	Policies pulumi.StringArrayOutput `pulumi:"policies"`
	// Name of the GCP role
	Role pulumi.StringOutput `pulumi:"role"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayOutput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrOutput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrOutput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrOutput `pulumi:"tokenNoDefaultPolicy"`
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	// NOTE(review): this description does not match the field name and looks copied from the
	// period field; presumably this is the maximum number of times a generated token may be
	// used — confirm against Vault's `token_num_uses` parameter.
	TokenNumUses pulumi.IntPtrOutput `pulumi:"tokenNumUses"`
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrOutput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayOutput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrOutput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrOutput `pulumi:"tokenType"`
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	// NOTE(review): overlaps with TokenTtl; presumably the older form of that field — confirm.
	Ttl pulumi.StringOutput `pulumi:"ttl"`
	// Type of GCP authentication role (either `gce` or `iam`)
	Type pulumi.StringOutput `pulumi:"type"`
}
Provides a resource to create a role in a [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
> This content is derived from https://github.com/terraform-providers/terraform-provider-vault/blob/master/website/docs/r/gcp_auth_backend_role.html.md.
func GetAuthBackendRole ¶
func GetAuthBackendRole(ctx *pulumi.Context, name string, id pulumi.IDInput, state *AuthBackendRoleState, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)
GetAuthBackendRole gets an existing AuthBackendRole resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewAuthBackendRole ¶
func NewAuthBackendRole(ctx *pulumi.Context, name string, args *AuthBackendRoleArgs, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)
NewAuthBackendRole registers a new resource with the given unique name, arguments, and options.
type AuthBackendRoleArgs ¶
// AuthBackendRoleArgs is the set of arguments for constructing an AuthBackendRole resource.
//
// The Bound* fields are the conditions a GCP identity must meet to log in under the role,
// and the Token* fields shape the Vault token it receives; review both groups together,
// because a loosely bound role combined with broad policies or a long-lived token is the
// combination to avoid.
type AuthBackendRoleArgs struct {
	// NOTE(review): undocumented upstream; confirm semantics against the Vault GCP auth docs.
	AddGroupAliases pulumi.BoolPtrInput
	// A flag to determine if this role should allow GCE instances to authenticate by inferring
	// service accounts from the GCE identity metadata token.
	AllowGceInference pulumi.BoolPtrInput
	// Path to the mounted GCP auth backend
	Backend pulumi.StringPtrInput
	// The instance groups that an authorized instance must belong to in order to be authenticated.
	// If specified, either `boundZones` or `boundRegions` must be set too.
	BoundInstanceGroups pulumi.StringArrayInput
	// A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on
	// authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this
	// be used in conjunction with other restrictions.
	//
	// Security: per the caveat above, a label match alone is a weak constraint; pair it with
	// BoundProjects, BoundServiceAccounts, BoundZones or BoundRegions.
	// NOTE(review): the field is a string array although the text says "comma-separated";
	// presumably each element is one "key:value" pair — confirm.
	BoundLabels pulumi.StringArrayInput
	// GCP Projects that the role exists within
	BoundProjects pulumi.StringArrayInput
	// The list of regions that a GCE instance must belong to in order to be authenticated.
	// If boundInstanceGroups is provided, it is assumed to be a regional group and the group must
	// belong to this region. If boundZones are provided, this attribute is ignored.
	BoundRegions pulumi.StringArrayInput
	// GCP Service Accounts allowed to issue tokens under this role.
	// (Note: **Required** if the role type is `iam`)
	BoundServiceAccounts pulumi.StringArrayInput
	// The list of zones that a GCE instance must belong to in order to be authenticated.
	// If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must
	// belong to this zone.
	BoundZones pulumi.StringArrayInput
	// The number of seconds past the time of authentication that the login param JWT must expire
	// within. For example, if a user attempts to login with a token that expires within an hour and
	// this is set to 15 minutes, Vault will return an error prompting the user to create a new
	// signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp`
	// claim to be customized.
	//
	// Security: a smaller value narrows the window in which a captured login JWT can be replayed.
	MaxJwtExp pulumi.StringPtrInput
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	// NOTE(review): overlaps with TokenMaxTtl; presumably the older form of that field —
	// confirm which one the provider honours and avoid setting both.
	MaxTtl pulumi.StringPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// NOTE(review): overlaps with TokenPeriod; presumably the older form of that field —
	// confirm which one the provider honours and avoid setting both.
	Period pulumi.StringPtrInput
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	// NOTE(review): overlaps with TokenPolicies; presumably the older form of that field —
	// confirm which one the provider honours and avoid setting both.
	Policies pulumi.StringArrayInput
	// Name of the GCP role
	Role pulumi.StringInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	// NOTE(review): this description does not match the field name and looks copied from the
	// period field; presumably this is the maximum number of times a generated token may be
	// used — confirm against Vault's `token_num_uses` parameter before relying on it.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	//
	// Security: a periodic token stays valid for as long as it keeps being renewed; set
	// TokenExplicitMaxTtl as well when a hard end of life is required.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	//
	// Security: every identity that satisfies the Bound* fields receives these policies, so
	// list only what that workload needs.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	// NOTE(review): overlaps with TokenTtl; presumably the older form of that field —
	// confirm which one the provider honours and avoid setting both.
	Ttl pulumi.StringPtrInput
	// Type of GCP authentication role (either `gce` or `iam`)
	Type pulumi.StringInput
}
The set of arguments for constructing an AuthBackendRole resource.
func (AuthBackendRoleArgs) ElementType ¶
func (AuthBackendRoleArgs) ElementType() reflect.Type
type AuthBackendRoleState ¶
// AuthBackendRoleState holds the optional state properties that GetAuthBackendRole accepts
// to qualify the lookup of an existing AuthBackendRole; every field is an optional input.
type AuthBackendRoleState struct {
	// NOTE(review): undocumented upstream; confirm semantics against the Vault GCP auth docs.
	AddGroupAliases pulumi.BoolPtrInput
	// A flag to determine if this role should allow GCE instances to authenticate by inferring
	// service accounts from the GCE identity metadata token.
	AllowGceInference pulumi.BoolPtrInput
	// Path to the mounted GCP auth backend
	Backend pulumi.StringPtrInput
	// The instance groups that an authorized instance must belong to in order to be authenticated.
	// If specified, either `boundZones` or `boundRegions` must be set too.
	BoundInstanceGroups pulumi.StringArrayInput
	// A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on
	// authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this
	// be used in conjunction with other restrictions.
	BoundLabels pulumi.StringArrayInput
	// GCP Projects that the role exists within
	BoundProjects pulumi.StringArrayInput
	// The list of regions that a GCE instance must belong to in order to be authenticated.
	// If boundInstanceGroups is provided, it is assumed to be a regional group and the group must
	// belong to this region. If boundZones are provided, this attribute is ignored.
	BoundRegions pulumi.StringArrayInput
	// GCP Service Accounts allowed to issue tokens under this role.
	// (Note: **Required** if the role type is `iam`)
	BoundServiceAccounts pulumi.StringArrayInput
	// The list of zones that a GCE instance must belong to in order to be authenticated.
	// If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must
	// belong to this zone.
	BoundZones pulumi.StringArrayInput
	// The number of seconds past the time of authentication that the login param JWT must expire
	// within. For example, if a user attempts to login with a token that expires within an hour and
	// this is set to 15 minutes, Vault will return an error prompting the user to create a new
	// signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp`
	// claim to be customized.
	MaxJwtExp pulumi.StringPtrInput
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	// NOTE(review): overlaps with TokenMaxTtl; presumably the older form of that field — confirm.
	MaxTtl pulumi.StringPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// NOTE(review): overlaps with TokenPeriod; presumably the older form of that field — confirm.
	Period pulumi.StringPtrInput
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	// NOTE(review): overlaps with TokenPolicies; presumably the older form of that field — confirm.
	Policies pulumi.StringArrayInput
	// Name of the GCP role
	Role pulumi.StringPtrInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	// NOTE(review): this description does not match the field name and looks copied from the
	// period field; presumably this is the maximum number of times a generated token may be
	// used — confirm against Vault's `token_num_uses` parameter.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	// NOTE(review): overlaps with TokenTtl; presumably the older form of that field — confirm.
	Ttl pulumi.StringPtrInput
	// Type of GCP authentication role (either `gce` or `iam`)
	Type pulumi.StringPtrInput
}
func (AuthBackendRoleState) ElementType ¶
func (AuthBackendRoleState) ElementType() reflect.Type
type AuthBackendState ¶
// AuthBackendState holds the optional state properties that GetAuthBackend accepts to
// qualify the lookup of an existing AuthBackend; every field is an optional input.
type AuthBackendState struct {
	// The client's email associated with the credentials
	ClientEmail pulumi.StringPtrInput
	// The Client ID of the credentials
	ClientId pulumi.StringPtrInput
	// A JSON string containing the contents of a GCP credentials file. If this value is empty,
	// Vault will try to use Application Default Credentials from the machine on which the
	// Vault server is running.
	//
	// Security: this is service-account key material; a lookup rarely needs it, so leave it
	// unset unless it is required.
	Credentials pulumi.StringPtrInput
	// NOTE(review): undocumented upstream; presumably a free-text description of the mount.
	Description pulumi.StringPtrInput
	// NOTE(review): undocumented upstream; presumably the path the auth backend is mounted at.
	Path pulumi.StringPtrInput
	// The ID of the private key from the credentials (an identifier, not the key itself)
	PrivateKeyId pulumi.StringPtrInput
	// The GCP Project ID
	ProjectId pulumi.StringPtrInput
}
func (AuthBackendState) ElementType ¶
func (AuthBackendState) ElementType() reflect.Type
type SecretBackend ¶
// SecretBackend is a Pulumi custom resource (it embeds pulumi.CustomResourceState) whose
// fields describe a mounted backend that issues GCP credentials.
type SecretBackend struct {
	pulumi.CustomResourceState

	// The GCP service account credentials in JSON format.
	//
	// Security: this is service-account key material, and as a resource output it is
	// recorded in the stack state.
	// NOTE(review): the type is a plain string output; confirm the value is marked as a
	// Pulumi secret so it is stored encrypted and masked in CLI output.
	Credentials pulumi.StringPtrOutput `pulumi:"credentials"`
	// The default TTL for credentials
	// issued by this backend. Defaults to '0'.
	// NOTE(review): presumably 0 means "use the Vault system default" rather than
	// "no expiry" — confirm.
	DefaultLeaseTtlSeconds pulumi.IntPtrOutput `pulumi:"defaultLeaseTtlSeconds"`
	// A human-friendly description for this backend.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// The maximum TTL that can be requested
	// for credentials issued by this backend. Defaults to '0'.
	// NOTE(review): presumably 0 means "use the Vault system default" rather than
	// "unlimited" — confirm.
	MaxLeaseTtlSeconds pulumi.IntPtrOutput `pulumi:"maxLeaseTtlSeconds"`
	// The unique path this backend should be mounted at. Must
	// not begin or end with a `/`. Defaults to `gcp`.
	Path pulumi.StringPtrOutput `pulumi:"path"`
}
func GetSecretBackend ¶
func GetSecretBackend(ctx *pulumi.Context, name string, id pulumi.IDInput, state *SecretBackendState, opts ...pulumi.ResourceOption) (*SecretBackend, error)
GetSecretBackend gets an existing SecretBackend resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewSecretBackend ¶
func NewSecretBackend(ctx *pulumi.Context, name string, args *SecretBackendArgs, opts ...pulumi.ResourceOption) (*SecretBackend, error)
NewSecretBackend registers a new resource with the given unique name, arguments, and options.
type SecretBackendArgs ¶
// SecretBackendArgs is the set of arguments for constructing a SecretBackend resource.
type SecretBackendArgs struct {
	// The GCP service account credentials in JSON format.
	//
	// Security: this is service-account key material.
	// NOTE(review): the type is a plain string input; confirm callers pass the value as a
	// Pulumi secret (not a literal in program source or plaintext config) so it is
	// encrypted in the stack state.
	Credentials pulumi.StringPtrInput
	// The default TTL for credentials
	// issued by this backend. Defaults to '0'.
	// NOTE(review): presumably 0 means "use the Vault system default" rather than
	// "no expiry" — confirm, and set an explicit value if short-lived credentials matter.
	DefaultLeaseTtlSeconds pulumi.IntPtrInput
	// A human-friendly description for this backend.
	Description pulumi.StringPtrInput
	// The maximum TTL that can be requested
	// for credentials issued by this backend. Defaults to '0'.
	// NOTE(review): presumably 0 means "use the Vault system default" rather than
	// "unlimited" — confirm.
	MaxLeaseTtlSeconds pulumi.IntPtrInput
	// The unique path this backend should be mounted at. Must
	// not begin or end with a `/`. Defaults to `gcp`.
	Path pulumi.StringPtrInput
}
The set of arguments for constructing a SecretBackend resource.
func (SecretBackendArgs) ElementType ¶
func (SecretBackendArgs) ElementType() reflect.Type
type SecretBackendState ¶
// SecretBackendState holds the optional state properties that GetSecretBackend accepts to
// qualify the lookup of an existing SecretBackend; every field is an optional input.
type SecretBackendState struct {
	// The GCP service account credentials in JSON format.
	//
	// Security: this is service-account key material; a lookup rarely needs it, so leave it
	// unset unless it is required.
	Credentials pulumi.StringPtrInput
	// The default TTL for credentials
	// issued by this backend. Defaults to '0'.
	DefaultLeaseTtlSeconds pulumi.IntPtrInput
	// A human-friendly description for this backend.
	Description pulumi.StringPtrInput
	// The maximum TTL that can be requested
	// for credentials issued by this backend. Defaults to '0'.
	MaxLeaseTtlSeconds pulumi.IntPtrInput
	// The unique path this backend should be mounted at. Must
	// not begin or end with a `/`. Defaults to `gcp`.
	Path pulumi.StringPtrInput
}
func (SecretBackendState) ElementType ¶
func (SecretBackendState) ElementType() reflect.Type
type SecretRoleset ¶
// SecretRoleset is the Pulumi custom resource (it embeds pulumi.CustomResourceState) for a
// roleset in Vault's GCP Secrets Engine.
type SecretRoleset struct {
	pulumi.CustomResourceState

	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringOutput `pulumi:"backend"`
	// Bindings to create for this roleset. This can be specified multiple times for multiple
	// bindings. Each element has the shape of SecretRolesetBinding (a resource plus its IAM roles).
	Bindings SecretRolesetBindingArrayOutput `pulumi:"bindings"`
	// Name of the GCP project that this roleset's service account will belong to.
	Project pulumi.StringOutput `pulumi:"project"`
	// Name of the Roleset to create
	Roleset pulumi.StringOutput `pulumi:"roleset"`
	// Type of secret generated for this role set. Accepted values: `accessToken`,
	// `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringOutput `pulumi:"secretType"`
	// Email of the service account created by Vault for this Roleset
	ServiceAccountEmail pulumi.StringOutput `pulumi:"serviceAccountEmail"`
	// List of OAuth scopes to assign to `accessToken` secrets generated under this role set
	// (`accessToken` role sets only).
	TokenScopes pulumi.StringArrayOutput `pulumi:"tokenScopes"`
}
Creates a Roleset in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.
Each Roleset is [tied](https://www.vaultproject.io/docs/secrets/gcp/index.html#service-accounts-are-tied-to-rolesets) to a Service Account, and can have one or more [bindings](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings) associated with it.
> This content is derived from https://github.com/terraform-providers/terraform-provider-vault/blob/master/website/docs/r/gcp_secret_roleset.html.md.
func GetSecretRoleset ¶
func GetSecretRoleset(ctx *pulumi.Context, name string, id pulumi.IDInput, state *SecretRolesetState, opts ...pulumi.ResourceOption) (*SecretRoleset, error)
GetSecretRoleset gets an existing SecretRoleset resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewSecretRoleset ¶
func NewSecretRoleset(ctx *pulumi.Context, name string, args *SecretRolesetArgs, opts ...pulumi.ResourceOption) (*SecretRoleset, error)
NewSecretRoleset registers a new resource with the given unique name, arguments, and options.
type SecretRolesetArgs ¶
// SecretRolesetArgs is the set of arguments for constructing a SecretRoleset resource.
type SecretRolesetArgs struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringInput
	// Bindings to create for this roleset. This can be specified multiple times for multiple
	// bindings. Each element has the shape of SecretRolesetBinding (a resource plus its IAM roles).
	//
	// Security: the bindings decide what every credential issued from this roleset can do
	// in GCP, so grant the narrowest resources and roles that the consumers need.
	Bindings SecretRolesetBindingArrayInput
	// Name of the GCP project that this roleset's service account will belong to.
	Project pulumi.StringInput
	// Name of the Roleset to create
	Roleset pulumi.StringInput
	// Type of secret generated for this role set. Accepted values: `accessToken`,
	// `serviceAccountKey`. Defaults to `accessToken`.
	// NOTE(review): presumably `serviceAccountKey` hands out key material that stays usable
	// for longer than an access token — confirm against the Vault docs and keep the
	// default unless a consumer cannot work with tokens.
	SecretType pulumi.StringPtrInput
	// List of OAuth scopes to assign to `accessToken` secrets generated under this role set
	// (`accessToken` role sets only).
	//
	// Security: scopes further limit what an issued token may call; list only those needed.
	TokenScopes pulumi.StringArrayInput
}
The set of arguments for constructing a SecretRoleset resource.
func (SecretRolesetArgs) ElementType ¶
func (SecretRolesetArgs) ElementType() reflect.Type
type SecretRolesetBinding ¶
// SecretRolesetBinding pairs one GCP resource with the IAM roles bound on it for a roleset.
type SecretRolesetBinding struct {
	// Resource or resource path for which IAM policy information will be bound. The resource
	// path may be specified in a few different
	// [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings).
	Resource string `pulumi:"resource"`
	// List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.
	//
	// Security: prefer narrowly scoped roles on a specific resource over broad roles on a
	// whole project.
	Roles []string `pulumi:"roles"`
}
type SecretRolesetBindingArgs ¶
// SecretRolesetBindingArgs is the input form of SecretRolesetBinding: the same two fields,
// typed as Pulumi inputs.
type SecretRolesetBindingArgs struct {
	// Resource or resource path for which IAM policy information will be bound. The resource
	// path may be specified in a few different
	// [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings).
	Resource pulumi.StringInput `pulumi:"resource"`
	// List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.
	//
	// Security: prefer narrowly scoped roles on a specific resource over broad roles on a
	// whole project.
	Roles pulumi.StringArrayInput `pulumi:"roles"`
}
func (SecretRolesetBindingArgs) ElementType ¶
func (SecretRolesetBindingArgs) ElementType() reflect.Type
func (SecretRolesetBindingArgs) ToSecretRolesetBindingOutput ¶
func (i SecretRolesetBindingArgs) ToSecretRolesetBindingOutput() SecretRolesetBindingOutput
func (SecretRolesetBindingArgs) ToSecretRolesetBindingOutputWithContext ¶
func (i SecretRolesetBindingArgs) ToSecretRolesetBindingOutputWithContext(ctx context.Context) SecretRolesetBindingOutput
type SecretRolesetBindingArray ¶
// SecretRolesetBindingArray is a slice of SecretRolesetBindingInput values.
type SecretRolesetBindingArray []SecretRolesetBindingInput
func (SecretRolesetBindingArray) ElementType ¶
func (SecretRolesetBindingArray) ElementType() reflect.Type
func (SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutput ¶
func (i SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutput() SecretRolesetBindingArrayOutput
func (SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutputWithContext ¶
func (i SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutputWithContext(ctx context.Context) SecretRolesetBindingArrayOutput
type SecretRolesetBindingArrayInput ¶
// SecretRolesetBindingArrayInput is a pulumi.Input that can be converted to a
// SecretRolesetBindingArrayOutput, with or without an explicit context.
type SecretRolesetBindingArrayInput interface {
	pulumi.Input

	ToSecretRolesetBindingArrayOutput() SecretRolesetBindingArrayOutput
	ToSecretRolesetBindingArrayOutputWithContext(context.Context) SecretRolesetBindingArrayOutput
}
type SecretRolesetBindingArrayOutput ¶
// SecretRolesetBindingArrayOutput is an output type that embeds *pulumi.OutputState.
type SecretRolesetBindingArrayOutput struct{ *pulumi.OutputState }
func (SecretRolesetBindingArrayOutput) ElementType ¶
func (SecretRolesetBindingArrayOutput) ElementType() reflect.Type
func (SecretRolesetBindingArrayOutput) Index ¶
func (o SecretRolesetBindingArrayOutput) Index(i pulumi.IntInput) SecretRolesetBindingOutput
func (SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutput ¶
func (o SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutput() SecretRolesetBindingArrayOutput
func (SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutputWithContext ¶
func (o SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutputWithContext(ctx context.Context) SecretRolesetBindingArrayOutput
type SecretRolesetBindingInput ¶
// SecretRolesetBindingInput is a pulumi.Input that can be converted to a
// SecretRolesetBindingOutput, with or without an explicit context.
type SecretRolesetBindingInput interface {
	pulumi.Input

	ToSecretRolesetBindingOutput() SecretRolesetBindingOutput
	ToSecretRolesetBindingOutputWithContext(context.Context) SecretRolesetBindingOutput
}
type SecretRolesetBindingOutput ¶
// SecretRolesetBindingOutput is an output type that embeds *pulumi.OutputState.
type SecretRolesetBindingOutput struct{ *pulumi.OutputState }
func (SecretRolesetBindingOutput) ElementType ¶
func (SecretRolesetBindingOutput) ElementType() reflect.Type
func (SecretRolesetBindingOutput) Resource ¶
func (o SecretRolesetBindingOutput) Resource() pulumi.StringOutput
Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings).
func (SecretRolesetBindingOutput) Roles ¶
func (o SecretRolesetBindingOutput) Roles() pulumi.StringArrayOutput
List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.
func (SecretRolesetBindingOutput) ToSecretRolesetBindingOutput ¶
func (o SecretRolesetBindingOutput) ToSecretRolesetBindingOutput() SecretRolesetBindingOutput
func (SecretRolesetBindingOutput) ToSecretRolesetBindingOutputWithContext ¶
func (o SecretRolesetBindingOutput) ToSecretRolesetBindingOutputWithContext(ctx context.Context) SecretRolesetBindingOutput
type SecretRolesetState ¶
// SecretRolesetState holds the optional state properties that GetSecretRoleset accepts to
// qualify the lookup of an existing SecretRoleset; every field is an optional input.
type SecretRolesetState struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringPtrInput
	// Bindings to create for this roleset. This can be specified multiple times for multiple
	// bindings. Each element has the shape of SecretRolesetBinding (a resource plus its IAM roles).
	Bindings SecretRolesetBindingArrayInput
	// Name of the GCP project that this roleset's service account will belong to.
	Project pulumi.StringPtrInput
	// Name of the Roleset to create
	Roleset pulumi.StringPtrInput
	// Type of secret generated for this role set. Accepted values: `accessToken`,
	// `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringPtrInput
	// Email of the service account created by Vault for this Roleset
	ServiceAccountEmail pulumi.StringPtrInput
	// List of OAuth scopes to assign to `accessToken` secrets generated under this role set
	// (`accessToken` role sets only).
	TokenScopes pulumi.StringArrayInput
}
func (SecretRolesetState) ElementType ¶
func (SecretRolesetState) ElementType() reflect.Type