From cb3a8c293a289cf03df9e6eedca0c803b51e8608 Mon Sep 17 00:00:00 2001 
From: Sergey Yakovlev Date: Thu, 18 Jul 2024 12:36:28 +0300 Subject: [PATCH] chore: update terraform provider v3.25.0 -> v4.4.0 chore: update go version to 1.21 in CI and go.mod --- .github/workflows/ci.yml | 2 +- .github/workflows/e2e.yaml | 2 +- Makefile | 4 +- apis/ad/v1alpha1/zz_generated.deepcopy.go | 30 - apis/ad/v1alpha1/zz_secretbackend_types.go | 35 +- apis/auth/v1alpha1/zz_backend_types.go | 10 + apis/auth/v1alpha1/zz_generated.deepcopy.go | 15 + .../v1alpha1/zz_authbackendclient_types.go | 66 ++- apis/aws/v1alpha1/zz_generated.deepcopy.go | 165 ++++++ .../v1alpha1/zz_secretbackendrole_types.go | 51 ++ .../v1alpha1/zz_authbackendconfig_types.go | 35 ++ apis/azure/v1alpha1/zz_generated.deepcopy.go | 75 +++ apis/azure/v1alpha1/zz_secretbackend_types.go | 48 ++ .../cert/v1alpha1/zz_authbackendrole_types.go | 7 - apis/cert/v1alpha1/zz_generated.deepcopy.go | 33 -- apis/consul/v1alpha1/zz_generated.deepcopy.go | 15 - .../v1alpha1/zz_secretbackendrole_types.go | 16 - .../v1alpha1/zz_generated.deepcopy.go | 144 +++++ .../v1alpha1/zz_secretsmount_types.go | 60 ++ apis/gcp/v1alpha1/zz_authbackend_types.go | 40 ++ apis/gcp/v1alpha1/zz_generated.deepcopy.go | 125 ++++ apis/gcp/v1alpha1/zz_secretbackend_types.go | 74 +++ .../v1alpha1/zz_generated.deepcopy.go | 5 - .../v1alpha1/zz_groupmemberentityids_types.go | 6 - apis/identity/v1alpha1/zz_oidcclient_types.go | 1 + apis/jwt/v1alpha1/zz_authbackendrole_types.go | 30 +- .../v1alpha1/zz_generated.deepcopy.go | 159 +++++ .../v1alpha1/zz_secretbackend_types.go | 60 ++ .../v1alpha1/zz_secretbackendrole_types.go | 38 +- .../v1alpha1/zz_secretrole_types.go | 12 +- apis/okta/v1alpha1/zz_authbackend_types.go | 90 +++ apis/okta/v1alpha1/zz_generated.deepcopy.go | 171 ++++++ apis/pki/v1alpha1/zz_generated.deepcopy.go | 30 +- .../zz_secretbackendconfigurls_types.go | 13 + .../zz_secretbackendrootcert_types.go | 4 - ...secretbackendrootsignintermediate_types.go | 3 - .../v1alpha1/zz_secretbackendsign_types.go | 4 - 
apis/quota/v1alpha1/zz_generated.deepcopy.go | 30 + apis/quota/v1alpha1/zz_leasecount_types.go | 13 + apis/quota/v1alpha1/zz_ratelimit_types.go | 13 + apis/ssh/v1alpha1/zz_generated.deepcopy.go | 75 +-- apis/ssh/v1alpha1/zz_generated_terraformed.go | 2 +- apis/ssh/v1alpha1/zz_secretbackendca_types.go | 26 + .../v1alpha1/zz_secretbackendrole_types.go | 16 - .../v1alpha1/zz_cloudsecretbackend_types.go | 9 +- .../transit/v1alpha1/zz_generated.deepcopy.go | 15 - .../v1alpha1/zz_secretbackendkey_types.go | 13 - apis/vault/v1alpha1/zz_generated.deepcopy.go | 144 +++++ apis/vault/v1alpha1/zz_mount_types.go | 99 ++++ config/provider-metadata.yaml | 561 ++++++++++++++++-- config/schema.json | 2 +- examples-generated/aws/authbackendclient.yaml | 12 +- .../azure/authbackendconfig.yaml | 8 +- examples-generated/azure/secretbackend.yaml | 8 +- examples-generated/gcp/secretbackend.yaml | 8 +- .../mongodbatlas/secretbackend.yaml | 2 +- .../mongodbatlas/secretrole.yaml | 8 +- examples/aws/authbackendclient.yaml | 19 + examples/azure/authbackendconfig.yaml | 38 ++ examples/azure/secretbackend.yaml | 28 + examples/gcp/secretbackend.yaml | 14 + go.mod | 2 +- go.sum | 14 + .../ad.vault.upbound.io_secretbackends.yaml | 42 +- .../crds/auth.vault.upbound.io_backends.yaml | 9 + ...s.vault.upbound.io_authbackendclients.yaml | 66 ++- ...s.vault.upbound.io_secretbackendroles.yaml | 63 ++ ...e.vault.upbound.io_authbackendconfigs.yaml | 33 ++ ...azure.vault.upbound.io_secretbackends.yaml | 42 ++ ...ert.vault.upbound.io_authbackendroles.yaml | 12 - ...l.vault.upbound.io_secretbackendroles.yaml | 21 - ...tabase.vault.upbound.io_secretsmounts.yaml | 90 +++ .../gcp.vault.upbound.io_authbackends.yaml | 39 ++ .../gcp.vault.upbound.io_secretbackends.yaml | 73 +++ ....upbound.io_groupmemberentityidsidses.yaml | 6 - ...identity.vault.upbound.io_oidcclients.yaml | 3 +- ...jwt.vault.upbound.io_authbackendroles.yaml | 42 +- ...s.vault.upbound.io_secretbackendroles.yaml | 61 +- 
...netes.vault.upbound.io_secretbackends.yaml | 90 +++ ...odbatlas.vault.upbound.io_secretroles.yaml | 33 +- .../okta.vault.upbound.io_authbackends.yaml | 102 ++++ ...lt.upbound.io_secretbackendconfigurls.yaml | 12 + ...ult.upbound.io_secretbackendrootcerts.yaml | 4 - ...io_secretbackendrootsignintermediates.yaml | 3 - ...i.vault.upbound.io_secretbackendsigns.yaml | 3 - .../quota.vault.upbound.io_leasecounts.yaml | 39 ++ .../quota.vault.upbound.io_ratelimits.yaml | 39 ++ ...ssh.vault.upbound.io_secretbackendcas.yaml | 36 ++ ...h.vault.upbound.io_secretbackendroles.yaml | 21 - ....vault.upbound.io_cloudsecretbackends.yaml | 6 +- ...it.vault.upbound.io_secretbackendkeys.yaml | 15 - .../crds/vault.vault.upbound.io_mounts.yaml | 120 ++++ 92 files changed, 3434 insertions(+), 548 deletions(-) create mode 100644 examples/aws/authbackendclient.yaml create mode 100644 examples/azure/authbackendconfig.yaml create mode 100644 examples/azure/secretbackend.yaml create mode 100644 examples/gcp/secretbackend.yaml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e99b2fc..fa6305b8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,7 @@ on: env: # Common versions - GO_VERSION: '1.20' + GO_VERSION: '1.21' GOLANGCI_VERSION: 'v1.53.3' DOCKER_BUILDX_VERSION: 'v0.8.2' diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index c55c2181..3601e923 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -8,7 +8,7 @@ jobs: e2e: uses: upbound/uptest/.github/workflows/pr-comment-trigger.yml@main with: - go-version: '1.20' + go-version: '1.21' secrets: UPTEST_CLOUD_CREDENTIALS: "not used" UPTEST_DATASOURCE: ${{ secrets.UPTEST_DATASOURCE }} diff --git a/Makefile b/Makefile index fcd1c962..8ffe2395 100644 --- a/Makefile +++ b/Makefile 
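Review bot: The reusable workflow in this job is referenced by a mutable branch, `uses: upbound/uptest/.github/workflows/pr-comment-trigger.yml@main`, and the job hands it `secrets.UPTEST_DATASOURCE`, so whatever `main` points to at run time executes with that secret. Since this hunk already edits the job's `with:` block, I would pin the reference to a reviewed full commit SHA, `uses: upbound/uptest/.github/workflows/pr-comment-trigger.yml@<full-commit-sha> # main`, and move it forward deliberately. The job definition continues outside the hunk.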
@@ -8,7 +8,7 @@ export TERRAFORM_VERSION := 1.5.5 export TERRAFORM_PROVIDER_SOURCE ?= hashicorp/vault export TERRAFORM_PROVIDER_REPO ?= https://github.com/hashicorp/terraform-provider-vault -export TERRAFORM_PROVIDER_VERSION ?= 3.25.0 +export TERRAFORM_PROVIDER_VERSION ?= 4.4.0 export TERRAFORM_PROVIDER_DOWNLOAD_NAME ?= terraform-provider-vault export TERRAFORM_DOCS_PATH ?= website/docs/r @@ -37,7 +37,7 @@ NPROCS ?= 1 # to half the number of CPU cores. GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 ))) -GO_REQUIRED_VERSION ?= 1.20 +GO_REQUIRED_VERSION ?= 1.21 GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/provider $(GO_PROJECT)/cmd/generator GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.Version=$(VERSION) GO_SUBDIRS += cmd internal apis diff --git a/apis/ad/v1alpha1/zz_generated.deepcopy.go b/apis/ad/v1alpha1/zz_generated.deepcopy.go index bb0e6285..d5acf584 100644 --- a/apis/ad/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ad/v1alpha1/zz_generated.deepcopy.go @@ -94,11 +94,6 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(bool) **out = **in } - if in.Formatter != nil { - in, out := &in.Formatter, &out.Formatter - *out = new(string) - **out = **in - } if in.Groupattr != nil { in, out := &in.Groupattr, &out.Groupattr *out = new(string) @@ -124,11 +119,6 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(float64) **out = **in } - if in.Length != nil { - in, out := &in.Length, &out.Length - *out = new(float64) - **out = **in - } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -306,11 +296,6 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(bool) **out = **in } - if in.Formatter != nil { - in, out := &in.Formatter, &out.Formatter - *out = new(string) - **out = **in - } if in.Groupattr != nil { in, out := &in.Groupattr, &out.Groupattr *out = new(string) 
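Review bot: The change of `TERRAFORM_PROVIDER_VERSION` from 3.25.0 to 4.4.0 crosses a major version, and the regenerated AD `SecretBackend` types in this same patch lose `formatter` and `length` while the API stays at `v1alpha1`; the diffstat shows net deletions in the cert, consul, ssh and transit types as well. Both AD fields shaped the passwords Vault generates and their removed comments named `password_policy` as the replacement, so resources that still set them should move to `passwordPolicy` before the upgrade. Presumably the API server prunes the now-unknown fields silently rather than rejecting them, which is worth confirming. I would list the removed fields in the commit description or release notes, and add a line above the variable such as `# 4.x drops deprecated fields (e.g. AD formatter/length); record removed fields in the release notes when bumping`.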
@@ -341,11 +326,6 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(float64) **out = **in } - if in.Length != nil { - in, out := &in.Length, &out.Length - *out = new(float64) - **out = **in - } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -502,11 +482,6 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(bool) **out = **in } - if in.Formatter != nil { - in, out := &in.Formatter, &out.Formatter - *out = new(string) - **out = **in - } if in.Groupattr != nil { in, out := &in.Groupattr, &out.Groupattr *out = new(string) @@ -532,11 +507,6 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(float64) **out = **in } - if in.Length != nil { - in, out := &in.Length, &out.Length - *out = new(float64) - **out = **in - } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) diff --git a/apis/ad/v1alpha1/zz_secretbackend_types.go b/apis/ad/v1alpha1/zz_secretbackend_types.go index 2a2b764a..bf9df598 100755 --- a/apis/ad/v1alpha1/zz_secretbackend_types.go +++ b/apis/ad/v1alpha1/zz_secretbackend_types.go @@ -61,10 +61,6 @@ type SecretBackendInitParameters struct { // Use anonymous bind to discover the bind DN of a user. Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` - // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` - // LDAP attribute to follow on objects returned by in order to enumerate // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn 
@@ -89,11 +85,6 @@ type SecretBackendInitParameters struct { // The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` - // Deprecated use password_policy. The desired length of passwords that Vault generates. - // Mutually exclusive with - // The desired length of passwords that Vault generates. - Length *float64 `json:"length,omitempty" tf:"length,omitempty"` - // Mark the secrets engine as local-only. Local engines are not replicated or removed by // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. @@ -114,7 +105,7 @@ type SecretBackendInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // 1.11+ + // Name of the password policy to use to generate passwords. // Name of the password policy to use to generate passwords. PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` 
@@ -221,10 +212,6 @@ type SecretBackendObservation struct { // Use anonymous bind to discover the bind DN of a user. Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` - // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` - // LDAP attribute to follow on objects returned by in order to enumerate // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn @@ -251,11 +238,6 @@ type SecretBackendObservation struct { // The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` - // Deprecated use password_policy. The desired length of passwords that Vault generates. - // Mutually exclusive with - // The desired length of passwords that Vault generates. - Length *float64 `json:"length,omitempty" tf:"length,omitempty"` - // Mark the secrets engine as local-only. Local engines are not replicated or removed by // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. 
@@ -276,7 +258,7 @@ type SecretBackendObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // 1.11+ + // Name of the password policy to use to generate passwords. // Name of the password policy to use to generate passwords. PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` @@ -408,11 +390,6 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Discoverdn *bool `json:"discoverdn,omitempty" tf:"discoverdn,omitempty"` - // Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - // +kubebuilder:validation:Optional - Formatter *string `json:"formatter,omitempty" tf:"formatter,omitempty"` - // LDAP attribute to follow on objects returned by in order to enumerate // user group membership. Examples: cn or memberOf, etc. Defaults to cn. // LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn @@ -442,12 +419,6 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional LastRotationTolerance *float64 `json:"lastRotationTolerance,omitempty" tf:"last_rotation_tolerance,omitempty"` - // Deprecated use password_policy. The desired length of passwords that Vault generates. - // Mutually exclusive with - // The desired length of passwords that Vault generates. - // +kubebuilder:validation:Optional - Length *float64 `json:"length,omitempty" tf:"length,omitempty"` - // Mark the secrets engine as local-only. Local engines are not replicated or removed by // replication.Tolerance duration to use when checking the last rotation time. // Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. 
@@ -472,7 +443,7 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` - // 1.11+ + // Name of the password policy to use to generate passwords. // Name of the password policy to use to generate passwords. // +kubebuilder:validation:Optional PasswordPolicy *string `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"` diff --git a/apis/auth/v1alpha1/zz_backend_types.go b/apis/auth/v1alpha1/zz_backend_types.go index 1e76eb88..5a146014 100755 --- a/apis/auth/v1alpha1/zz_backend_types.go +++ b/apis/auth/v1alpha1/zz_backend_types.go @@ -21,6 +21,9 @@ type BackendInitParameters struct { // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -53,6 +56,9 @@ type BackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -82,6 +88,10 @@ type BackendParameters struct { // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // Specifies if the auth method is local only // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
diff --git a/apis/auth/v1alpha1/zz_generated.deepcopy.go b/apis/auth/v1alpha1/zz_generated.deepcopy.go index 1eb5e9be..7902bdb3 100644 --- a/apis/auth/v1alpha1/zz_generated.deepcopy.go +++ b/apis/auth/v1alpha1/zz_generated.deepcopy.go @@ -53,6 +53,11 @@ func (in *BackendInitParameters) DeepCopyInto(out *BackendInitParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -147,6 +152,11 @@ func (in *BackendObservation) DeepCopyInto(out *BackendObservation) { *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -199,6 +209,11 @@ func (in *BackendParameters) DeepCopyInto(out *BackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) diff --git a/apis/aws/v1alpha1/zz_authbackendclient_types.go b/apis/aws/v1alpha1/zz_authbackendclient_types.go index b235fb73..7853d16f 100755 --- a/apis/aws/v1alpha1/zz_authbackendclient_types.go +++ b/apis/aws/v1alpha1/zz_authbackendclient_types.go 
@@ -36,6 +36,21 @@ type AuthBackendClientInitParameters struct { // The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. IAMServerIDHeaderValue *string `json:"iamServerIdHeaderValue,omitempty" tf:"iam_server_id_header_value,omitempty"` + // The audience claim value. Mutually exclusive with access_key. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Number of max retries the client should use for recoverable errors. + // The default -1 falls back to the AWS SDK's default behavior. + // Number of max retries the client should use for recoverable errors. + MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -43,6 +58,11 @@ type AuthBackendClientInitParameters struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + // Available only for Vault Enterprise + // Role ARN to assume for plugin identity token federation. + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // Override the URL Vault uses when making STS API // calls. // URL to override the default generated endpoint for making AWS STS API calls. 
@@ -87,6 +107,21 @@ type AuthBackendClientObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value. Mutually exclusive with access_key. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Number of max retries the client should use for recoverable errors. + // The default -1 falls back to the AWS SDK's default behavior. + // Number of max retries the client should use for recoverable errors. + MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -94,6 +129,11 @@ type AuthBackendClientObservation struct { // Target namespace. (requires Enterprise) Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + // Available only for Vault Enterprise + // Role ARN to assume for plugin identity token federation. + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // Override the URL Vault uses when making STS API // calls. // URL to override the default generated endpoint for making AWS STS API calls. 
@@ -116,7 +156,7 @@ type AuthBackendClientObservation struct { type AuthBackendClientParameters struct { // The AWS access key that Vault should use for the - // auth backend. + // auth backend. Mutually exclusive with identity_token_audience. // AWS Access key with permissions to query AWS APIs. // +kubebuilder:validation:Optional AccessKeySecretRef *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty" tf:"-"` @@ -146,6 +186,24 @@ type AuthBackendClientParameters struct { // +kubebuilder:validation:Optional IAMServerIDHeaderValue *string `json:"iamServerIdHeaderValue,omitempty" tf:"iam_server_id_header_value,omitempty"` + // The audience claim value. Mutually exclusive with access_key. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The audience claim value. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + + // Number of max retries the client should use for recoverable errors. + // The default -1 falls back to the AWS SDK's default behavior. + // Number of max retries the client should use for recoverable errors. + // +kubebuilder:validation:Optional + MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -154,6 +212,12 @@ type AuthBackendClientParameters struct { // +kubebuilder:validation:Optional Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` + // Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + // Available only for Vault Enterprise + // Role ARN to assume for plugin identity token federation. + // +kubebuilder:validation:Optional + RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"` + // The AWS secret key that Vault should use for the // auth backend. // AWS Secret key with permissions to query AWS APIs. diff --git a/apis/aws/v1alpha1/zz_generated.deepcopy.go b/apis/aws/v1alpha1/zz_generated.deepcopy.go index ff2f2558..e33923b8 100644 --- a/apis/aws/v1alpha1/zz_generated.deepcopy.go +++ b/apis/aws/v1alpha1/zz_generated.deepcopy.go @@ -283,11 +283,31 @@ func (in *AuthBackendClientInitParameters) DeepCopyInto(out *AuthBackendClientIn *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.MaxRetries != nil { + in, out := &in.MaxRetries, &out.MaxRetries + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.StsEndpoint != nil { in, out := &in.StsEndpoint, &out.StsEndpoint *out = new(string) 
@@ -375,11 +395,31 @@ func (in *AuthBackendClientObservation) DeepCopyInto(out *AuthBackendClientObser *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.MaxRetries != nil { + in, out := &in.MaxRetries, &out.MaxRetries + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.StsEndpoint != nil { in, out := &in.StsEndpoint, &out.StsEndpoint *out = new(string) @@ -435,11 +475,31 @@ func (in *AuthBackendClientParameters) DeepCopyInto(out *AuthBackendClientParame *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } + if in.MaxRetries != nil { + in, out := &in.MaxRetries, &out.MaxRetries + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) **out = **in } + if in.RoleArn != nil { + in, out := &in.RoleArn, &out.RoleArn + *out = new(string) + **out = **in + } if in.SecretKeySecretRef != nil { in, out := &in.SecretKeySecretRef, &out.SecretKeySecretRef *out = new(v1.SecretKeySelector) 
@@ -3197,6 +3257,11 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(float64) **out = **in } + if in.ExternalID != nil { + in, out := &in.ExternalID, &out.ExternalID + *out = new(string) + **out = **in + } if in.IAMGroups != nil { in, out := &in.IAMGroups, &out.IAMGroups *out = make([]*string, len(*in)) @@ -3208,6 +3273,21 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn } } } + if in.IAMTags != nil { + in, out := &in.IAMTags, &out.IAMTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.MaxStsTTL != nil { in, out := &in.MaxStsTTL, &out.MaxStsTTL *out = new(float64) @@ -3255,6 +3335,21 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn } } } + if in.SessionTags != nil { + in, out := &in.SessionTags, &out.SessionTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.UserPath != nil { in, out := &in.UserPath, &out.UserPath *out = new(string) @@ -3322,6 +3417,11 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(float64) **out = **in } + if in.ExternalID != nil { + in, out := &in.ExternalID, &out.ExternalID + *out = new(string) + **out = **in + } if in.IAMGroups != nil { in, out := &in.IAMGroups, &out.IAMGroups *out = make([]*string, len(*in)) 
@@ -3333,6 +3433,21 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } + if in.IAMTags != nil { + in, out := &in.IAMTags, &out.IAMTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) @@ -3385,6 +3500,21 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser } } } + if in.SessionTags != nil { + in, out := &in.SessionTags, &out.SessionTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.UserPath != nil { in, out := &in.UserPath, &out.UserPath *out = new(string) @@ -3420,6 +3550,11 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(float64) **out = **in } + if in.ExternalID != nil { + in, out := &in.ExternalID, &out.ExternalID + *out = new(string) + **out = **in + } if in.IAMGroups != nil { in, out := &in.IAMGroups, &out.IAMGroups *out = make([]*string, len(*in)) @@ -3431,6 +3566,21 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame } } } + if in.IAMTags != nil { + in, out := &in.IAMTags, &out.IAMTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.MaxStsTTL != nil { in, out := &in.MaxStsTTL, &out.MaxStsTTL *out = new(float64) 
@@ -3478,6 +3628,21 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame } } } + if in.SessionTags != nil { + in, out := &in.SessionTags, &out.SessionTags + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } if in.UserPath != nil { in, out := &in.UserPath, &out.UserPath *out = new(string) diff --git a/apis/aws/v1alpha1/zz_secretbackendrole_types.go b/apis/aws/v1alpha1/zz_secretbackendrole_types.go index b7172132..7ace1037 100755 --- a/apis/aws/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/aws/v1alpha1/zz_secretbackendrole_types.go @@ -34,6 +34,11 @@ type SecretBackendRoleInitParameters struct { // The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"` + // External ID to set for assume role creds. + // Valid only when credential_type is set to assumed_role. + // External ID to set for assume role creds. + ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"` + // A list of IAM group names. IAM users generated // against this vault role will be added to these IAM Groups. For a credential // type of assumed_role or federation_token, the policies sent to the 
@@ -43,6 +48,11 @@ type SecretBackendRoleInitParameters struct { // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"` + // A map of strings representing key/value pairs + // to be used as tags for any IAM user that is created by this role. + // A map of strings representing key/value pairs used as tags for any IAM user created by this role. + IAMTags map[string]*string `json:"iamTags,omitempty" tf:"iam_tags,omitempty"` + // The max allowed TTL in seconds for STS credentials // (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is // one of assumed_role or federation_token. @@ -92,6 +102,12 @@ type SecretBackendRoleInitParameters struct { // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"` + // A map of strings representing key/value pairs to be set + // during assume role creds creation. Valid only when credential_type is set to + // assumed_role. + // Session tags to be set for assume role creds created. + SessionTags map[string]*string `json:"sessionTags,omitempty" tf:"session_tags,omitempty"` + // The path for the user name. Valid only when // credential_type is iam_user. Default is /. // The path for the user name. Valid only when credential_type is iam_user. Default is / 
@@ -119,6 +135,11 @@ type SecretBackendRoleObservation struct { // The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"` + // External ID to set for assume role creds. + // Valid only when credential_type is set to assumed_role. + // External ID to set for assume role creds. + ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"` + // A list of IAM group names. IAM users generated // against this vault role will be added to these IAM Groups. For a credential // type of assumed_role or federation_token, the policies sent to the @@ -128,6 +149,11 @@ type SecretBackendRoleObservation struct { // A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"` + // A map of strings representing key/value pairs + // to be used as tags for any IAM user that is created by this role. + // A map of strings representing key/value pairs used as tags for any IAM user created by this role. + IAMTags map[string]*string `json:"iamTags,omitempty" tf:"iam_tags,omitempty"` + ID *string `json:"id,omitempty" tf:"id,omitempty"` // The max allowed TTL in seconds for STS credentials 
@@ -179,6 +205,12 @@ type SecretBackendRoleObservation struct { // ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"` + // A map of strings representing key/value pairs to be set + // during assume role creds creation. Valid only when credential_type is set to + // assumed_role. + // Session tags to be set for assume role creds created. + SessionTags map[string]*string `json:"sessionTags,omitempty" tf:"session_tags,omitempty"` + // The path for the user name. Valid only when // credential_type is iam_user. Default is /. // The path for the user name. Valid only when credential_type is iam_user. Default is / @@ -209,6 +241,12 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional DefaultStsTTL *float64 `json:"defaultStsTtl,omitempty" tf:"default_sts_ttl,omitempty"` + // External ID to set for assume role creds. + // Valid only when credential_type is set to assumed_role. + // External ID to set for assume role creds. + // +kubebuilder:validation:Optional + ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"` + // A list of IAM group names. IAM users generated // against this vault role will be added to these IAM Groups. For a credential // type of assumed_role or federation_token, the policies sent to the 
@@ -219,6 +257,12 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional IAMGroups []*string `json:"iamGroups,omitempty" tf:"iam_groups,omitempty"` + // A map of strings representing key/value pairs + // to be used as tags for any IAM user that is created by this role. + // A map of strings representing key/value pairs used as tags for any IAM user created by this role. + // +kubebuilder:validation:Optional + IAMTags map[string]*string `json:"iamTags,omitempty" tf:"iam_tags,omitempty"` + // The max allowed TTL in seconds for STS credentials // (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is // one of assumed_role or federation_token. @@ -275,6 +319,13 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"` + // A map of strings representing key/value pairs to be set + // during assume role creds creation. Valid only when credential_type is set to + // assumed_role. + // Session tags to be set for assume role creds created. + // +kubebuilder:validation:Optional + SessionTags map[string]*string `json:"sessionTags,omitempty" tf:"session_tags,omitempty"` + // The path for the user name. Valid only when // credential_type is iam_user. Default is /. // The path for the user name. Valid only when credential_type is iam_user. Default is / diff --git a/apis/azure/v1alpha1/zz_authbackendconfig_types.go b/apis/azure/v1alpha1/zz_authbackendconfig_types.go index a842f6b6..a2e35db5 100755 --- a/apis/azure/v1alpha1/zz_authbackendconfig_types.go +++ b/apis/azure/v1alpha1/zz_authbackendconfig_types.go 
@@ -26,6 +26,17 @@ type AuthBackendConfigInitParameters struct { // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value for plugin identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. + // Defaults to 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -54,6 +65,17 @@ type AuthBackendConfigObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value for plugin identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. + // Defaults to 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -94,6 +116,19 @@ type AuthBackendConfigParameters struct { // +kubebuilder:validation:Optional Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value for plugin identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The TTL of generated identity tokens in seconds. + // Defaults to 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. diff --git a/apis/azure/v1alpha1/zz_generated.deepcopy.go b/apis/azure/v1alpha1/zz_generated.deepcopy.go index 595801e2..f0323f00 100644 --- a/apis/azure/v1alpha1/zz_generated.deepcopy.go +++ b/apis/azure/v1alpha1/zz_generated.deepcopy.go @@ -54,6 +54,16 @@ func (in *AuthBackendConfigInitParameters) DeepCopyInto(out *AuthBackendConfigIn *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -126,6 +136,16 @@ func (in *AuthBackendConfigObservation) DeepCopyInto(out *AuthBackendConfigObser *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -171,6 +191,16 @@ func (in *AuthBackendConfigParameters) DeepCopyInto(out *AuthBackendConfigParame *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -987,6 +1017,21 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -1069,6 +1114,21 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -1124,6 +1184,21 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) diff --git a/apis/azure/v1alpha1/zz_secretbackend_types.go b/apis/azure/v1alpha1/zz_secretbackend_types.go index b5a3ed19..5d272eb0 100755 --- a/apis/azure/v1alpha1/zz_secretbackend_types.go +++ b/apis/azure/v1alpha1/zz_secretbackend_types.go 
@@ -27,6 +27,21 @@ type SecretBackendInitParameters struct { // The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -61,6 +76,21 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -106,6 +136,24 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Environment *string `json:"environment,omitempty" tf:"environment,omitempty"` + // The audience claim value. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The audience claim value. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + // Available only for Vault Enterprise + // The TTL of generated identity tokens in seconds. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. diff --git a/apis/cert/v1alpha1/zz_authbackendrole_types.go b/apis/cert/v1alpha1/zz_authbackendrole_types.go index e8beb98f..fcac7247 100755 --- a/apis/cert/v1alpha1/zz_authbackendrole_types.go +++ b/apis/cert/v1alpha1/zz_authbackendrole_types.go @@ -22,8 +22,6 @@ type AuthBackendRoleInitParameters struct { AllowedNames []*string `json:"allowedNames,omitempty" tf:"allowed_names,omitempty"` - AllowedOrganizationUnits []*string `json:"allowedOrganizationUnits,omitempty" tf:"allowed_organization_units,omitempty"` - AllowedOrganizationalUnits []*string `json:"allowedOrganizationalUnits,omitempty" tf:"allowed_organizational_units,omitempty"` AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` 
@@ -93,8 +91,6 @@ type AuthBackendRoleObservation struct { AllowedNames []*string `json:"allowedNames,omitempty" tf:"allowed_names,omitempty"` - AllowedOrganizationUnits []*string `json:"allowedOrganizationUnits,omitempty" tf:"allowed_organization_units,omitempty"` - AllowedOrganizationalUnits []*string `json:"allowedOrganizationalUnits,omitempty" tf:"allowed_organizational_units,omitempty"` AllowedURISans []*string `json:"allowedUriSans,omitempty" tf:"allowed_uri_sans,omitempty"` @@ -171,9 +167,6 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional AllowedNames []*string `json:"allowedNames,omitempty" tf:"allowed_names,omitempty"` - // +kubebuilder:validation:Optional - AllowedOrganizationUnits []*string `json:"allowedOrganizationUnits,omitempty" tf:"allowed_organization_units,omitempty"` - // +kubebuilder:validation:Optional AllowedOrganizationalUnits []*string `json:"allowedOrganizationalUnits,omitempty" tf:"allowed_organizational_units,omitempty"` diff --git a/apis/cert/v1alpha1/zz_generated.deepcopy.go b/apis/cert/v1alpha1/zz_generated.deepcopy.go index 31654b24..0c63c1bc 100644 --- a/apis/cert/v1alpha1/zz_generated.deepcopy.go +++ b/apis/cert/v1alpha1/zz_generated.deepcopy.go @@ -87,17 +87,6 @@ func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitPa } } } - if in.AllowedOrganizationUnits != nil { - in, out := &in.AllowedOrganizationUnits, &out.AllowedOrganizationUnits - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } if in.AllowedOrganizationalUnits != nil { in, out := &in.AllowedOrganizationalUnits, &out.AllowedOrganizationalUnits *out = make([]*string, len(*in)) 
@@ -335,17 +324,6 @@ func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservati } } } - if in.AllowedOrganizationUnits != nil { - in, out := &in.AllowedOrganizationUnits, &out.AllowedOrganizationUnits - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } if in.AllowedOrganizationalUnits != nil { in, out := &in.AllowedOrganizationalUnits, &out.AllowedOrganizationalUnits *out = make([]*string, len(*in)) @@ -556,17 +534,6 @@ func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters } } } - if in.AllowedOrganizationUnits != nil { - in, out := &in.AllowedOrganizationUnits, &out.AllowedOrganizationUnits - *out = make([]*string, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(string) - **out = **in - } - } - } if in.AllowedOrganizationalUnits != nil { in, out := &in.AllowedOrganizationalUnits, &out.AllowedOrganizationalUnits *out = make([]*string, len(*in)) diff --git a/apis/consul/v1alpha1/zz_generated.deepcopy.go b/apis/consul/v1alpha1/zz_generated.deepcopy.go index 0bb69d13..6f4ddf92 100644 --- a/apis/consul/v1alpha1/zz_generated.deepcopy.go +++ b/apis/consul/v1alpha1/zz_generated.deepcopy.go @@ -428,11 +428,6 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn *out = new(float64) **out = **in } - if in.TokenType != nil { - in, out := &in.TokenType, &out.TokenType - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleInitParameters. 
@@ -580,11 +575,6 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser *out = new(float64) **out = **in } - if in.TokenType != nil { - in, out := &in.TokenType, &out.TokenType - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleObservation. @@ -695,11 +685,6 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame *out = new(float64) **out = **in } - if in.TokenType != nil { - in, out := &in.TokenType, &out.TokenType - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendRoleParameters. diff --git a/apis/consul/v1alpha1/zz_secretbackendrole_types.go b/apis/consul/v1alpha1/zz_secretbackendrole_types.go index 13791ebe..2db15ac8 100755 --- a/apis/consul/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/consul/v1alpha1/zz_secretbackendrole_types.go @@ -78,11 +78,6 @@ type SecretBackendRoleInitParameters struct { // Specifies the TTL for this role. // Specifies the TTL for this role. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` - - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type SecretBackendRoleObservation struct { 
@@ -152,11 +147,6 @@ type SecretBackendRoleObservation struct { // Specifies the TTL for this role. // Specifies the TTL for this role. TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` - - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } type SecretBackendRoleParameters struct { @@ -237,12 +227,6 @@ type SecretBackendRoleParameters struct { // Specifies the TTL for this role. // +kubebuilder:validation:Optional TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"` - - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. - // Specifies the type of token to create when using this role. Valid values are "client" or "management". - // +kubebuilder:validation:Optional - TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` } // SecretBackendRoleSpec defines the desired state of SecretBackendRole diff --git a/apis/database/v1alpha1/zz_generated.deepcopy.go b/apis/database/v1alpha1/zz_generated.deepcopy.go index fdf9c0f4..996da84b 100644 --- a/apis/database/v1alpha1/zz_generated.deepcopy.go +++ b/apis/database/v1alpha1/zz_generated.deepcopy.go 
@@ -5741,6 +5741,17 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -5782,6 +5793,17 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -5806,6 +5828,11 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Influxdb != nil { in, out := &in.Influxdb, &out.Influxdb *out = make([]SecretsMountInfluxdbInitParameters, len(*in)) @@ -5813,6 +5840,11 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -5899,11 +5931,27 @@ func (in *SecretsMountInitParameters) DeepCopyInto(out *SecretsMountInitParamete (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.Postgresql != nil { in, out := &in.Postgresql, &out.Postgresql *out = make([]SecretsMountPostgresqlInitParameters, len(*in)) @@ -8205,6 +8253,17 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -8246,6 +8305,17 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) 
@@ -8280,6 +8350,11 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Influxdb != nil { in, out := &in.Influxdb, &out.Influxdb *out = make([]SecretsMountInfluxdbObservation, len(*in)) @@ -8287,6 +8362,11 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -8373,11 +8453,27 @@ func (in *SecretsMountObservation) DeepCopyInto(out *SecretsMountObservation) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.Postgresql != nil { in, out := &in.Postgresql, &out.Postgresql *out = make([]SecretsMountPostgresqlObservation, len(*in)) 
@@ -8770,6 +8866,17 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -8811,6 +8918,17 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -8835,6 +8953,11 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.Influxdb != nil { in, out := &in.Influxdb, &out.Influxdb *out = make([]SecretsMountInfluxdbParameters, len(*in)) @@ -8842,6 +8965,11 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -8928,11 +9056,27 @@ func (in *SecretsMountParameters) DeepCopyInto(out *SecretsMountParameters) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.Postgresql != nil { in, out := &in.Postgresql, &out.Postgresql *out = make([]SecretsMountPostgresqlParameters, len(*in)) diff --git a/apis/database/v1alpha1/zz_secretsmount_types.go b/apis/database/v1alpha1/zz_secretsmount_types.go index 6738d19b..2bff2aea 100755 --- a/apis/database/v1alpha1/zz_secretsmount_types.go +++ b/apis/database/v1alpha1/zz_secretsmount_types.go @@ -1027,6 +1027,9 @@ type SecretsMountInitParameters struct { // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` 
@@ -1049,6 +1052,9 @@ type SecretsMountInitParameters struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -1067,11 +1073,17 @@ type SecretsMountInitParameters struct { // Connection parameters for the hana-database-plugin plugin. Hana []SecretsMountHanaInitParameters `json:"hana,omitempty" tf:"hana,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // See // Connection parameters for the influxdb-database-plugin plugin. Influxdb []SecretsMountInfluxdbInitParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -1127,10 +1139,16 @@ type SecretsMountInitParameters struct { // Connection parameters for the oracle-database-plugin plugin. Oracle []SecretsMountOracleInitParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // See // Connection parameters for the postgresql-database-plugin plugin. @@ -2582,6 +2600,9 @@ type SecretsMountObservation struct { // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` 
@@ -2604,6 +2625,9 @@ type SecretsMountObservation struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -2628,11 +2652,17 @@ type SecretsMountObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // See // Connection parameters for the influxdb-database-plugin plugin. Influxdb []SecretsMountInfluxdbObservation `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -2688,10 +2718,16 @@ type SecretsMountObservation struct { // Connection parameters for the oracle-database-plugin plugin. Oracle []SecretsMountOracleObservation `json:"oracle,omitempty" tf:"oracle,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // See // Connection parameters for the postgresql-database-plugin plugin. @@ -2937,6 +2973,10 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional 
@@ -2964,6 +3004,10 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount // +kubebuilder:validation:Optional @@ -2986,12 +3030,20 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional Hana []SecretsMountHanaParameters `json:"hana,omitempty" tf:"hana,omitempty"` + // The key to use for signing plugin workload identity tokens + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A nested block containing configuration options for InfluxDB connections. // See // Connection parameters for the influxdb-database-plugin plugin. // +kubebuilder:validation:Optional Influxdb []SecretsMountInfluxdbParameters `json:"influxdb,omitempty" tf:"influxdb,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + // +kubebuilder:validation:Optional + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional 
@@ -3059,11 +3111,19 @@ type SecretsMountParameters struct { // +kubebuilder:validation:Optional Oracle []SecretsMountOracleParameters `json:"oracle,omitempty" tf:"oracle,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + // +kubebuilder:validation:Optional + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // A nested block containing configuration options for PostgreSQL connections. // See // Connection parameters for the postgresql-database-plugin plugin. diff --git a/apis/gcp/v1alpha1/zz_authbackend_types.go b/apis/gcp/v1alpha1/zz_authbackend_types.go index 45041aa6..9b97797b 100755 --- a/apis/gcp/v1alpha1/zz_authbackend_types.go +++ b/apis/gcp/v1alpha1/zz_authbackend_types.go @@ -26,6 +26,15 @@ type AuthBackendInitParameters struct { // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -38,6 +47,9 @@ type AuthBackendInitParameters struct { ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"` } @@ -60,6 +72,15 @@ type AuthBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Specifies if the auth method is local only Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -72,6 +93,9 @@ type AuthBackendObservation struct { ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"` } 
@@ -97,6 +121,18 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Specifies if the auth method is local only // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -114,6 +150,10 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` + // Service Account to impersonate for plugin workload identity federation. + // +kubebuilder:validation:Optional + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` + // +kubebuilder:validation:Optional Tune []TuneParameters `json:"tune,omitempty" tf:"tune,omitempty"` } diff --git a/apis/gcp/v1alpha1/zz_generated.deepcopy.go b/apis/gcp/v1alpha1/zz_generated.deepcopy.go index 0b0ed067..024a38e5 100644 --- a/apis/gcp/v1alpha1/zz_generated.deepcopy.go +++ b/apis/gcp/v1alpha1/zz_generated.deepcopy.go 
@@ -71,6 +71,21 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -96,6 +111,11 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } if in.Tune != nil { in, out := &in.Tune, &out.Tune *out = make([]TuneInitParameters, len(*in)) @@ -187,6 +207,21 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -212,6 +247,11 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } if in.Tune != nil { in, out := &in.Tune, &out.Tune *out = make([]TuneObservation, len(*in)) 
@@ -266,6 +306,21 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -291,6 +346,11 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } if in.Tune != nil { in, out := &in.Tune, &out.Tune *out = make([]TuneParameters, len(*in)) @@ -1206,6 +1266,21 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -1226,6 +1301,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendInitParameters. 
@@ -1273,6 +1353,11 @@ func (in *SecretBackendList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) { *out = *in + if in.Accessor != nil { + in, out := &in.Accessor, &out.Accessor + *out = new(string) + **out = **in + } if in.DefaultLeaseTTLSeconds != nil { in, out := &in.DefaultLeaseTTLSeconds, &out.DefaultLeaseTTLSeconds *out = new(float64) @@ -1293,6 +1378,21 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -1313,6 +1413,11 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendObservation. 
@@ -1348,6 +1453,21 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenAudience != nil { + in, out := &in.IdentityTokenAudience, &out.IdentityTokenAudience + *out = new(string) + **out = **in + } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.IdentityTokenTTL != nil { + in, out := &in.IdentityTokenTTL, &out.IdentityTokenTTL + *out = new(float64) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -1368,6 +1488,11 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.ServiceAccountEmail != nil { + in, out := &in.ServiceAccountEmail, &out.ServiceAccountEmail + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretBackendParameters. diff --git a/apis/gcp/v1alpha1/zz_secretbackend_types.go b/apis/gcp/v1alpha1/zz_secretbackend_types.go index 1ab20d79..b4aafef0 100755 --- a/apis/gcp/v1alpha1/zz_secretbackend_types.go +++ b/apis/gcp/v1alpha1/zz_secretbackend_types.go 
@@ -29,6 +29,23 @@ type SecretBackendInitParameters struct { // If set, opts out of mount migration on path updates. DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity + // tokens. Must match an allowed audience configured for the target Workload Identity Pool. + // Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing plugin identity + // tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. Defaults to + // 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise. + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -49,10 +66,19 @@ type SecretBackendInitParameters struct { // not begin or end with a /. Defaults to gcp. // Path to mount the backend at. Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // – Service Account to impersonate for plugin workload identity federation. + // Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` } type SecretBackendObservation struct { + // The accessor of the created GCP mount. + // Accessor of the created GCP mount. + Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"` + // The default TTL for credentials // issued by this backend. Defaults to '0'. // Default lease duration for secrets in seconds 
@@ -69,6 +95,23 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The audience claim value for plugin identity + // tokens. Must match an allowed audience configured for the target Workload Identity Pool. + // Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + // The audience claim value for plugin identity tokens. + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing plugin identity + // tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + // The key to use for signing identity tokens. + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. Defaults to + // 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise. + // The TTL of generated tokens. + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` @@ -89,6 +132,11 @@ type SecretBackendObservation struct { // not begin or end with a /. Defaults to gcp. // Path to mount the backend at. Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // – Service Account to impersonate for plugin workload identity federation. + // Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. + // Service Account to impersonate for plugin workload identity federation. + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` } type SecretBackendParameters struct { 
@@ -115,6 +163,26 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"` + // The audience claim value for plugin identity + // tokens. Must match an allowed audience configured for the target Workload Identity Pool. + // Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + // The audience claim value for plugin identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenAudience *string `json:"identityTokenAudience,omitempty" tf:"identity_token_audience,omitempty"` + + // The key to use for signing plugin identity + // tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + // The key to use for signing identity tokens. + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // The TTL of generated tokens. Defaults to + // 1 hour. Uses duration format strings. + // Requires Vault 1.17+. Available only for Vault Enterprise. + // The TTL of generated tokens. + // +kubebuilder:validation:Optional + IdentityTokenTTL *float64 `json:"identityTokenTtl,omitempty" tf:"identity_token_ttl,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional 
@@ -139,6 +207,12 @@ type SecretBackendParameters struct { // Path to mount the backend at. // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + + // – Service Account to impersonate for plugin workload identity federation. + // Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. + // Service Account to impersonate for plugin workload identity federation. + // +kubebuilder:validation:Optional + ServiceAccountEmail *string `json:"serviceAccountEmail,omitempty" tf:"service_account_email,omitempty"` } // SecretBackendSpec defines the desired state of SecretBackend diff --git a/apis/identity/v1alpha1/zz_generated.deepcopy.go b/apis/identity/v1alpha1/zz_generated.deepcopy.go index 0c816799..bdfb2034 100644 --- a/apis/identity/v1alpha1/zz_generated.deepcopy.go +++ b/apis/identity/v1alpha1/zz_generated.deepcopy.go @@ -1240,11 +1240,6 @@ func (in *GroupMemberEntityIdsObservation) DeepCopyInto(out *GroupMemberEntityId *out = new(string) **out = **in } - if in.GroupName != nil { - in, out := &in.GroupName, &out.GroupName - *out = new(string) - **out = **in - } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) diff --git a/apis/identity/v1alpha1/zz_groupmemberentityids_types.go b/apis/identity/v1alpha1/zz_groupmemberentityids_types.go index 188ae26a..a5a1979b 100755 --- a/apis/identity/v1alpha1/zz_groupmemberentityids_types.go +++ b/apis/identity/v1alpha1/zz_groupmemberentityids_types.go 
@@ -47,12 +47,6 @@ type GroupMemberEntityIdsObservation struct { // ID of the group. GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"` - // The name of the group that are assigned the member entities. - // Deprecated: The value for group_name may not always be accurate - // use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name instead. - // Name of the group. - GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"` - ID *string `json:"id,omitempty" tf:"id,omitempty"` // List of member entities that belong to the group diff --git a/apis/identity/v1alpha1/zz_oidcclient_types.go b/apis/identity/v1alpha1/zz_oidcclient_types.go index f98a314c..145ef412 100755 --- a/apis/identity/v1alpha1/zz_oidcclient_types.go +++ b/apis/identity/v1alpha1/zz_oidcclient_types.go @@ -67,6 +67,7 @@ type OidcClientObservation struct { // A list of assignment resources associated with the client. Assignments []*string `json:"assignments,omitempty" tf:"assignments,omitempty"` + // The Client ID returned by Vault. // The Client ID from Vault. ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"` diff --git a/apis/jwt/v1alpha1/zz_authbackendrole_types.go b/apis/jwt/v1alpha1/zz_authbackendrole_types.go index 3c0a682b..ed2521a5 100755 --- a/apis/jwt/v1alpha1/zz_authbackendrole_types.go +++ b/apis/jwt/v1alpha1/zz_authbackendrole_types.go 
@@ -25,9 +25,7 @@ type AuthBackendRoleInitParameters struct { // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` - // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - // Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. // List of aud claims to match against. Any match is sufficient. BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` @@ -63,9 +61,9 @@ type AuthBackendRoleInitParameters struct { DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` // The amount of leeway to add to expiration (exp) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. - // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` // The claim to use to uniquely identify 
@@ -88,7 +86,7 @@ type AuthBackendRoleInitParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of leeway to add to not before (nbf) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` @@ -191,9 +189,7 @@ type AuthBackendRoleObservation struct { // Unique name of the auth backend to configure. Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` - // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - // Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. // List of aud claims to match against. Any match is sufficient. BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` 
@@ -229,9 +225,9 @@ type AuthBackendRoleObservation struct { DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` // The amount of leeway to add to expiration (exp) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. - // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` // The claim to use to uniquely identify @@ -256,7 +252,7 @@ type AuthBackendRoleObservation struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of leeway to add to not before (nbf) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"` 
@@ -361,9 +357,7 @@ type AuthBackendRoleParameters struct { // +kubebuilder:validation:Optional Backend *string `json:"backend,omitempty" tf:"backend,omitempty"` - // (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - // or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - // Any match is sufficient. + // List of aud claims to match against. Any match is sufficient. // List of aud claims to match against. Any match is sufficient. // +kubebuilder:validation:Optional BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"` @@ -406,9 +400,9 @@ type AuthBackendRoleParameters struct { DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"` // The amount of leeway to add to expiration (exp) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. - // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + // The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. // +kubebuilder:validation:Optional ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"` 
@@ -435,7 +429,7 @@ type AuthBackendRoleParameters struct { Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"` // The amount of leeway to add to not before (nbf) claims to account for - // clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + // clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. // Only applicable with "jwt" roles. // The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. // +kubebuilder:validation:Optional diff --git a/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go b/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go index d78ed8c4..d7ad074d 100644 --- a/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go +++ b/apis/kubernetes/v1alpha1/zz_generated.deepcopy.go @@ -798,6 +798,17 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -825,6 +836,17 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) 
@@ -840,6 +862,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.KubernetesCACert != nil { in, out := &in.KubernetesCACert, &out.KubernetesCACert *out = new(string) @@ -850,6 +877,11 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame *out = new(string) **out = **in } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -880,11 +912,27 @@ func (in *SecretBackendInitParameters) DeepCopyInto(out *SecretBackendInitParame (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) @@ -953,6 +1001,17 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) 
@@ -980,6 +1039,17 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -1000,6 +1070,11 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.KubernetesCACert != nil { in, out := &in.KubernetesCACert, &out.KubernetesCACert *out = new(string) @@ -1010,6 +1085,11 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) *out = new(string) **out = **in } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -1040,11 +1120,27 @@ func (in *SecretBackendObservation) DeepCopyInto(out *SecretBackendObservation) (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) 
@@ -1076,6 +1172,17 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -1103,6 +1210,17 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -1118,6 +1236,11 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } if in.KubernetesCACert != nil { in, out := &in.KubernetesCACert, &out.KubernetesCACert *out = new(string) @@ -1128,6 +1251,11 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { *out = new(string) **out = **in } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -1158,11 +1286,27 @@ func (in *SecretBackendParameters) DeepCopyInto(out *SecretBackendParameters) { (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) @@ -1215,6 +1359,11 @@ func (in *SecretBackendRole) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleInitParameters) { *out = *in + if in.AllowedKubernetesNamespaceSelector != nil { + in, out := &in.AllowedKubernetesNamespaceSelector, &out.AllowedKubernetesNamespaceSelector + *out = new(string) + **out = **in + } if in.AllowedKubernetesNamespaces != nil { in, out := &in.AllowedKubernetesNamespaces, &out.AllowedKubernetesNamespaces *out = make([]*string, len(*in)) @@ -1353,6 +1502,11 @@ func (in *SecretBackendRoleList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObservation) { *out = *in + if in.AllowedKubernetesNamespaceSelector != nil { + in, out := &in.AllowedKubernetesNamespaceSelector, &out.AllowedKubernetesNamespaceSelector + *out = new(string) + **out = **in + } if in.AllowedKubernetesNamespaces != nil { in, out := &in.AllowedKubernetesNamespaces, &out.AllowedKubernetesNamespaces *out = make([]*string, len(*in)) 
@@ -1464,6 +1618,11 @@ func (in *SecretBackendRoleObservation) DeepCopy() *SecretBackendRoleObservation // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParameters) { *out = *in + if in.AllowedKubernetesNamespaceSelector != nil { + in, out := &in.AllowedKubernetesNamespaceSelector, &out.AllowedKubernetesNamespaceSelector + *out = new(string) + **out = **in + } if in.AllowedKubernetesNamespaces != nil { in, out := &in.AllowedKubernetesNamespaces, &out.AllowedKubernetesNamespaces *out = make([]*string, len(*in)) diff --git a/apis/kubernetes/v1alpha1/zz_secretbackend_types.go b/apis/kubernetes/v1alpha1/zz_secretbackend_types.go index 5f324a0a..fa74b1a1 100755 --- a/apis/kubernetes/v1alpha1/zz_secretbackend_types.go +++ b/apis/kubernetes/v1alpha1/zz_secretbackend_types.go @@ -18,6 +18,9 @@ type SecretBackendInitParameters struct { // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` 
@@ -27,6 +30,9 @@ type SecretBackendInitParameters struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -38,6 +44,9 @@ type SecretBackendInitParameters struct { // Enable the secrets engine to access Vault's external entropy source ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A PEM-encoded CA certificate used by the // secrets engine to verify the Kubernetes API server certificate. Defaults to the local // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where @@ -51,6 +60,9 @@ type SecretBackendInitParameters struct { // The Kubernetes API URL to connect to. KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -67,9 +79,15 @@ type SecretBackendInitParameters struct { // Specifies mount type specific options that are passed to the backend Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` } @@ -82,6 +100,9 @@ type SecretBackendObservation struct { // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` 
@@ -91,6 +112,9 @@ type SecretBackendObservation struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -104,6 +128,9 @@ type SecretBackendObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A PEM-encoded CA certificate used by the // secrets engine to verify the Kubernetes API server certificate. Defaults to the local // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where @@ -117,6 +144,9 @@ type SecretBackendObservation struct { // The Kubernetes API URL to connect to. KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -133,9 +163,15 @@ type SecretBackendObservation struct { // Specifies mount type specific options that are passed to the backend Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` } @@ -146,6 +182,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` 
@@ -158,6 +198,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // +kubebuilder:validation:Optional Description *string `json:"description,omitempty" tf:"description,omitempty"` @@ -172,6 +216,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + // A PEM-encoded CA certificate used by the // secrets engine to verify the Kubernetes API server certificate. Defaults to the local // pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where @@ -187,6 +235,10 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional KubernetesHost *string `json:"kubernetesHost,omitempty" tf:"kubernetes_host,omitempty"` + // Specifies whether to show this mount in the UI-specific listing endpoint + // +kubebuilder:validation:Optional + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -207,10 +259,18 @@ type SecretBackendParameters struct { // +kubebuilder:validation:Optional Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + // +kubebuilder:validation:Optional + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // +kubebuilder:validation:Optional SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` diff --git a/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go b/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go index 452145b4..93d29d57 100755 --- a/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/kubernetes/v1alpha1/zz_secretbackendrole_types.go 
@@ -15,9 +15,17 @@ import ( type SecretBackendRoleInitParameters struct { + // A label selector for Kubernetes namespaces + // in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + // of type LabelSelector. + // If set with allowed_kubernetes_namespace, the conditions are ORed. + // A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + AllowedKubernetesNamespaceSelector *string `json:"allowedKubernetesNamespaceSelector,omitempty" tf:"allowed_kubernetes_namespace_selector,omitempty"` + // The list of Kubernetes namespaces this role - // can generate credentials for. If set to * all namespaces are allowed. - // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + // can generate credentials for. If set to * all namespaces are allowed. If set with + // allowed_kubernetes_namespace_selector, the conditions are ORed. + // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` // The path of the Kubernetes Secrets Engine backend mount to create 
@@ -87,9 +95,17 @@ type SecretBackendRoleInitParameters struct { type SecretBackendRoleObservation struct { + // A label selector for Kubernetes namespaces + // in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + // of type LabelSelector. + // If set with allowed_kubernetes_namespace, the conditions are ORed. + // A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + AllowedKubernetesNamespaceSelector *string `json:"allowedKubernetesNamespaceSelector,omitempty" tf:"allowed_kubernetes_namespace_selector,omitempty"` + // The list of Kubernetes namespaces this role - // can generate credentials for. If set to * all namespaces are allowed. - // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + // can generate credentials for. If set to * all namespaces are allowed. If set with + // allowed_kubernetes_namespace_selector, the conditions are ORed. + // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` // The path of the Kubernetes Secrets Engine backend mount to create 
@@ -161,9 +177,18 @@ type SecretBackendRoleObservation struct { type SecretBackendRoleParameters struct { + // A label selector for Kubernetes namespaces + // in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + // of type LabelSelector. + // If set with allowed_kubernetes_namespace, the conditions are ORed. + // A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed. + // +kubebuilder:validation:Optional + AllowedKubernetesNamespaceSelector *string `json:"allowedKubernetesNamespaceSelector,omitempty" tf:"allowed_kubernetes_namespace_selector,omitempty"` + // The list of Kubernetes namespaces this role - // can generate credentials for. If set to * all namespaces are allowed. - // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + // can generate credentials for. If set to * all namespaces are allowed. If set with + // allowed_kubernetes_namespace_selector, the conditions are ORed. + // The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed. // +kubebuilder:validation:Optional AllowedKubernetesNamespaces []*string `json:"allowedKubernetesNamespaces,omitempty" tf:"allowed_kubernetes_namespaces,omitempty"` 
@@ -280,7 +305,6 @@ type SecretBackendRoleStatus struct { type SecretBackendRole struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.allowedKubernetesNamespaces) || has(self.initProvider.allowedKubernetesNamespaces)",message="allowedKubernetesNamespaces is a required parameter" // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.backend) || has(self.initProvider.backend)",message="backend is a required parameter" // +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.name) || has(self.initProvider.name)",message="name is a required parameter" Spec SecretBackendRoleSpec `json:"spec"` diff --git a/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go b/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go index 959859b4..ae1b635d 100755 --- a/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go +++ b/apis/mongodbatlas/v1alpha1/zz_secretrole_types.go 
@@ -52,11 +52,11 @@ type SecretRoleInitParameters struct { // ID for the project to which the target API Key belongs ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` - // Roles assigned when an org API key is assigned to a project API key. + // Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. // Roles assigned when an org API key is assigned to a project API key ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` - // List of roles that the API Key needs to have. + // List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. // List of roles that the API Key needs to have Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` @@ -106,11 +106,11 @@ type SecretRoleObservation struct { // ID for the project to which the target API Key belongs ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` - // Roles assigned when an org API key is assigned to a project API key. + // Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. // Roles assigned when an org API key is assigned to a project API key ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` - // List of roles that the API Key needs to have. + // List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. // List of roles that the API Key needs to have Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` 
@@ -166,12 +166,12 @@ type SecretRoleParameters struct { // +kubebuilder:validation:Optional ProjectID *string `json:"projectId,omitempty" tf:"project_id,omitempty"` - // Roles assigned when an org API key is assigned to a project API key. + // Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY. // Roles assigned when an org API key is assigned to a project API key // +kubebuilder:validation:Optional ProjectRoles []*string `json:"projectRoles,omitempty" tf:"project_roles,omitempty"` - // List of roles that the API Key needs to have. + // List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY. // List of roles that the API Key needs to have // +kubebuilder:validation:Optional Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"` diff --git a/apis/okta/v1alpha1/zz_authbackend_types.go b/apis/okta/v1alpha1/zz_authbackend_types.go index a1f777cc..15fd35c9 100755 --- a/apis/okta/v1alpha1/zz_authbackend_types.go +++ b/apis/okta/v1alpha1/zz_authbackend_types.go 
@@ -44,6 +44,33 @@ type AuthBackendInitParameters struct { // Duration after which authentication will be expired TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + User []UserInitParameters `json:"user,omitempty" tf:"user,omitempty"` } 
@@ -83,6 +110,33 @@ type AuthBackendObservation struct { // Duration after which authentication will be expired TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the blocks of IP addresses which are allowed to use the generated token + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // Generated Token's Explicit Maximum TTL in seconds + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime of the generated token + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If true, the 'default' policy will not automatically be added to generated tokens + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number of times a token may be used, a value of zero means unlimited + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // Generated Token's Period + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + + // The initial ttl of the token to generate in seconds + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token to generate, service or batch + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + User []UserObservation `json:"user,omitempty" tf:"user,omitempty"` } 
@@ -127,10 +181,46 @@ type AuthBackendParameters struct { // +kubebuilder:validation:Optional TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"` + // Specifies the blocks of IP addresses which are allowed to use the generated token + // +kubebuilder:validation:Optional + TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"` + + // Generated Token's Explicit Maximum TTL in seconds + // +kubebuilder:validation:Optional + TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"` + + // The maximum lifetime of the generated token + // +kubebuilder:validation:Optional + TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"` + + // If true, the 'default' policy will not automatically be added to generated tokens + // +kubebuilder:validation:Optional + TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"` + + // The maximum number of times a token may be used, a value of zero means unlimited + // +kubebuilder:validation:Optional + TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"` + + // Generated Token's Period + // +kubebuilder:validation:Optional + TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"` + + // Generated Token's Policies + // +kubebuilder:validation:Optional + TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"` + // The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. 
// +kubebuilder:validation:Optional TokenSecretRef *v1.SecretKeySelector `json:"tokenSecretRef,omitempty" tf:"-"` + // The initial ttl of the token to generate in seconds + // +kubebuilder:validation:Optional + TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"` + + // The type of token to generate, service or batch + // +kubebuilder:validation:Optional + TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"` + // +kubebuilder:validation:Optional User []UserParameters `json:"user,omitempty" tf:"user,omitempty"` } diff --git a/apis/okta/v1alpha1/zz_generated.deepcopy.go b/apis/okta/v1alpha1/zz_generated.deepcopy.go index bafc3955..a0a2ad7b 100644 --- a/apis/okta/v1alpha1/zz_generated.deepcopy.go +++ b/apis/okta/v1alpha1/zz_generated.deepcopy.go 
@@ -318,6 +318,63 @@ func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters *out = new(string) **out = **in } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } if in.User != nil { in, out := &in.User, &out.User *out = make([]UserInitParameters, len(*in)) 
@@ -434,6 +491,63 @@ func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation) { *out = new(string) **out = **in } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } if in.User != nil { in, out := &in.User, &out.User *out = make([]UserObservation, len(*in)) 
@@ -508,11 +622,68 @@ func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters) { *out = new(string) **out = **in } + if in.TokenBoundCidrs != nil { + in, out := &in.TokenBoundCidrs, &out.TokenBoundCidrs + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.TokenExplicitMaxTTL != nil { + in, out := &in.TokenExplicitMaxTTL, &out.TokenExplicitMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenMaxTTL != nil { + in, out := &in.TokenMaxTTL, &out.TokenMaxTTL + *out = new(float64) + **out = **in + } + if in.TokenNoDefaultPolicy != nil { + in, out := &in.TokenNoDefaultPolicy, &out.TokenNoDefaultPolicy + *out = new(bool) + **out = **in + } + if in.TokenNumUses != nil { + in, out := &in.TokenNumUses, &out.TokenNumUses + *out = new(float64) + **out = **in + } + if in.TokenPeriod != nil { + in, out := &in.TokenPeriod, &out.TokenPeriod + *out = new(float64) + **out = **in + } + if in.TokenPolicies != nil { + in, out := &in.TokenPolicies, &out.TokenPolicies + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.TokenSecretRef != nil { in, out := &in.TokenSecretRef, &out.TokenSecretRef *out = new(v1.SecretKeySelector) **out = **in } + if in.TokenTTL != nil { + in, out := &in.TokenTTL, &out.TokenTTL + *out = new(float64) + **out = **in + } + if in.TokenType != nil { + in, out := &in.TokenType, &out.TokenType + *out = new(string) + **out = **in + } if in.User != nil { in, out := &in.User, &out.User *out = make([]UserParameters, len(*in)) diff --git a/apis/pki/v1alpha1/zz_generated.deepcopy.go b/apis/pki/v1alpha1/zz_generated.deepcopy.go index a2e2b165..0c62587a 100644 --- a/apis/pki/v1alpha1/zz_generated.deepcopy.go +++ b/apis/pki/v1alpha1/zz_generated.deepcopy.go 
@@ -848,6 +848,11 @@ func (in *SecretBackendConfigUrlsInitParameters) DeepCopyInto(out *SecretBackend } } } + if in.EnableTemplating != nil { + in, out := &in.EnableTemplating, &out.EnableTemplating + *out = new(bool) + **out = **in + } if in.IssuingCertificates != nil { in, out := &in.IssuingCertificates, &out.IssuingCertificates *out = make([]*string, len(*in)) @@ -938,6 +943,11 @@ func (in *SecretBackendConfigUrlsObservation) DeepCopyInto(out *SecretBackendCon } } } + if in.EnableTemplating != nil { + in, out := &in.EnableTemplating, &out.EnableTemplating + *out = new(bool) + **out = **in + } if in.ID != nil { in, out := &in.ID, &out.ID *out = new(string) @@ -1001,6 +1011,11 @@ func (in *SecretBackendConfigUrlsParameters) DeepCopyInto(out *SecretBackendConf } } } + if in.EnableTemplating != nil { + in, out := &in.EnableTemplating, &out.EnableTemplating + *out = new(bool) + **out = **in + } if in.IssuingCertificates != nil { in, out := &in.IssuingCertificates, &out.IssuingCertificates *out = make([]*string, len(*in)) @@ -3775,11 +3790,6 @@ func (in *SecretBackendRootCertObservation) DeepCopyInto(out *SecretBackendRootC *out = new(string) **out = **in } - if in.Serial != nil { - in, out := &in.Serial, &out.Serial - *out = new(string) - **out = **in - } if in.SerialNumber != nil { in, out := &in.SerialNumber, &out.SerialNumber *out = new(string) @@ -4415,11 +4425,6 @@ func (in *SecretBackendRootSignIntermediateObservation) DeepCopyInto(out *Secret *out = new(bool) **out = **in } - if in.Serial != nil { - in, out := &in.Serial, &out.Serial - *out = new(string) - **out = **in - } if in.SerialNumber != nil { in, out := &in.SerialNumber, &out.SerialNumber *out = new(string) 
@@ -4953,11 +4958,6 @@ func (in *SecretBackendSignObservation) DeepCopyInto(out *SecretBackendSignObser *out = new(bool) **out = **in } - if in.Serial != nil { - in, out := &in.Serial, &out.Serial - *out = new(string) - **out = **in - } if in.SerialNumber != nil { in, out := &in.SerialNumber, &out.SerialNumber *out = new(string) diff --git a/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go b/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go index 352b4328..2bfa0e75 100755 --- a/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendconfigurls_types.go @@ -23,6 +23,10 @@ type SecretBackendConfigUrlsInitParameters struct { // Specifies the URL values for the CRL Distribution Points field. CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + // Specifies that templating of AIA fields is allowed. + // Specifies that templating of AIA fields is allowed. + EnableTemplating *bool `json:"enableTemplating,omitempty" tf:"enable_templating,omitempty"` + // Specifies the URL values for the Issuing Certificate field. // Specifies the URL values for the Issuing Certificate field. IssuingCertificates []*string `json:"issuingCertificates,omitempty" tf:"issuing_certificates,omitempty"` @@ -49,6 +53,10 @@ type SecretBackendConfigUrlsObservation struct { // Specifies the URL values for the CRL Distribution Points field. CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + // Specifies that templating of AIA fields is allowed. + // Specifies that templating of AIA fields is allowed. + EnableTemplating *bool `json:"enableTemplating,omitempty" tf:"enable_templating,omitempty"` + ID *string `json:"id,omitempty" tf:"id,omitempty"` // Specifies the URL values for the Issuing Certificate field. 
@@ -79,6 +87,11 @@ type SecretBackendConfigUrlsParameters struct { // +kubebuilder:validation:Optional CrlDistributionPoints []*string `json:"crlDistributionPoints,omitempty" tf:"crl_distribution_points,omitempty"` + // Specifies that templating of AIA fields is allowed. + // Specifies that templating of AIA fields is allowed. + // +kubebuilder:validation:Optional + EnableTemplating *bool `json:"enableTemplating,omitempty" tf:"enable_templating,omitempty"` + // Specifies the URL values for the Issuing Certificate field. // Specifies the URL values for the Issuing Certificate field. // +kubebuilder:validation:Optional diff --git a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go index 41447e4e..91c77865 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrootcert_types.go @@ -261,10 +261,6 @@ type SecretBackendRootCertObservation struct { // The province. Province *string `json:"province,omitempty" tf:"province,omitempty"` - // Deprecated, use serial_number instead. - // The serial number. - Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` - // The certificate's serial number, hex formatted. // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` diff --git a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go index ac51d0d9..f5d5d0e0 100755 --- a/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendrootsignintermediate_types.go 
@@ -158,9 +158,6 @@ type SecretBackendRootSignIntermediateObservation struct { // Revoke the certificate upon resource destruction. Revoke *bool `json:"revoke,omitempty" tf:"revoke,omitempty"` - // The serial number. - Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` - // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` diff --git a/apis/pki/v1alpha1/zz_secretbackendsign_types.go b/apis/pki/v1alpha1/zz_secretbackendsign_types.go index 23e388b0..20f90d2e 100755 --- a/apis/pki/v1alpha1/zz_secretbackendsign_types.go +++ b/apis/pki/v1alpha1/zz_secretbackendsign_types.go @@ -164,10 +164,6 @@ type SecretBackendSignObservation struct { // Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. RenewPending *bool `json:"renewPending,omitempty" tf:"renew_pending,omitempty"` - // Use serial_number instead. - // The serial number. - Serial *string `json:"serial,omitempty" tf:"serial,omitempty"` - // The certificate's serial number, hex formatted. // The certificate's serial number, hex formatted. SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"` diff --git a/apis/quota/v1alpha1/zz_generated.deepcopy.go b/apis/quota/v1alpha1/zz_generated.deepcopy.go index 9acce5f3..19843b9f 100644 --- a/apis/quota/v1alpha1/zz_generated.deepcopy.go +++ b/apis/quota/v1alpha1/zz_generated.deepcopy.go @@ -43,6 +43,11 @@ func (in *LeaseCount) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LeaseCountInitParameters) DeepCopyInto(out *LeaseCountInitParameters) { *out = *in + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.MaxLeases != nil { in, out := &in.MaxLeases, &out.MaxLeases *out = new(float64) 
@@ -120,6 +125,11 @@ func (in *LeaseCountObservation) DeepCopyInto(out *LeaseCountObservation) { *out = new(string) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.MaxLeases != nil { in, out := &in.MaxLeases, &out.MaxLeases *out = new(float64) @@ -160,6 +170,11 @@ func (in *LeaseCountObservation) DeepCopy() *LeaseCountObservation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LeaseCountParameters) DeepCopyInto(out *LeaseCountParameters) { *out = *in + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.MaxLeases != nil { in, out := &in.MaxLeases, &out.MaxLeases *out = new(float64) @@ -267,6 +282,11 @@ func (in *RateLimitInitParameters) DeepCopyInto(out *RateLimitInitParameters) { *out = new(float64) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.Interval != nil { in, out := &in.Interval, &out.Interval *out = new(float64) @@ -354,6 +374,11 @@ func (in *RateLimitObservation) DeepCopyInto(out *RateLimitObservation) { *out = new(string) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.Interval != nil { in, out := &in.Interval, &out.Interval *out = new(float64) @@ -404,6 +429,11 @@ func (in *RateLimitParameters) DeepCopyInto(out *RateLimitParameters) { *out = new(float64) **out = **in } + if in.Inheritable != nil { + in, out := &in.Inheritable, &out.Inheritable + *out = new(bool) + **out = **in + } if in.Interval != nil { in, out := &in.Interval, &out.Interval *out = new(float64) diff --git a/apis/quota/v1alpha1/zz_leasecount_types.go b/apis/quota/v1alpha1/zz_leasecount_types.go index f1db68b4..c50dc7be 100755 --- a/apis/quota/v1alpha1/zz_leasecount_types.go 
+++ b/apis/quota/v1alpha1/zz_leasecount_types.go @@ -15,6 +15,10 @@ import ( type LeaseCountInitParameters struct { + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The maximum number of leases to be allowed by the quota // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
@@ -48,6 +52,10 @@ type LeaseCountInitParameters struct { type LeaseCountObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The maximum number of leases to be allowed by the quota // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
@@ -80,6 +88,11 @@ type LeaseCountObservation struct { type LeaseCountParameters struct { + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + // +kubebuilder:validation:Optional + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The maximum number of leases to be allowed by the quota // rule. The max_leases must be positive. // The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. diff --git a/apis/quota/v1alpha1/zz_ratelimit_types.go b/apis/quota/v1alpha1/zz_ratelimit_types.go index b7076e11..4c52a3dc 100755 --- a/apis/quota/v1alpha1/zz_ratelimit_types.go +++ b/apis/quota/v1alpha1/zz_ratelimit_types.go 
@@ -20,6 +20,10 @@ type RateLimitInitParameters struct { // If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. BlockInterval *float64 `json:"blockInterval,omitempty" tf:"block_interval,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"` 
@@ -63,6 +67,10 @@ type RateLimitObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"` 
@@ -105,6 +113,11 @@ type RateLimitParameters struct { // +kubebuilder:validation:Optional BlockInterval *float64 `json:"blockInterval,omitempty" tf:"block_interval,omitempty"` + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. + // If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. + // +kubebuilder:validation:Optional + Inheritable *bool `json:"inheritable,omitempty" tf:"inheritable,omitempty"` + // The duration in seconds to enforce rate limiting for. // The duration in seconds to enforce rate limiting for. // +kubebuilder:validation:Optional diff --git a/apis/ssh/v1alpha1/zz_generated.deepcopy.go b/apis/ssh/v1alpha1/zz_generated.deepcopy.go index da88a3e9..5e2db81f 100644 --- a/apis/ssh/v1alpha1/zz_generated.deepcopy.go +++ b/apis/ssh/v1alpha1/zz_generated.deepcopy.go @@ -147,6 +147,16 @@ func (in *SecretBackendCAInitParameters) DeepCopyInto(out *SecretBackendCAInitPa *out = new(bool) **out = **in } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) 
@@ -219,6 +229,16 @@ func (in *SecretBackendCAObservation) DeepCopyInto(out *SecretBackendCAObservati *out = new(string) **out = **in } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -254,6 +274,16 @@ func (in *SecretBackendCAParameters) DeepCopyInto(out *SecretBackendCAParameters *out = new(bool) **out = **in } + if in.KeyBits != nil { + in, out := &in.KeyBits, &out.KeyBits + *out = new(float64) + **out = **in + } + if in.KeyType != nil { + in, out := &in.KeyType, &out.KeyType + *out = new(string) + **out = **in + } if in.Namespace != nil { in, out := &in.Namespace, &out.Namespace *out = new(string) @@ -403,21 +433,6 @@ func (in *SecretBackendRoleInitParameters) DeepCopyInto(out *SecretBackendRoleIn (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.AllowedUserKeyLengths != nil { - in, out := &in.AllowedUserKeyLengths, &out.AllowedUserKeyLengths - *out = make(map[string]*float64, len(*in)) - for key, val := range *in { - var outVal *float64 - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(float64) - **out = **in - } - (*out)[key] = outVal - } - } if in.AllowedUsers != nil { in, out := &in.AllowedUsers, &out.AllowedUsers *out = new(string) 
@@ -617,21 +632,6 @@ func (in *SecretBackendRoleObservation) DeepCopyInto(out *SecretBackendRoleObser (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.AllowedUserKeyLengths != nil { - in, out := &in.AllowedUserKeyLengths, &out.AllowedUserKeyLengths - *out = make(map[string]*float64, len(*in)) - for key, val := range *in { - var outVal *float64 - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(float64) - **out = **in - } - (*out)[key] = outVal - } - } if in.AllowedUsers != nil { in, out := &in.AllowedUsers, &out.AllowedUsers *out = new(string) @@ -804,21 +804,6 @@ func (in *SecretBackendRoleParameters) DeepCopyInto(out *SecretBackendRoleParame (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.AllowedUserKeyLengths != nil { - in, out := &in.AllowedUserKeyLengths, &out.AllowedUserKeyLengths - *out = make(map[string]*float64, len(*in)) - for key, val := range *in { - var outVal *float64 - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(float64) - **out = **in - } - (*out)[key] = outVal - } - } if in.AllowedUsers != nil { in, out := &in.AllowedUsers, &out.AllowedUsers *out = new(string) diff --git a/apis/ssh/v1alpha1/zz_generated_terraformed.go b/apis/ssh/v1alpha1/zz_generated_terraformed.go index a74c1eae..557f35a6 100755 --- a/apis/ssh/v1alpha1/zz_generated_terraformed.go +++ b/apis/ssh/v1alpha1/zz_generated_terraformed.go @@ -94,7 +94,7 @@ func (tr *SecretBackendCA) LateInitialize(attrs []byte) (bool, error) { // GetTerraformSchemaVersion returns the associated Terraform schema version func (tr *SecretBackendCA) GetTerraformSchemaVersion() int { - return 0 + return 1 } // GetTerraformResourceType returns Terraform resource type for this SecretBackendRole diff --git a/apis/ssh/v1alpha1/zz_secretbackendca_types.go b/apis/ssh/v1alpha1/zz_secretbackendca_types.go index 9336d73a..f33ba654 100755 --- a/apis/ssh/v1alpha1/zz_secretbackendca_types.go +++ b/apis/ssh/v1alpha1/zz_secretbackendca_types.go 
@@ -23,6 +23,14 @@ type SecretBackendCAInitParameters struct { // Whether Vault should generate the signing key pair internally. GenerateSigningKey *bool `json:"generateSigningKey,omitempty" tf:"generate_signing_key,omitempty"` + // Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. @@ -47,6 +55,14 @@ type SecretBackendCAObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. 
@@ -71,6 +87,16 @@ type SecretBackendCAParameters struct { // +kubebuilder:validation:Optional GenerateSigningKey *bool `json:"generateSigningKey,omitempty" tf:"generate_signing_key,omitempty"` + // Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`. + // +kubebuilder:validation:Optional + KeyBits *float64 `json:"keyBits,omitempty" tf:"key_bits,omitempty"` + + // Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. + // Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`. + // +kubebuilder:validation:Optional + KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"` + // The namespace to provision the resource in. // The value should not contain leading or trailing forward slashes. // The namespace is always relative to the provider's configured namespace. diff --git a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go index 3245b47e..2913e89a 100755 --- a/apis/ssh/v1alpha1/zz_secretbackendrole_types.go +++ b/apis/ssh/v1alpha1/zz_secretbackendrole_types.go 
@@ -108,11 +108,6 @@ type SecretBackendRoleInitParameters struct { // Set of allowed public key types and their relevant configuration AllowedUserKeyConfig []AllowedUserKeyConfigInitParameters `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` - // Specifies a map of ssh key types and their expected sizes which - // are allowed to be signed by the CA type. - // Deprecated: use allowed_user_key_config instead - AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` - // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` @@ -205,11 +200,6 @@ type SecretBackendRoleObservation struct { // Set of allowed public key types and their relevant configuration AllowedUserKeyConfig []AllowedUserKeyConfigObservation `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` - // Specifies a map of ssh key types and their expected sizes which - // are allowed to be signed by the CA type. - // Deprecated: use allowed_user_key_config instead - AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` - // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` 
@@ -315,12 +305,6 @@ type SecretBackendRoleParameters struct { // +kubebuilder:validation:Optional AllowedUserKeyConfig []AllowedUserKeyConfigParameters `json:"allowedUserKeyConfig,omitempty" tf:"allowed_user_key_config,omitempty"` - // Specifies a map of ssh key types and their expected sizes which - // are allowed to be signed by the CA type. - // Deprecated: use allowed_user_key_config instead - // +kubebuilder:validation:Optional - AllowedUserKeyLengths map[string]*float64 `json:"allowedUserKeyLengths,omitempty" tf:"allowed_user_key_lengths,omitempty"` - // Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. // +kubebuilder:validation:Optional AllowedUsers *string `json:"allowedUsers,omitempty" tf:"allowed_users,omitempty"` diff --git a/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go b/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go index 4f021105..c5b667fb 100755 --- a/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go +++ b/apis/terraform/v1alpha1/zz_cloudsecretbackend_types.go @@ -15,7 +15,8 @@ import ( type CloudSecretBackendInitParameters struct { - // 0.0.1:8500". + // The default is + // https://app.0.0.1:8500". Address *string `json:"address,omitempty" tf:"address,omitempty"` // The unique location this backend should be mounted at. Must not begin or end with a / @@ -51,7 +52,8 @@ type CloudSecretBackendInitParameters struct { type CloudSecretBackendObservation struct { - // 0.0.1:8500". + // The default is + // https://app.0.0.1:8500". Address *string `json:"address,omitempty" tf:"address,omitempty"` // The unique location this backend should be mounted at. Must not begin or end with a / @@ -89,7 +91,8 @@ type CloudSecretBackendObservation struct { type CloudSecretBackendParameters struct { - // 0.0.1:8500". + // The default is + // https://app.0.0.1:8500". // +kubebuilder:validation:Optional Address *string `json:"address,omitempty" tf:"address,omitempty"` 
diff --git a/apis/transit/v1alpha1/zz_generated.deepcopy.go b/apis/transit/v1alpha1/zz_generated.deepcopy.go index b3925ed3..96e8de02 100644 --- a/apis/transit/v1alpha1/zz_generated.deepcopy.go +++ b/apis/transit/v1alpha1/zz_generated.deepcopy.go @@ -48,11 +48,6 @@ func (in *SecretBackendKeyInitParameters) DeepCopyInto(out *SecretBackendKeyInit *out = new(bool) **out = **in } - if in.AutoRotateInterval != nil { - in, out := &in.AutoRotateInterval, &out.AutoRotateInterval - *out = new(float64) - **out = **in - } if in.AutoRotatePeriod != nil { in, out := &in.AutoRotatePeriod, &out.AutoRotatePeriod *out = new(float64) @@ -165,11 +160,6 @@ func (in *SecretBackendKeyObservation) DeepCopyInto(out *SecretBackendKeyObserva *out = new(bool) **out = **in } - if in.AutoRotateInterval != nil { - in, out := &in.AutoRotateInterval, &out.AutoRotateInterval - *out = new(float64) - **out = **in - } if in.AutoRotatePeriod != nil { in, out := &in.AutoRotatePeriod, &out.AutoRotatePeriod *out = new(float64) @@ -306,11 +296,6 @@ func (in *SecretBackendKeyParameters) DeepCopyInto(out *SecretBackendKeyParamete *out = new(bool) **out = **in } - if in.AutoRotateInterval != nil { - in, out := &in.AutoRotateInterval, &out.AutoRotateInterval - *out = new(float64) - **out = **in - } if in.AutoRotatePeriod != nil { in, out := &in.AutoRotatePeriod, &out.AutoRotatePeriod *out = new(float64) diff --git a/apis/transit/v1alpha1/zz_secretbackendkey_types.go b/apis/transit/v1alpha1/zz_secretbackendkey_types.go index d489b35b..ad1bec1d 100755 --- a/apis/transit/v1alpha1/zz_secretbackendkey_types.go +++ b/apis/transit/v1alpha1/zz_secretbackendkey_types.go 
@@ -19,10 +19,6 @@ type SecretBackendKeyInitParameters struct { // If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` - // Replaced by auto_rotate_period. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. - AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. @@ -82,10 +78,6 @@ type SecretBackendKeyObservation struct { // If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` - // Replaced by auto_rotate_period. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. - AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. 
@@ -176,11 +168,6 @@ type SecretBackendKeyParameters struct { // +kubebuilder:validation:Optional AllowPlaintextBackup *bool `json:"allowPlaintextBackup,omitempty" tf:"allow_plaintext_backup,omitempty"` - // Replaced by auto_rotate_period. - // Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. - // +kubebuilder:validation:Optional - AutoRotateInterval *float64 `json:"autoRotateInterval,omitempty" tf:"auto_rotate_interval,omitempty"` - // Amount of seconds the key should live before being automatically rotated. // A value of 0 disables automatic rotation for the key. // Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. diff --git a/apis/vault/v1alpha1/zz_generated.deepcopy.go b/apis/vault/v1alpha1/zz_generated.deepcopy.go index 91793da1..36b04c77 100644 --- a/apis/vault/v1alpha1/zz_generated.deepcopy.go +++ b/apis/vault/v1alpha1/zz_generated.deepcopy.go @@ -318,6 +318,17 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) 
@@ -345,6 +356,17 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -355,6 +377,16 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -385,11 +417,27 @@ func (in *MountInitParameters) DeepCopyInto(out *MountInitParameters) { (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) 
@@ -463,6 +511,17 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -490,6 +549,17 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) @@ -505,6 +575,16 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { *out = new(string) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) 
@@ -535,11 +615,27 @@ func (in *MountObservation) DeepCopyInto(out *MountObservation) { (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) @@ -576,6 +672,17 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { } } } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.AuditNonHMACRequestKeys != nil { in, out := &in.AuditNonHMACRequestKeys, &out.AuditNonHMACRequestKeys *out = make([]*string, len(*in)) @@ -603,6 +710,17 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { *out = new(float64) **out = **in } + if in.DelegatedAuthAccessors != nil { + in, out := &in.DelegatedAuthAccessors, &out.DelegatedAuthAccessors + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Description != nil { in, out := &in.Description, &out.Description *out = new(string) 
@@ -613,6 +731,16 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { *out = new(bool) **out = **in } + if in.IdentityTokenKey != nil { + in, out := &in.IdentityTokenKey, &out.IdentityTokenKey + *out = new(string) + **out = **in + } + if in.ListingVisibility != nil { + in, out := &in.ListingVisibility, &out.ListingVisibility + *out = new(string) + **out = **in + } if in.Local != nil { in, out := &in.Local, &out.Local *out = new(bool) @@ -643,11 +771,27 @@ func (in *MountParameters) DeepCopyInto(out *MountParameters) { (*out)[key] = outVal } } + if in.PassthroughRequestHeaders != nil { + in, out := &in.PassthroughRequestHeaders, &out.PassthroughRequestHeaders + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) **out = **in } + if in.PluginVersion != nil { + in, out := &in.PluginVersion, &out.PluginVersion + *out = new(string) + **out = **in + } if in.SealWrap != nil { in, out := &in.SealWrap, &out.SealWrap *out = new(bool) diff --git a/apis/vault/v1alpha1/zz_mount_types.go b/apis/vault/v1alpha1/zz_mount_types.go index 1b0a5cd7..8d158aeb 100755 --- a/apis/vault/v1alpha1/zz_mount_types.go +++ b/apis/vault/v1alpha1/zz_mount_types.go 
@@ -19,6 +19,11 @@ type MountInitParameters struct { // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow, allowing a plugin to include + // them in the response. + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -31,6 +36,11 @@ type MountInitParameters struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of allowed authentication mount accessors the + // backend can request delegated authentication for. + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -39,6 +49,16 @@ type MountInitParameters struct { // Enable the secrets engine to access Vault's external entropy source ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens. If + // not provided, this will default to Vault's OIDC default key. + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // Specifies whether to show this mount in the UI-specific + // listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -58,10 +78,21 @@ type MountInitParameters struct { // Specifies mount type specific options that are passed to the backend Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to + // the plugin. + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + // If unspecified, the server will select any matching unversioned plugin that may have been + // registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` 
@@ -81,6 +112,11 @@ type MountObservation struct { // List of managed key registry entry names that the mount in question is allowed to access AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow, allowing a plugin to include + // them in the response. + // List of headers to allow and pass from the request to the plugin + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"` @@ -93,6 +129,11 @@ type MountObservation struct { // Default lease duration for tokens and secrets in seconds DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of allowed authentication mount accessors the + // backend can request delegated authentication for. + // List of headers to allow and pass from the request to the plugin + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount Description *string `json:"description,omitempty" tf:"description,omitempty"` 
@@ -103,6 +144,16 @@ type MountObservation struct { ID *string `json:"id,omitempty" tf:"id,omitempty"` + // The key to use for signing plugin workload identity tokens. If + // not provided, this will default to Vault's OIDC default key. + // The key to use for signing plugin workload identity tokens + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // Specifies whether to show this mount in the UI-specific + // listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. + // Specifies whether to show this mount in the UI-specific listing endpoint + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment Local *bool `json:"local,omitempty" tf:"local,omitempty"` 
@@ -122,10 +173,21 @@ type MountObservation struct { // Specifies mount type specific options that are passed to the backend Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to + // the plugin. + // List of headers to allow and pass from the request to the plugin + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + // If unspecified, the server will select any matching unversioned plugin that may have been + // registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability SealWrap *bool `json:"sealWrap,omitempty" tf:"seal_wrap,omitempty"` 
@@ -142,6 +204,12 @@ type MountParameters struct { // +kubebuilder:validation:Optional AllowedManagedKeys []*string `json:"allowedManagedKeys,omitempty" tf:"allowed_managed_keys,omitempty"` + // List of headers to allow, allowing a plugin to include + // them in the response. + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"` + // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. // +kubebuilder:validation:Optional @@ -157,6 +225,12 @@ type MountParameters struct { // +kubebuilder:validation:Optional DefaultLeaseTTLSeconds *float64 `json:"defaultLeaseTtlSeconds,omitempty" tf:"default_lease_ttl_seconds,omitempty"` + // List of allowed authentication mount accessors the + // backend can request delegated authentication for. + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + DelegatedAuthAccessors []*string `json:"delegatedAuthAccessors,omitempty" tf:"delegated_auth_accessors,omitempty"` + // Human-friendly description of the mount // Human-friendly description of the mount // +kubebuilder:validation:Optional 
@@ -167,6 +241,18 @@ type MountParameters struct { // +kubebuilder:validation:Optional ExternalEntropyAccess *bool `json:"externalEntropyAccess,omitempty" tf:"external_entropy_access,omitempty"` + // The key to use for signing plugin workload identity tokens. If + // not provided, this will default to Vault's OIDC default key. + // The key to use for signing plugin workload identity tokens + // +kubebuilder:validation:Optional + IdentityTokenKey *string `json:"identityTokenKey,omitempty" tf:"identity_token_key,omitempty"` + + // Specifies whether to show this mount in the UI-specific + // listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. + // Specifies whether to show this mount in the UI-specific listing endpoint + // +kubebuilder:validation:Optional + ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"` + // Boolean flag that can be explicitly set to true to enforce local mount in HA environment // Local mount flag that can be explicitly set to true to enforce local mount in HA environment // +kubebuilder:validation:Optional 
@@ -190,11 +276,24 @@ type MountParameters struct { // +kubebuilder:validation:Optional Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"` + // List of headers to allow and pass from the request to + // the plugin. + // List of headers to allow and pass from the request to the plugin + // +kubebuilder:validation:Optional + PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"` + // Where the secret backend will be mounted // Where the secret backend will be mounted // +kubebuilder:validation:Optional Path *string `json:"path,omitempty" tf:"path,omitempty"` + // Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + // If unspecified, the server will select any matching unversioned plugin that may have been + // registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. + // Specifies the semantic version of the plugin to use, e.g. 'v1.0.0' + // +kubebuilder:validation:Optional + PluginVersion *string `json:"pluginVersion,omitempty" tf:"plugin_version,omitempty"` + // Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability // +kubebuilder:validation:Optional diff --git a/config/provider-metadata.yaml b/config/provider-metadata.yaml index 50f98979..3be72ac2 100644 --- a/config/provider-metadata.yaml +++ b/config/provider-metadata.yaml 
@@ -39,7 +39,6 @@ resources: postal_code: '- (Optional) The postal code' province: '- (Optional) The province' revoke: '- If set to true, the certificate will be revoked on resource destruction.' - serial: '- Use serial_number instead.' serial_number: '- The certificate''s serial number, hex formatted.' street_address: '- (Optional) The street address' ttl: '- (Optional) Time to live' @@ -88,7 +87,6 @@ resources: - (Optional) If set, opts out of mount migration on path updates. See here for more info on Mount Migration discoverdn: '- (Optional) Use anonymous bind to discover the bind Distinguished Name of a user.' - formatter: '- (Optional) Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".' groupattr: |- - (Optional) LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn. @@ -102,9 +100,6 @@ resources: last_rotation_tolerance: |- - (Optional) The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band - length: |- - - (Optional) Deprecated use password_policy. The desired length of passwords that Vault generates. - Mutually exclusive with local: |- - (Optional) Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. @@ -115,7 +110,7 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password_policy: on vault-1.11+ + password_policy: '- (Optional) Name of the password policy to use to generate passwords.' request_timeout: |- - (Optional) Timeout, in seconds, for the connection when making requests against the server before returning back an error. 
@@ -577,10 +572,7 @@ resources: allowed_dns_sans: '- (Optional array: []) Allowed alternative dns names for authenticated client certificates' allowed_email_sans: '- (Optional array: []) Allowed emails for authenticated client certificates' allowed_names: '- (Optional string) DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates' - allowed_organization_units: ', please update accordingly' - allowed_organizational_units: |- - - (Optional array: []) Allowed organization units for authenticated client certificates. - In previous provider releases this field was incorrectly named + allowed_organizational_units: '- (Optional array: []) Allowed organization units for authenticated client certificates.' allowed_uri_sans: '- (Optional array: []) Allowed URIs for authenticated client certificates' backend: '- (Optional string: "cert") Path to the mounted Cert auth backend' certificate: '- (Required string) CA certificate used to validate client certificates' 
@@ -684,6 +676,41 @@ resources: token: |- - (Optional) The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. + token_bound_cidrs: |- + - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + token_explicit_max_ttl: |- + - (Optional) If set, will encode an + explicit max TTL + onto the token in number of seconds. This is a hard cap even if token_ttl and + token_max_ttl would otherwise allow a renewal. + token_max_ttl: |- + - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_no_default_policy: |- + - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + token_num_uses: |- + - (Optional) The maximum number + of times a generated token may be used (within its lifetime); 0 means unlimited. + token_period: |- + - (Optional) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. Specified in seconds. + token_policies: |- + - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + token_ttl: |- + - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + token_type: |- + - (Optional) The type of token that should be generated. Can be service, + batch, or default to use the mount's tuned default (which unless changed will be + service tokens). 
For token store roles, there are two additional possibilities: + default-service and default-batch which specify the type to return unless the client + requests a different type at generation time. ttl: |- - (Optional) Duration after which authentication will be expired. See the documentation for info on valid duration formats. @@ -767,6 +794,18 @@ resources: name: vault_aws_auth_backend_client title: vault_aws_auth_backend_client resource examples: + - name: example + manifest: |- + { + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_ttl": "\u003cTOKEN_TTL\u003e", + "role_arn": "\u003cAWS_ROLE_ARN\u003e" + } + dependencies: + vault_auth_backend.example: |- + { + "type": "aws" + } - name: example manifest: |- { @@ -784,7 +823,7 @@ resources: argumentDocs: access_key: |- - (Optional) The AWS access key that Vault should use for the - auth backend. + auth backend. Mutually exclusive with identity_token_audience. backend: |- - (Optional) The path the AWS auth backend being configured was mounted at. Defaults to aws. 
@@ -798,11 +837,23 @@ resources: - (Optional) The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method. + identity_token_audience: |- + - (Optional) The audience claim value. Mutually exclusive with access_key. + Requires Vault 1.17+. Available only for Vault Enterprise + identity_token_ttl: |- + - (Optional) The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise + max_retries: |- + - (Optional) Number of max retries the client should use for recoverable errors. + The default -1 falls back to the AWS SDK's default behavior. namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. + role_arn: |- + - (Optional) Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. + Available only for Vault Enterprise secret_key: |- - (Optional) The AWS secret key that Vault should use for the auth backend. @@ -1397,6 +1448,9 @@ resources: and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + external_id: |- + (Optional) - External ID to set for assume role creds. + Valid only when credential_type is set to assumed_role. iam_groups: |- (Optional) - A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential 
@@ -1404,6 +1458,9 @@ resources: corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + iam_tags: |- + (Optional) - A map of strings representing key/value pairs + to be used as tags for any IAM user that is created by this role. max_sts_ttl: |- - (Optional) The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is @@ -1439,6 +1496,10 @@ resources: - (Optional) Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise. + session_tags: |- + (Optional) - A map of strings representing key/value pairs to be set + during assume role creds creation. Valid only when credential_type is set to + assumed_role. user_path: |- - (Optional) The path for the user name. Valid only when credential_type is iam_user. Default is /. @@ -1486,6 +1547,23 @@ resources: name: vault_azure_auth_backend_config title: vault_azure_auth_backend_config resource examples: + - name: example + manifest: |- + { + "backend": "${vault_auth_backend.example.path}", + "client_id": "11111111-2222-3333-4444-555555555555", + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_ttl": "\u003cTOKEN_TTL\u003e", + "tenant_id": "11111111-2222-3333-4444-555555555555" + } + references: + backend: vault_auth_backend.example.path + dependencies: + vault_auth_backend.example: |- + { + "identity_token_key": "example-key", + "type": "azure" + } - name: example manifest: |- { 
@@ -1516,6 +1594,13 @@ resources: - (Optional) The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults to AzurePublicCloud. + identity_token_audience: |- + - (Optional) The audience claim value for plugin identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + identity_token_ttl: |- + - (Optional) The TTL of generated identity tokens in seconds. + Defaults to 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. @@ -1633,6 +1718,15 @@ resources: name: vault_azure_secret_backend title: vault_azure_secret_backend resource examples: + - name: azure + manifest: |- + { + "client_id": "11111111-2222-3333-4444-333333333333", + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_ttl": "\u003cTOKEN_TTL\u003e", + "subscription_id": "11111111-2222-3333-4444-111111111111", + "tenant_id": "11111111-2222-3333-4444-222222222222" + } - name: azure manifest: |- { @@ -1660,6 +1754,15 @@ resources: - (Optional) If set, opts out of mount migration on path updates. See here for more info on Mount Migration environment: (string:"") - The Azure environment. + identity_token_audience: |- + - (Optional) The audience claim value. Requires Vault 1.17+. + Available only for Vault Enterprise + identity_token_key: |- + - (Optional) The key to use for signing identity tokens. Requires Vault 1.17+. + Available only for Vault Enterprise + identity_token_ttl: |- + - (Optional) The TTL of generated identity tokens in seconds. Requires Vault 1.17+. + Available only for Vault Enterprise namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
@@ -1754,6 +1857,42 @@ resources: – (Optional) Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. importStatements: [] + vault_config_ui_custom_message: + subCategory: "" + description: Manages a UI custom message in Vault. + name: vault_config_ui_custom_message + title: vault_config_ui_custom_message resource + examples: + - name: maintenance + manifest: |- + { + "authenticated": true, + "end_time": "2024-02-01T05:00:00.000Z", + "message": "${base64encode(\"Vault will be offline for planned maintenance on February 1st, 2024 from 05:00Z to 08:00Z\")}", + "start_time": "2024-01-01T00:00:00.000Z", + "title": "Upcoming maintenance", + "type": "banner" + } + argumentDocs: + authenticated: |- + - (Optional) The value true if the custom message is displayed after logins are completed or false if they are + displayed during the login in the Vault UI. The default value is true. + end_time: '- (Optional) The time when the custom message expires. If this value is not specified, the custom message never expires.' + href: '- (Required) The URL set in the hyperlink''s href attribute.' + link: '- (Optional) A hyperlink to be included with the message. See below for more details.' + message: '- (Required) The base64-encoded content of the custom message.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + options: '- (Optional) A map of additional options that can be set on the custom message.' + start_time: |- + - (Required) The time when the custom message begins to be active. This value can be set to a future time, but cannot + occur on or after the end_time value. + title: '- (Required) The title of the custom message to create.' 
+ type: '- (Optional) The presentation type of the custom message. Must be one of the following values: banner or modal.' + importStatements: [] vault_consul_secret_backend: subCategory: "" description: Creates a Consul secret backend for Vault. @@ -1863,9 +2002,6 @@ resources: service_identities: |- - (Optional)SEE NOTE Set of Consul service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. - token_type: |- - - (Optional) Specifies the type of token to create when using this role. Valid values are "client" or "management". - Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. ttl: '- (Optional) Specifies the TTL for this role.' importStatements: [] vault_database_secret_backend_connection: @@ -2495,12 +2631,21 @@ resources: name: vault_gcp_secret_backend title: vault_gcp_secret_backend resource examples: + - name: gcp + manifest: |- + { + "identity_token_audience": "\u003cTOKEN_AUDIENCE\u003e", + "identity_token_key": "example-key", + "identity_token_ttl": 1800, + "service_account_email": "\u003cSERVICE_ACCOUNT_EMAIL\u003e" + } - name: gcp manifest: |- { "credentials": "${file(\"credentials.json\")}" } argumentDocs: + accessor: '- The accessor of the created GCP mount.' credentials: '- (Optional) The GCP service account credentials in JSON format.' default_lease_ttl_seconds: |- - (Optional) The default TTL for credentials 
@@ -2509,6 +2654,17 @@ resources: disable_remount: |- - (Optional) If set, opts out of mount migration on path updates. See here for more info on Mount Migration + identity_token_audience: |- + - (Optional) The audience claim value for plugin identity + tokens. Must match an allowed audience configured for the target Workload Identity Pool. + Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise. + identity_token_key: |- + - (Optional) The key to use for signing plugin identity + tokens. Requires Vault 1.17+. Available only for Vault Enterprise. + identity_token_ttl: |- + - (Optional) The TTL of generated tokens. Defaults to + 1 hour. Uses duration format strings. + Requires Vault 1.17+. Available only for Vault Enterprise. local: '- (Optional) Boolean flag that can be explicitly set to true to enforce local mount in HA environment' max_lease_ttl_seconds: |- - (Optional) The maximum TTL that can be requested @@ -2521,6 +2677,9 @@ resources: path: |- - (Optional) The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp. + service_account_email: |- + – (Optional) Service Account to impersonate for plugin workload identity federation. + Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise. importStatements: [] vault_gcp_secret_impersonated_account: subCategory: "" 
@@ -3340,10 +3499,6 @@ resources: exclusive: '- (Optional) Defaults to true.' "false": ', this resource will simply ensure that the member entities specified in the resource are present in the group. When destroying the resource, the resource will ensure that the member entities specified in the resource are removed.' group_id: '- (Required) Group ID to assign member entities to.' - group_name: |- - - The name of the group that are assigned the member entities. - Deprecated: The value for group_name may not always be accurate - use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name instead. member_entity_ids: '- (Required) List of member entities that belong to the group' namespace: |- - (Optional) The namespace to provision the resource in. @@ -3761,6 +3916,10 @@ resources: argumentDocs: access_token_ttl: '- (Optional) The time-to-live for access tokens obtained by the client.' assignments: '- (Optional) A list of assignment resources associated with the client.' + client_id: '- The Client ID returned by Vault.' + client_secret: |- + - The Client Secret Key returned by Vault. + For public OpenID Clients client_secret is set to an empty string "" client_type: |- - (Optional) The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: confidential, public. Defaults to confidential. 
@@ -4186,9 +4345,8 @@ resources: - (Optional) The unique name of the auth backend to configure. Defaults to jwt. bound_audiences: |- - - (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims - or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. + - (Required for roles of type jwt, optional for roles of + type oidc) List of aud claims to match against. Any match is sufficient. bound_claims: |- - (Optional) If set, a map of claims to values to match against. A claim's value must be a string, which may contain one value or multiple @@ -4209,7 +4367,7 @@ resources: Only applicable with "jwt" roles. expiration_leeway: |- - (Optional) The amount of leeway to add to expiration (exp) claims to account for - clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. groups_claim: |- - (Optional) The claim to use to uniquely identify @@ -4226,7 +4384,7 @@ resources: Available only for Vault Enterprise. not_before_leeway: |- - (Optional) The amount of leeway to add to not before (nbf) claims to account for - clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. + clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. oidc_scopes: |- - (Optional) If set, a list of OIDC scopes to be used with an OIDC role. 
@@ -4683,9 +4841,15 @@ resources: "service_account_jwt": "${file(\"/path/to/token\")}" } argumentDocs: + allowed_kubernetes_namespace_selector: |- + - (Optional) A label selector for Kubernetes namespaces + in which credentials can be generated. Accepts either a JSON or YAML object. The value should be + of type LabelSelector. + If set with allowed_kubernetes_namespace, the conditions are ORed. allowed_kubernetes_namespaces: |- - - (Required) The list of Kubernetes namespaces this role - can generate credentials for. If set to * all namespaces are allowed. + - (Optional) The list of Kubernetes namespaces this role + can generate credentials for. If set to * all namespaces are allowed. If set with + allowed_kubernetes_namespace_selector, the conditions are ORed. backend: |- - (Required) The path of the Kubernetes Secrets Engine backend mount to create the role in. @@ -4913,9 +5077,6 @@ resources: insecure_tls: |- - (Optional) Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false. - length: |- - - (Optional) Deprecated use password_policy. The desired length of passwords that Vault generates. - Mutually exclusive with local: |- - (Optional) Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. @@ -4925,7 +5086,7 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password_policy: on vault-1.11+ + password_policy: '- (Optional) Name of the password policy to use to generate passwords.' path: |- - (Optional) The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap. 
@@ -4933,6 +5094,9 @@ resources: - (Optional) Timeout, in seconds, for the connection when making requests against the server before returning back an error. schema: '- (Optional) The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.' + skip_static_role_import_rotation: |- + - (Optional) If set to true, static roles will not be rotated during import. + Defaults to false. Requires Vault 1.16 or above. starttls: '- (Optional) Issue a StartTLS command after establishing unencrypted connection.' upndomain: '- (Optional) Enables userPrincipalDomain login with [username]@UPNDomain.' url: |- @@ -5103,6 +5267,9 @@ resources: Available only for Vault Enterprise. role_name: '- (Required) Name of the role.' rotation_period: '- (Required) How often Vault should rotate the password of the user entry.' + skip_import_rotation: |- + - (Optional) Causes vault to skip the initial secret rotation on import. Not applicable to updates. + Requires Vault 1.16 or above. username: '- (Required) The username of the existing LDAP entry to manage password rotation for.' importStatements: [] vault_managed_keys: @@ -5385,10 +5552,12 @@ resources: - name: config manifest: |- { - "mount": "vault_mount.mongo.path", + "mount": "${vault_mount.mongo.path}", "private_key": "privateKey", "public_key": "publicKey" } + references: + mount: vault_mount.mongo.path dependencies: vault_mount.mongo: |- { @@ -5422,8 +5591,12 @@ resources: "name": "tf-test-role", "organization_id": "7cf5a45a9ccf6400e60981b7", "project_id": "5cf5a45a9ccf6400e60981b6", - "project_roles": "GROUP_READ_ONLY", - "roles": "ORG_READ_ONLY", + "project_roles": [ + "GROUP_READ_ONLY" + ], + "roles": [ + "ORG_READ_ONLY" + ], "ttl": "60" } references: @@ -5431,7 +5604,7 @@ resources: dependencies: vault_mongodbatlas_secret_backend.config: |- { - "mount": "vault_mount.mongo.path", + "mount": "${vault_mount.mongo.path}", "private_key": "privateKey", "public_key": "publicKey" } 
@@ -5458,8 +5631,8 @@ resources: project_id: |- - (Optional) Unique identifier for the project to which the target API Key belongs. Required if organization_id is not set. - project_roles: '- (Optional) Roles assigned when an org API key is assigned to a project API key.' - roles: '- (Required) List of roles that the API Key needs to have.' + project_roles: '- (Optional) Roles assigned when an org API key is assigned to a project API key. Possible values are GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER and GROUP_READ_ONLY.' + roles: '- (Required) List of roles that the API Key needs to have. Possible values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN and ORG_READ_ONLY.' ttl: '- (Optional) Duration in seconds after which the issued credential should expire.' importStatements: [] vault_mount: 
@@ -5508,11 +5681,23 @@ resources: argumentDocs: accessor: '- The accessor for this mount.' allowed_managed_keys: '- (Optional) Set of managed key registry entry names that the mount in question is allowed to access' + allowed_response_headers: |- + - (Optional) List of headers to allow, allowing a plugin to include + them in the response. audit_non_hmac_request_keys: '- (Optional) Specifies the list of keys that will not be HMAC''d by audit devices in the request data object.' audit_non_hmac_response_keys: '- (Optional) Specifies the list of keys that will not be HMAC''d by audit devices in the response data object.' default_lease_ttl_seconds: '- (Optional) Default lease duration for tokens and secrets in seconds' + delegated_auth_accessors: |- + - (Optional) List of allowed authentication mount accessors the + backend can request delegated authentication for. description: '- (Optional) Human-friendly description of the mount' external_entropy_access: '- (Optional) Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault''s external entropy source' + identity_token_key: |- + - (Optional) The key to use for signing plugin workload identity tokens. If + not provided, this will default to Vault's OIDC default key. + listing_visibility: |- + - (Optional) Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not set, behaves like hidden. local: '- (Optional) Boolean flag that can be explicitly set to true to enforce local mount in HA environment' max_lease_ttl_seconds: '- (Optional) Maximum possible lease duration for tokens and secrets in seconds' namespace: |- 
@@ -5521,7 +5706,14 @@ resources: The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. options: '- (Optional) Specifies mount type specific options that are passed to the backend' + passthrough_request_headers: |- + - (Optional) List of headers to allow and pass from the request to + the plugin. path: '- (Required) Where the secret backend will be mounted' + plugin_version: |- + - (Optional) Specifies the semantic version of the plugin to use, e.g. "v1.0.0". + If unspecified, the server will select any matching unversioned plugin that may have been + registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence. seal_wrap: '- (Optional) Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal''s encryption capability' type: '- (Required) Type of the backend, such as "aws"' importStatements: [] 
@@ -5807,6 +5999,137 @@ resources: Available only for Vault Enterprise. pem_bundle: '- (Required) The key and certificate PEM bundle' importStatements: [] + vault_pki_secret_backend_config_cluster: + subCategory: "" + description: Sets the cluster configuration on an PKI Secret Backend for Vault. + name: vault_pki_secret_backend_config_cluster + title: vault_pki_secret_backend_config_cluster resource + examples: + - name: example + manifest: |- + { + "aia_path": "http://127.0.0.1:8200/v1/pki-root", + "backend": "${vault_mount.root.path}", + "path": "http://127.0.0.1:8200/v1/pki-root" + } + references: + backend: vault_mount.root.path + dependencies: + vault_mount.root: |- + { + "default_lease_ttl_seconds": 8640000, + "description": "root PKI", + "max_lease_ttl_seconds": 8640000, + "path": "pki-root", + "type": "pki" + } + argumentDocs: + aia_path: '- (Required) Specifies the path to this performance replication cluster''s AIA distribution point.' + backend: '- (Required) The path the PKI secret backend is mounted at, with no leading or trailing /s.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + path: '- (Required) Specifies the path to this performance replication cluster''s API mount path.' + importStatements: [] + vault_pki_secret_backend_config_est: + subCategory: "" + description: Sets the EST configuration on a PKI Secret Backend for Vault. 
+ name: vault_pki_secret_backend_config_est + title: vault_pki_secret_backend_config_est resource + examples: + - name: example + manifest: |- + { + "audit_fields": [ + "csr", + "common_name", + "alt_names", + "ip_sans", + "uri_sans", + "other_sans", + "signature_bits", + "exclude_cn_from_sans", + "ou", + "organization", + "country", + "locality", + "province", + "street_address", + "postal_code", + "serial_number", + "use_pss", + "key_type", + "key_bits", + "add_basic_constraints" + ], + "authenticators": [ + { + "cert": { + "accessor": "test", + "cert_role": "cert-auth-role" + }, + "userpass": { + "accessor": "test2" + } + } + ], + "backend": "${vault_mount.pki.path}", + "default_mount": true, + "default_path_policy": "${format(\"role:%s\", vault_pki_secret_backend_role.est_role.name)}", + "enable_sentinel_parsing": true, + "enabled": true, + "label_to_path_policy": { + "test-label": "sign-verbatim", + "test-label-2": "${format(\"role:%s\", vault_pki_secret_backend_role.est_role_2.name)}" + } + } + references: + backend: vault_mount.pki.path + dependencies: + vault_mount.pki: |- + { + "description": "PKI secret engine mount", + "path": "pki-root", + "type": "pki" + } + vault_pki_secret_backend_role.est_role: |- + { + "backend": "${vault_mount.pki.path}", + "key_bits": "256", + "key_type": "ec", + "name": "est-role", + "ttl": 3600 + } + vault_pki_secret_backend_role.est_role_2: |- + { + "backend": "${vault_mount.pki.path}", + "key_bits": "256", + "key_type": "ec", + "name": "est-role-2", + "ttl": 3600 + } + argumentDocs: + audit_fields: '- (Optional) Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.' + authenticators: '- (Optional) Lists the mount accessors EST should delegate authentication requests towards (see below for nested schema).' + backend: |- + - (Required) The path to the PKI secret backend to + read the EST configuration from, with no leading or trailing /s. 
+ cert: '- "The accessor (required) and cert_role (optional) properties for cert auth backends".' + default_mount: '- (Optional) If set, this mount will register the default .well-known/est URL path. Only a single mount can enable this across a Vault cluster.' + default_path_policy: '- (Optional) Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:.' + enable_sentinel_parsing: '- (Optional) If set, parse out fields from the provided CSR making them available for Sentinel policies.' + enabled: '- (Optional) Specifies whether EST is enabled.' + label_to_path_policy: '- (Optional) Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:. Labels must be unique across Vault cluster, and will register .well-known/est/ URL paths.' + last_updated: '- A read-only timestamp representing the last time the configuration was updated.' + namespace: |- + - (Optional) The namespace of the target resource. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + Available only for Vault Enterprise. + userpass: '- "The accessor (required) property for user pass auth backends".' + importStatements: [] vault_pki_secret_backend_config_issuers: subCategory: "" description: Allows setting the value of the default issuer. 
@@ -5889,6 +6212,7 @@ resources: argumentDocs: backend: '- (Required) The path the PKI secret backend is mounted at, with no leading or trailing /s.' crl_distribution_points: '- (Optional) Specifies the URL values for the CRL Distribution Points field.' + enable_templating: '- (Optional) Specifies that templating of AIA fields is allowed.' issuing_certificates: '- (Optional) Specifies the URL values for the Issuing Certificate field.' namespace: |- - (Optional) The namespace to provision the resource in. @@ -6405,7 +6729,6 @@ resources: postal_code: '- (Optional) The postal code' private_key_format: '- (Optional) The private key format' province: '- (Optional) The province' - serial: '- Deprecated, use serial_number instead.' serial_number: '- The certificate''s serial number, hex formatted.' street_address: '- (Optional) The street address' ttl: '- (Optional) Time to live' 
@@ -6461,11 +6784,85 @@ resources: Available only for Vault Enterprise. other_sans: '- (Optional) List of other SANs' renew_pending: '- true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending.' - serial: '- Use serial_number instead.' serial_number: '- The certificate''s serial number, hex formatted.' ttl: '- (Optional) Time to live' uri_sans: '- (Optional) List of alternative URIs' importStatements: [] + vault_plugin: + subCategory: "" + description: Manage external plugins registered in the plugin catalog. + name: vault_plugin + title: vault_plugin resource + examples: + - name: jwt + manifest: |- + { + "command": "vault-plugin-auth-jwt", + "env": [ + "HTTP_PROXY=http://proxy.example.com:8080" + ], + "name": "jwt", + "sha256": "6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc", + "type": "auth", + "version": "v0.17.0" + } + dependencies: + vault_auth_backend.jwt_auth: |- + { + "type": "${vault_plugin.jwt.name}" + } + argumentDocs: + args: '- (Optional) List of additional args to pass to the plugin.' + command: '- (Required) Command to execute the plugin, relative to the server''s configured plugin_directory.' + env: '- (Optional) List of additional environment variables to run the plugin with in KEY=VALUE form.' + name: '- (Required) Name of the plugin.' + oci_image: |- + - (Optional) Specifies OCI image to run. If specified, setting + command, args, and env will update the container's entrypoint, args, and + environment variables (append-only) respectively. + runtime: '- (Optional) Vault plugin runtime to use if oci_image is specified.' + sha256: '- (Required) SHA256 sum of the plugin binary.' + type: '- (Required) Type of plugin; one of "auth", "secret", or "database".' + version: '- (Optional) Semantic version of the plugin.' 
+ importStatements: [] + vault_plugin_pinned_version: + subCategory: "" + description: Manage pinned plugin version registered in the plugin catalog. + name: vault_plugin_pinned_version + title: vault_plugin_pinned_version resource + examples: + - name: jwt_pin + manifest: |- + { + "name": "${vault_plugin.jwt.name}", + "type": "${vault_plugin.jwt.type}", + "version": "${vault_plugin.jwt.version}" + } + references: + name: vault_plugin.jwt.name + type: vault_plugin.jwt.type + version: vault_plugin.jwt.version + dependencies: + vault_auth_backend.jwt_auth: |- + { + "type": "${vault_plugin_pinned_version.jwt_pin.name}" + } + vault_plugin.jwt: |- + { + "command": "vault-plugin-auth-jwt", + "env": [ + "HTTP_PROXY=http://proxy.example.com:8080" + ], + "name": "jwt", + "sha256": "6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc", + "type": "auth", + "version": "v0.17.0" + } + argumentDocs: + name: '- (Required) Name of the plugin.' + type: '- (Required) Type of plugin; one of "auth", "secret", or "database".' + version: '- (Required) Semantic version of the plugin to pin.' + importStatements: [] vault_policy: subCategory: "" description: Writes arbitrary policies for Vault @@ -6501,6 +6898,7 @@ resources: "path": "" } argumentDocs: + inheritable: '- (Optional) If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.' max_leases: |- - (Required) The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
@@ -6536,6 +6934,7 @@ resources: block_interval: |- - (Optional) If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + inheritable: '- (Optional) If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.' interval: '- (Optional) The duration in seconds to enforce rate limiting for.' name: '- (Required) Name of the rate limit quota' namespace: |- @@ -7029,9 +7428,16 @@ resources: The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. secret_name: '- (Required) Specifies the name of the secret to synchronize.' - sync_status: '- Specifies the status of the association (for eg. SYNCED).' + subkeys: '- A list of subkeys for the associated secret.' + sync_status: |- + - A map of sync statuses for each subkey of the associated secret + (for ex. {kv_624bea/aws-token/dev: "SYNCED", kv_624bea/aws-token/prod: "SYNCED"}). type: '- (Required) Specifies the destination type.' - updated_at: '- Duration string specifying when the secret was last updated.' + updated_at: |- + - A map of duration strings specifying when each subkey of the associated + secret was last updated. + (for ex. + {kv_624bea/aws-token/dev: "2024-03-21T12:42:02.558533-07:00", kv_624bea/aws-token/prod: "2024-03-21T12:42:02.558533-07:00"}). importStatements: [] vault_secrets_sync_aws_destination: subCategory: "" 
@@ -7046,8 +7452,10 @@ resources: "custom_tags": { "foo": "bar" }, + "external_id": "external-id", "name": "aws-dest", "region": "us-east-1", + "role_arn": "role-arn", "secret_access_key": "${var.secret_access_key}", "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" } @@ -7060,6 +7468,15 @@ resources: Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable. custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + external_id: |- + - (Optional) Optional extra protection that must match the trust policy granting access to the + AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. + The field is mutable with no special condition, but users must be careful that the new value fits with the trust + relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access + denied errors. Ignored if the role_arn field is empty. + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. name: '- (Required) Unique name of the AWS destination.' namespace: |- - (Optional) The namespace to provision the resource in. 
@@ -7069,6 +7486,12 @@ resources: - (Optional) Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable. + role_arn: |- + - (Optional) Specifies a role to assume when connecting to AWS. When assuming a role, + Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must + exist for Vault to be able to assume this role. The role can be in a different account. + The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. + It is possible to provide both an access key pair and a role to assume. secret_access_key: |- - (Optional) Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment @@ -7113,6 +7536,9 @@ resources: variable. cloud: '- (Optional) Specifies a cloud for the client. The default is Azure Public Cloud.' custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. key_vault_uri: |- - (Optional) URI of an existing Azure Key Vault instance. Can be omitted and directly provided to Vault using the KEY_VAULT_URI environment @@ -7165,6 +7591,7 @@ resources: "foo": "bar" }, "name": "gcp-dest", + "project_id": "gcp-project-id", "secret_name_template": "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}" } argumentDocs: 
@@ -7173,11 +7600,19 @@ resources: Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable. custom_tags: '- (Optional) Custom tags to set on the secret managed at the destination.' + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. name: '- (Required) Unique name of the GCP destination.' namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. + project_id: |- + - (Optional) The target project to manage secrets in. If set, + overrides the project ID derived from the service account JSON credentials or application + default credentials. The service account must be authorized + to perform Secret Manager actions in the target project. secret_name_template: |- - (Optional) Template describing how to generate external secret names. Supports a subset of the Go Template syntax. 
@@ -7206,6 +7641,16 @@ resources: - (Optional) Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable. + app_name: |- + - (Optional) The user-defined name of the GitHub App configuration. This is a reference to the name used + on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. + Takes precedence over the access_token field. + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. + installation_id: |- + -(Optional) The ID of the installation generated by GitHub when the app referenced by the app_name + was installed in the user’s GitHub account. Can be modified. Necessary if the app_name field is also provided. name: '- (Required) Unique name of the GitHub destination.' namespace: |- - (Optional) The namespace to provision the resource in. 
@@ -7224,6 +7669,30 @@ resources: Supports a subset of the Go Template syntax. type: '- The type of the secrets destination (gh).' importStatements: [] + vault_secrets_sync_github_apps: + subCategory: "" + description: Creates a GitHub App to synchronize secrets in Vault + name: vault_secrets_sync_github_apps + title: vault_secrets_sync_github_apps resource + examples: + - name: github-apps + manifest: |- + { + "app_id": "${var.app_id}", + "name": "gh-apps", + "private_key": "${file(var.privatekey_file)}" + } + references: + app_id: var.app_id + argumentDocs: + app_id: '- (Required) The GitHub application ID.' + name: '- (Required) The user-defined name of the GitHub App configuration.' + namespace: |- + - (Optional) The namespace to provision the resource in. + The value should not contain leading or trailing forward slashes. + The namespace is always relative to the provider's configured namespace. + private_key: '- (Required) The content of a PEM formatted private key generated on GitHub for the app.' + importStatements: [] vault_secrets_sync_vercel_destination: subCategory: "" description: Creates a GitHub destination to synchronize secrets in Vault @@ -7253,6 +7722,9 @@ resources: deployment_environments: |- - (Required) Deployment environments where the environment variables are available. Accepts development, preview and production. + granularity: |- + - (Optional) Determines what level of information is synced as a distinct resource + at the destination. Supports secret-path and secret-key. name: '- (Required) Unique name of the GitHub destination.' namespace: |- - (Optional) The namespace to provision the resource in. 
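Review bot: The new `vault_secrets_sync_github_apps` entry takes `private_key` as the content of a PEM private key, and nothing in this hunk shows whether the generated managed resource accepts it inline or through a Secret reference. Before merging, confirm that the updated `config/schema.json` marks `private_key` as `"sensitive": true`, so that the generated type exposes a secret reference (upjet normally names it `privateKeySecretRef`) rather than a plain spec field that stays readable on the object. The generated types for this resource are not visible here, so this is a check to run rather than a confirmed defect.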
@@ -7286,6 +7758,8 @@ resources: argumentDocs: backend: '- (Optional) The path where the SSH secret backend is mounted. Defaults to ''ssh''' generate_signing_key: '- (Optional) Whether Vault should generate the signing key pair internally. Defaults to true' + key_bits: '- (Optional) Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true.' + key_type: '- (Optional) Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true.' namespace: |- - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. @@ -7349,10 +7823,6 @@ resources: - (Optional) Set of configuration blocks to define allowed user key configuration, like key type and their lengths. Can be specified multiple times. See - allowed_user_key_lengths: |- - - (Optional) Specifies a map of ssh key types and their expected sizes which - are allowed to be signed by the CA type. - Deprecated: use allowed_user_key_config instead allowed_users: '- (Optional) Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.' allowed_users_template: '- (Optional) Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.' backend: '- (Required) The path where the SSH secret backend is mounted.' 
@@ -7399,6 +7869,10 @@ resources: "token": "V0idfhi2iksSDU234ucdbi2nidsi..." } argumentDocs: + address: |- + - (Optional) The address of the Terraform Cloud server, if using + Terraform Enterprise, provided as "protocol://host:port". The default is + https://app.terraform.io for Terraform Cloud. backend: '- (Optional) The unique location this backend should be mounted at. Must not begin or end with a /. Defaults to terraform.' default_lease_ttl_seconds: '- (Optional) The default TTL for credentials issued by this backend.' description: '- (Optional) A human-friendly description for this backend.' @@ -7812,7 +8286,6 @@ resources: argumentDocs: aes128-gcm96: ', aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key''s metadata.' allow_plaintext_backup: '- (Optional) Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.' - auto_rotate_interval: '- Replaced by auto_rotate_period.' auto_rotate_period: |- - (Optional) Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. diff --git a/config/schema.json b/config/schema.json index 23b07562..b1cb8b6a 100644 --- a/config/schema.json +++ b/config/schema.json 
@@ -1 +1 @@ -{"format_version":"1.0","provider_schemas":{"registry.terraform.io/hashicorp/vault":{"provider":{"version":0,"block":{"attributes":{"add_address_to_env":{"type":"string","description":"If true, adds the value of the `address` argument to the Terraform process environment.","description_kind":"plain","optional":true},"address":{"type":"string","description":"URL of the root of the target Vault server.","description_kind":"plain","required":true},"ca_cert_dir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate.","description_kind":"plain","optional":true},"ca_cert_file":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum TTL for secret leases requested by this provider.","description_kind":"plain","optional":true},"max_retries":{"type":"number","description":"Maximum number of retries when a 5xx error code is encountered.","description_kind":"plain","optional":true},"max_retries_ccc":{"type":"number","description":"Maximum number of retries for Client Controlled Consistency related operations","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The namespace to use. 
Available only for Vault Enterprise.","description_kind":"plain","optional":true},"set_namespace_from_token":{"type":"bool","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources.","description_kind":"plain","optional":true},"skip_child_token":{"type":"bool","description":"Set this to true to prevent the creation of ephemeral child token used by this provider.","description_kind":"plain","optional":true},"skip_get_vault_version":{"type":"bool","description":"Skip the dynamic fetching of the Vault server version.","description_kind":"plain","optional":true},"skip_tls_verify":{"type":"bool","description":"Set this to true only if the target Vault server is an insecure development instance.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"Name to use as the SNI host when connecting via TLS.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Token to use to authenticate to Vault.","description_kind":"plain","optional":true},"token_name":{"type":"string","description":"Token name to use for creating the Vault child token.","description_kind":"plain","optional":true},"vault_version_override":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server","description_kind":"plain","optional":true}},"block_types":{"auth_login":{"nesting_mode":"list","block":{"attributes":{"method":{"type":"string","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"parameters":{"type":["map","string"],"description_kind":"plain","optional":true,"sensitive":true},"path":{"type":"string","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login","description_kind":"plain"},"max_items":1},"auth_login_aws":{"nesting_mode":"list","block":{"attributes":{"aws_access_key_id":{"type":"string","description":"The AWS access key ID.","description_kind":"plain","optional":true},"aws_iam_endpoint":{"type":"string","description":"The IAM endpoint URL.","description_kind":"plain","optional":true},"aws_profile":{"type":"string","description":"The name of the AWS profile.","description_kind":"plain","optional":true},"aws_region":{"type":"string","description":"The AWS region.","description_kind":"plain","optional":true},"aws_role_arn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_role_session_name":{"type":"string","description":"Specifies the name to attach to the AWS role session. 
Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"The AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"The AWS session token.","description_kind":"plain","optional":true},"aws_shared_credentials_file":{"type":"string","description":"Path to the AWS shared credentials file.","description_kind":"plain","optional":true},"aws_sts_endpoint":{"type":"string","description":"The STS endpoint URL.","description_kind":"plain","optional":true},"aws_web_identity_token_file":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.","description_kind":"plain","optional":true},"header_value":{"type":"string","description":"The Vault header value to include in the STS signing request.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"The Vault role to use when logging into Vault.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the AWS method","description_kind":"plain"},"max_items":1},"auth_login_azure":{"nesting_mode":"list","block":{"attributes":{"client_id":{"type":"string","description":"The identity's client ID.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token. 
If not specified on will be created automatically","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"resource_group_name":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"scope":{"type":"string","description":"The scopes to include in the token request.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"vm_name":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","optional":true},"vmss_name":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. 
This information can be obtained through instance metadata.","description_kind":"plain","optional":true}},"description":"Login to vault using the azure method","description_kind":"plain"},"max_items":1},"auth_login_cert":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","required":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the certificate's role","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the cert method","description_kind":"plain"},"max_items":1},"auth_login_gcp":{"nesting_mode":"list","block":{"attributes":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"service_account":{"type":"string","description":"IAM service account.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the gcp method","description_kind":"plain"},"max_items":1},"auth_login_jwt":{"nesting_mode":"list","block":{"attributes":{"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the jwt method","description_kind":"plain"},"max_items":1},"auth_login_kerberos":{"nesting_mode":"list","block":{"attributes":{"disable_fast_negotiation":{"type":"bool","description":"Disable the Kerberos FAST negotiation.","description_kind":"plain","optional":true},"keytab_path":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.","description_kind":"plain","optional":true},"krb5conf_path":{"type":"string","description":"A valid Kerberos configuration file e.g. 
/etc/krb5.conf.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain","description_kind":"plain","optional":true},"remove_instance_name":{"type":"bool","description":"Strip the host from the username found in the keytab.","description_kind":"plain","optional":true},"service":{"type":"string","description":"The service principle name.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to login into Kerberos with.","description_kind":"plain","optional":true}},"description":"Login to vault using the kerberos method","description_kind":"plain"},"max_items":1},"auth_login_oci":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Authentication type to use when getting OCI credentials.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the OCI method","description_kind":"plain"},"max_items":1},"auth_login_oidc":{"nesting_mode":"list","block":{"attributes":{"callback_address":{"type":"string","description":"The callback address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"callback_listener_address":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the oidc method","description_kind":"plain"},"max_items":1},"auth_login_radius":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"The Radius password for username.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The Radius username.","description_kind":"plain","required":true}},"description":"Login to vault using the radius method","description_kind":"plain"},"max_items":1},"auth_login_token_file":{"nesting_mode":"list","block":{"attributes":{"filename":{"type":"string","description":"The name of a file containing a single line that is a valid Vault token","description_kind":"plain","required":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using ","description_kind":"plain"},"max_items":1},"auth_login_userpass":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"Login with password","description_kind":"plain","optional":true},"password_file":{"type":"string","description":"Login with password from a file","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. 
Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"Login with username","description_kind":"plain","required":true}},"description":"Login to vault using the userpass method","description_kind":"plain"},"max_items":1},"client_auth":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","optional":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","optional":true}},"description":"Client authentication credentials.","description_kind":"plain","deprecated":true},"max_items":1},"headers":{"nesting_mode":"list","block":{"attributes":{"name":{"type":"string","description":"The header name","description_kind":"plain","required":true},"value":{"type":"string","description":"The header value","description_kind":"plain","required":true}},"description":"The headers to send with each Vault request.","description_kind":"plain"}}},"description_kind":"plain"}},"resource_schemas":{"vault_ad_secret_backend":{"version":1,"block":{"attributes":{"anonymous_group_search":{"type":"bool","description":"Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for a backend, for example, the path given in \"$ vault auth enable -path=my-ad ad\".","description_kind":"plain","optional":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user 
DN.","description_kind":"plain","required":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description":"If true, case sensitivity will be used when comparing usernames and groups for matching policies.","description_kind":"plain","optional":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"deny_null_bind":{"type":"bool","description":"Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description":"Use anonymous bind to discover the bind DN of a user.","description_kind":"plain","optional":true},"formatter":{"type":"string","description":"Text to insert the password into, ex. \"customPrefix{{PASSWORD}}customSuffix\".","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate user group membership. 
Examples: \"cn\" or \"memberOf\", etc. Default: cn","description_kind":"plain","optional":true},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)","description_kind":"plain","optional":true},"groupfilter":{"type":"string","description":"Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"last_rotation_tolerance":{"type":"number","description":"The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.","description_kind":"plain","optional":true,"computed":true},"length":{"type":"number","description":"The desired length of passwords that Vault generates.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"In seconds, the maximum password time-to-live.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description":"Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true},"use_pre111_group_cn_behavior":{"type":"bool","description":"In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. 
It is enabled by default if the config is upgraded but disabled by default on new configurations.","description_kind":"plain","optional":true,"computed":true},"use_token_groups":{"type":"bool","description":"If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.","description_kind":"plain","optional":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_library":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time, in seconds, a check-out last with renewal before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set. 
These service accounts must already exist in Active Directory.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The amount of time, in seconds, a single check-out lasts before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this service account's password.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password_last_set":{"type":"string","description":"Last time Vault set this service account's password.","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The username/logon name for the service account with which this role will be associated.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_alicloud_auth_backend_role":{"version":0,"block":{"attributes":{"arn":{"type":"string","description":"The role's arn.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Auth backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of the role reflected in the arn.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor for the token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The 
token.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"How long the token is valid for.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The timestamp the lease started on, as determined by the machine running Terraform.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with the token.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies set on the token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"Whether the token is renewable or not.","description_kind":"plain","computed":true},"role_id":{"type":"string","description":"The RoleID to log in with.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to log in with.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bind_secret_id":{"type":"bool","description":"Whether or not to require secret_id to be present when logging in using this AppRole.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role. 
Autogenerated if not set.","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id_bound_cidrs":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the AppRole.","description_kind":"plain","optional":true},"secret_id_num_uses":{"type":"number","description":"Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses.","description_kind":"plain","optional":true},"secret_id_ttl":{"type":"number","description":"Number of seconds a SecretID remains valid for.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in 
seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role_secret_id":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The unique ID used to access this SecretID.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cidr_list":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the SecretID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to be managed. If not specified, Vault auto-generates one.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"with_wrapped_accessor":{"type":"bool","description":"Use the wrapped secret-id accessor as the id of this resource. 
If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping.","description_kind":"plain","optional":true},"wrapping_accessor":{"type":"string","description":"The wrapped SecretID accessor.","description_kind":"plain","computed":true},"wrapping_token":{"type":"string","description":"The wrapped SecretID token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL duration of the wrapped SecretID.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_audit":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"Human-friendly description of the audit device.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Configuration options to pass to the audit device itself.","description_kind":"plain","required":true},"path":{"type":"string","description":"Path in which to enable the audit device.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_audit_request_header":{"version":0,"block":{"attributes":{"hmac":{"type":"bool","description":"Whether this header's value should be HMAC'd in the audit logs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the request header to audit.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend. 
This defaults to the type.","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Name of the auth backend","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_auth_backend_cert":{"version":0,"block":{"attributes":{"aws_public_cert":{"type":"string","description":"Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cert_name":{"type":"string","description":"Name of the certificate to configure.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of document that can be verified using the certificate. 
Must be either \"pkcs7\" or \"identity\".","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_client":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS Access key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS EC2 API calls.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS IAM API calls.","description_kind":"plain","optional":true},"iam_server_id_header_value":{"type":"string","description":"The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS STS API calls.","description_kind":"plain","optional":true},"sts_region":{"type":"string","description":"Region to override the default region for making AWS STS API calls.","description_kind":"plain","optional":true},"use_sts_region_from_client":{"type":"bool","description":"If set, will override sts_region and use the region from the client request's header","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_config_identity":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_alias":{"type":"string","description":"Configures how to generate the identity alias when using the ec2 auth method.","description_kind":"plain","optional":true},"ec2_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"iam_alias":{"type":"string","description":"How to generate the identity alias when using the iam auth method.","description_kind":"plain","optional":true},"iam_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_identity_whitelist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the identiy whitelist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor returned from Vault for this token.","description_kind":"plain","computed":true},"auth_type":{"type":"string","description":"The auth method used to generate this token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"AWS Auth Backend to read the token from.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The token returned by Vault.","description_kind":"plain","computed":true,"sensitive":true},"iam_http_request_method":{"type":"string","description":"The HTTP method used in the signed request.","description_kind":"plain","optional":true},"iam_request_body":{"type":"string","description":"The Base64-encoded body of the signed request.","description_kind":"plain","optional":true},"iam_request_headers":{"type":"string","description":"The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request 
headers.","description_kind":"plain","optional":true},"iam_request_url":{"type":"string","description":"The Base64-encoded HTTP URL used in the signed request.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity":{"type":"string","description":"Base64-encoded EC2 instance identity document to authenticate with.","description_kind":"plain","optional":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"The metadata reported by the Vault server.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"nonce":{"type":"string","description":"The nonce to be used for subsequent login requests.","description_kind":"plain","optional":true,"computed":true},"pkcs7":{"type":"string","description":"PKCS7 signature of the identity document to authenticate with, with all newline characters removed.","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"The policies assigned to this token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"role":{"type":"string","description":"AWS Auth Role to read the token from.","description_kind":"plain","optional":true,"computed":true},"signature":{"type":"string","description":"Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate 
with.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"When true, allows migration of the underlying instance where the client resides. Use with caution.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"The auth type permitted for this role.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_account_ids":{"type":["set","string"],"description":"Only EC2 instances with this account ID in their identity document will be permitted to log in.","description_kind":"plain","optional":true},"bound_ami_ids":{"type":["set","string"],"description":"Only EC2 instances using this AMI ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_ec2_instance_ids":{"type":["set","string"],"description":"Only EC2 instances that match this instance ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_instance_profile_arns":{"type":["set","string"],"description":"Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_principal_arns":{"type":["set","string"],"description":"The IAM principal that must be authenticated using the iam auth method.","description_kind":"plain","optional":true},"bound_iam_role_arns":{"type":["set","string"],"description":"Only EC2 instances that match this IAM role ARN will be permitted to log in.","description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description":"Only EC2 instances in this region will be permitted to log in.","description_kind":"plain","optional":true},"bound_subnet_ids":{"type":["set","string"],"description":"Only EC2 
instances associated with this subnet ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_vpc_ids":{"type":["set","string"],"description":"Only EC2 instances associated with this VPC ID will be permitted to log in.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"When true, only allows a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inferred_aws_region":{"type":"string","description":"The region to search for the inferred entities in.","description_kind":"plain","optional":true},"inferred_entity_type":{"type":"string","description":"The type of inferencing Vault should do.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resolve_aws_unique_ids":{"type":"bool","description":"Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. 
When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_id":{"type":"string","description":"The Vault generated role ID.","description_kind":"plain","computed":true},"role_tag":{"type":"string","description":"The key of the tag on EC2 instance to use for role tags.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role_tag":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"Allows migration of the underlying instance where the client resides.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"AWS auth backend to read tags from.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"Only allow a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"instance_id":{"type":"string","description":"Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of tokens issued using this role.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be associated with the tag.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"tag_key":{"type":"string","description_kind":"plain","computed":true},"tag_value":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_roletag_blacklist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","required":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the roletag blacklist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_sts_role":{"version":0,"block":{"attributes":{"account_id":{"type":"string","description":"AWS account ID to be associated with STS role.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"sts_role":{"type":"string","description":"AWS ARN for STS role to be assumed when interacting with the account specified.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_secret_backend":{"version":1,"block":{"attributes":{"access_key":{"type":"string","description":"The AWS Access Key ID to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1.","description_kind":"plain","optional":true,"computed":true},"role_arn":{"type":"string","description":"Role ARN to assume for plugin identity token federation.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the AWS Secret Backend the role belongs to.","description_kind":"plain","required":true},"credential_type":{"type":"string","description":"Role credential type.","description_kind":"plain","required":true},"default_sts_ttl":{"type":"number","description":"The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"iam_groups":{"type":["set","string"],"description":"A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. 
For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_sts_ttl":{"type":"number","description":"The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permissions_boundary_arn":{"type":"string","description":"The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.","description_kind":"plain","optional":true},"policy_arns":{"type":["set","string"],"description":"ARN for an existing IAM policy the role should use.","description_kind":"plain","optional":true},"policy_document":{"type":"string","description":"IAM policy the role should use in JSON format.","description_kind":"plain","optional":true},"role_arns":{"type":["set","string"],"description":"ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'","description_kind":"plain","optional":true},"user_path":{"type":"string","description":"The path for the user name. Valid only when credential_type is iam_user. 
Default is /","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path where the AWS secrets backend is mounted.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing AWS IAM user to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_azure_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"resource":{"type":"string","description":"The configured URL for the application registered in Azure Active Directory.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_group_ids":{"type":["list","string"],"description":"The list of group ids that login is restricted to.","description_kind":"plain","optional":true},"bound_locations":{"type":["list","string"],"description":"The list of locations that login is restricted to.","description_kind":"plain","optional":true},"bound_resource_groups":{"type":["list","string"],"description":"The list of resource groups that login is restricted to.","description_kind":"plain","optional":true},"bound_scale_sets":{"type":["list","string"],"description":"The list of scale set names that the login is restricted to.","description_kind":"plain","optional":true},"bound_service_principal_ids":{"type":["list","string"],"description":"The list of Service Principal IDs that login is restricted to.","description_kind":"plain","optional":true},"bound_subscription_ids":{"type":["list","string"],"description":"The list of subscription IDs that login is restricted to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_secret_backend":{"version":1,"block":{"attributes":{"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. 
Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription id for the Azure Active Directory.","description_kind":"plain","required":true,"sensitive":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true},"use_microsoft_graph_api":{"type":"bool","description":"Use the Microsoft Graph API. 
Should be set to true on vault-1.10+","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_azure_secret_backend_role":{"version":0,"block":{"attributes":{"application_object_id":{"type":"string","description":"Application Object ID for an existing service principal that will be used instead of creating dynamic service principals.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permanently_delete":{"type":"bool","description":"Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role to create","description_kind":"plain","required":true},"sign_in_audience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application. 
Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount","description_kind":"plain","optional":true},"tags":{"type":["list","string"],"description":"Comma-separated strings of Azure tags to attach to an application.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true}},"block_types":{"azure_groups":{"nesting_mode":"set","block":{"attributes":{"group_name":{"type":"string","description_kind":"plain","required":true},"object_id":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"azure_roles":{"nesting_mode":"set","block":{"attributes":{"role_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"scope":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_cert_auth_backend_role":{"version":1,"block":{"attributes":{"allowed_common_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_dns_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_email_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_organization_units":{"type":["set","string"],"description_kind":"plain","deprecated":true,"optional":true,"computed":true},"allowed_organizational_units":{"type":["set","string"],"description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"certificate":{"type":"string",
"description_kind":"plain","required":true},"display_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_ca_certificates":{"type":"string","description":"Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data.","description_kind":"plain","optional":true},"ocsp_enabled":{"type":"bool","description":"If enabled, validate certificates' revocation status using OCSP.","description_kind":"plain","optional":true,"computed":true},"ocsp_fail_open":{"type":"bool","description":"If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked.","description_kind":"plain","optional":true,"computed":true},"ocsp_query_all_servers":{"type":"bool","description":"If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.","description_kind":"plain","optional":true,"computed":true},"ocsp_servers_override":{"type":["set","string"],"description":"A comma-separated list of OCSP server addresses. 
If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.","description_kind":"plain","optional":true},"required_extensions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_consul_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","required":true},"bootstrap":{"type":"bool","description":"Denotes a backend resource that is used to 
bootstrap the Consul ACL system. Only one resource may be used to bootstrap.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the Vault Consul mount to configure","description_kind":"plain","optional":true},"scheme":{"type":"string","description":"Specifies the URL scheme to use. 
Defaults to \"http\".","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_consul_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Consul Secret Backend the role belongs to.","description_kind":"plain","optional":true},"consul_namespace":{"type":"string","description":"The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+","description_kind":"plain","optional":true,"computed":true},"consul_policies":{"type":["set","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"consul_roles":{"type":["set","string"],"description":"Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.","description_kind":"plain","optional":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Consul credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"node_identities":{"type":["set","string"],"description":"Set of Consul node identities to attach to\n\t\t\t\tthe token. 
Applicable for Vault 1.11+ with Consul 1.8+","description_kind":"plain","optional":true},"partition":{"type":"string","description":"The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+","description_kind":"plain","optional":true,"computed":true},"policies":{"type":["list","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"service_identities":{"type":["set","string"],"description":"Set of Consul service identities to attach to\n\t\t\t\tthe token. Applicable for Vault 1.11+ with Consul 1.5+","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","deprecated":true,"optional":true},"ttl":{"type":"number","description":"Specifies the TTL for this role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_connection":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault mount to configure.","description_kind":"plain","required":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to 
Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"},"max_items":1},"couchbase":{"nesting_mode":"list","block":{"attributes":{"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. 
Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"},"max_items":1},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to be used in the connection 
URL","description_kind":"plain","required":true,"sensitive":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"},"max_items":1},"hana":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin 
plugin.","description_kind":"plain"},"max_items":1},"influxdb":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodb":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string 
to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mssql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the 
database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"},"max_items":1},"oracle":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation 
template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"},"max_items":1},"postgresql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The 
contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redshift":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"},"max_items":1},"snowflake":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be 
reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_database_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"creation_statements":{"type":["list","string"],"description":"Database statements to execute to create and configure a user.","description_kind":"plain","required":true},"credential_config":{"type":["map","string"],"description":"Specifies the configuration for the given credential_type.","description_kind":"plain","optional":true},"credential_type":{"type":"string","description":"Specifies the type of credential that will be generated for the role.","description_kind":"plain","optional":true,"computed":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Default TTL for leases associated with this role, in 
seconds.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"renew_statements":{"type":["list","string"],"description":"Database statements to execute to renew a user.","description_kind":"plain","optional":true},"revocation_statements":{"type":["list","string"],"description":"Database statements to execute to revoke a user.","description_kind":"plain","optional":true},"rollback_statements":{"type":["list","string"],"description":"Database statements to execute to rollback a create operation in the event of an error.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the static role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"The amount of time Vault should wait before rotating the password, in seconds.","description_kind":"plain","optional":true},"rotation_schedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.","description_kind":"plain","optional":true},"rotation_statements":{"type":["list","string"],"description":"Database statements to execute to rotate the password for the configured database user.","description_kind":"plain","optional":true},"rotation_window":{"type":"number","description":"The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The database username that this role corresponds to.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_database_secrets_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in 
seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"engine_count":{"type":"number","description":"Total number of database secret engines configured under the mount.","description_kind":"plain","computed":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"}},"couchbase":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"}},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of 
roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"}},"hana":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"}},"influxdb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"}},"mongodb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"}},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"}},"mssql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when 
the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"}},"mysql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"}},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"}},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"}},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"}},"oracle":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"}},"postgresql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"}},"redis":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"}},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"}},"redshift":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"}},"snowflake":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_egp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"List of paths to which the policy will be applied","description_kind":"plain","required":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"client_email":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"credentials":{"type":"string","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"private_key_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"project_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"block_types":{"custom_endpoint":{"nesting_mode":"list","block":{"attributes":{"api":{"type":"string","description":"Replaces the service endpoint used in API requests to https://www.googleapis.com.","description_kind":"plain","optional":true},"compute":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.","description_kind":"plain","optional":true},"crm":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.","description_kind":"plain","optional":true},"iam":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.","description_kind":"plain","optional":true}},"description":"Specifies overrides to service endpoints used when making API requests to 
GCP.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"add_group_aliases":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allow_gce_inference":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_jwt_exp":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_secret_backend":{"version":1,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in 
seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_impersonated_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"impersonated_account":{"type":"string","description":"Name of the Impersonated Account to create","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this impersonated account","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) ","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_roleset":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.","description_kind":"plain","required":true},"roleset":{"type":"string","description":"Name of the RoleSet to create","description_kind":"plain","required":true},"secret_type":{"type":"string","description":"Type of secret generated for this role set. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the service account created by Vault for this Roleset","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"},"min_items":1}},"description_kind":"plain"}},"vault_gcp_secret_static_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_type":{"type":"string","description":"Type of secret generated for this static account. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this static account","description_kind":"plain","computed":true},"static_account":{"type":"string","description":"Name of the Static Account to create","description_kind":"plain","required":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_generic_endpoint":{"version":1,"block":{"attributes":{"data_json":{"type":"string","description":"JSON-encoded data to write.","description_kind":"plain","required":true,"sensitive":true},"disable_delete":{"type":"bool","description":"Don't attempt to delete the path from Vault if true","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the path from Vault if true; drift won't be detected","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ignore_absent_fields":{"type":"bool","description":"When reading, disregard fields not present in data_json","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where to the endpoint that will be written","description_kind":"plain","required":true},"write_data":{"type":["map","string"],"description":"Map of strings returned by write operation","description_kind":"plain","computed":true},"write_data_json":{"type":"string","description":"JSON data returned by write operation","description_kind":"plain","computed":true},"write_fields":{"type":["list","string"],"description":"Top-level fields returned by write to persist in state","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the token from Vault if true; drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Specifies the description of the mount. This overrides the current stored value, if any.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization users must be part of.","description_kind":"plain","required":true},"organization_id":{"type":"number","description":"The ID of the organization users must be part of. 
Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where the auth backend is mounted","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_github_team":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which team mapping will be configured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this team.","description_kind":"plain","optional":true},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_user":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which user mapping will be congigured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this user.","description_kind":"plain","optional":true},"user":{"type":"string","description":"GitHub user name.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Whether the entity is disabled. 
Disabled entities' associated tokens cannot be used, but are not revoked.","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_entity_policies`.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the entity.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the entity to which this is an alias.","description_kind":"plain","required":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata to be associated with this alias.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs toMount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the entity alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_policies":{"version":0,"block":{"attributes":{"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","required":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","computed":true},"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"external_member_entity_ids":{"type":"bool","description":"Manage member entities externally through `vault_identity_group_member_entity_ids`","description_kind":"plain","optional":true},"external_member_group_ids":{"type":"bool","description":"Manage member groups externally through `vault_identity_group_member_group_ids`","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the 
group.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to internal.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the group to which this is an alias.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the group alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_entity_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member entity ids\nexclusively. 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","deprecated":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_group_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member group ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_policies":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively? 
Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo","description_kind":"plain","required":true,"sensitive":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo","description_kind":"plain","required":true,"sensitive":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_passcode":{"type":"bool","description":"Require passcode upon MFA validation.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_login_enforcement":{"version":0,"block":{"attributes":{"auth_method_accessors":{"type":["set","string"],"description":"Set of auth method accessor IDs.","description_kind":"plain","optional":true},"auth_method_types":{"type":["set","string"],"description":"Set of auth method types.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_entity_ids":{"type":["set","string"],"description":"Set of identity entity IDs.","description_kind":"plain","optional":true},"identity_group_ids":{"type":["set","string"],"description":"Set of identity group IDs.","description_kind":"plain","optional":true},"mfa_method_ids":{"type":["set","string"],"description":"Set of MFA method UUIDs.","description_kind":"plain","required":true},"name":{"type":"string","description":"Login enforcement 
name.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API token.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"The base domain to use for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"Only match the primary email for the account.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"The admin URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"A unique identifier of the organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"The IDP URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"The name of the PingID client organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"Use signature value, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. 
This value can either be 6 or 8","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"max_validation_attempts":{"type":"number","description":"The maximum number of consecutive failed validation attempts allowed.","description_kind":"plain","optional":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"period":{"type":"number","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true,"computed":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_assignment":{"version":0,"block":{"attributes":{"entity_ids":{"type":["set","string"],"description":"A list of Vault entity IDs.","description_kind":"plain","optional":true},"group_ids":{"type":["set","string"],"description":"A list of Vault group IDs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the assignment.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_client":{"version":0,"block":{"attributes":{"access_token_ttl":{"type":"number","description":"The time-to-live for access tokens obtained by the client.","description_kind":"plain","optional":true,"computed":true},"assignments":{"type":["set","string"],"description":"A list of assignment resources associated with the client.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"client_type":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_ttl":{"type":"number","description":"The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key.","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A reference to a named key resource in Vault. This cannot be modified after creation.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"redirect_uris":{"type":["set","string"],"description":"Redirection URI values used by the client. 
One of these values must exactly match the redirect_uri parameter value used in each authentication request.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.","description_kind":"plain","optional":true},"allowed_client_ids":{"type":["set","string"],"description":"Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If \"*\", all roles are allowed.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often to generate a new signing key in number of seconds","description_kind":"plain","optional":true},"verification_ttl":{"type":"number","description":"Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key_allowed_client_id":{"version":0,"block":{"attributes":{"allowed_client_id":{"type":"string","description":"Role Client ID allowed to use the key for signing.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_provider":{"version":0,"block":{"attributes":{"allowed_client_ids":{"type":["set","string"],"description":"The client IDs that are permitted to use the provider. If empty, no clients are allowed. If \"*\", all clients are allowed.","description_kind":"plain","optional":true},"https_enabled":{"type":"bool","description":"Set to true if the issuer endpoint uses HTTPS.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields.","description_kind":"plain","computed":true},"issuer_host":{"type":"string","description":"The host for the issuer. Can be either host or host:port.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"scopes_supported":{"type":["set","string"],"description":"The scopes available for requesting on the provider.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_role":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A configured named key, the key must already exist.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in string-ified JSON or base64 format.","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"TTL of the tokens generated against the role in number of seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_scope":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"The scope's description.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the scope. The openid scope name is reserved.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string for the scope. 
This may be provided as escaped JSON or base64 encoded JSON.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the JWT auth backend","description_kind":"plain","computed":true},"bound_issuer":{"type":"string","description":"The value against which to match the iss claim in a JWT","description_kind":"plain","optional":true},"default_role":{"type":"string","description":"The default role to use if none is provided during login","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"jwks_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.","description_kind":"plain","optional":true},"jwks_url":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"jwt_supported_algs":{"type":["list","string"],"description":"A list of supported signing algorithms. Defaults to [RS256]","description_kind":"plain","optional":true},"jwt_validation_pubkeys":{"type":["list","string"],"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. 
","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_in_state":{"type":"bool","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.","description_kind":"plain","optional":true},"oidc_client_id":{"type":"string","description":"Client ID used for OIDC","description_kind":"plain","optional":true},"oidc_client_secret":{"type":"string","description":"Client Secret used for OIDC","description_kind":"plain","optional":true,"sensitive":true},"oidc_discovery_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used","description_kind":"plain","optional":true},"oidc_discovery_url":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"oidc_response_mode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.","description_kind":"plain","optional":true},"oidc_response_types":{"type":["list","string"],"description":"The response types to request. 
Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"provider_config":{"type":["map","string"],"description":"Provider specific handling configuration","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of backend. Can be either 'jwt' or 'oidc'","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_redirect_uris":{"type":["set","string"],"description":"The list of allowed values for redirect_uri during OIDC logins.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_audiences":{"type":["set","string"],"description":"List of aud claims to match against. Any match is sufficient.","description_kind":"plain","optional":true},"bound_claims":{"type":["map","string"],"description":"Map of claims/values to match against. 
The expected value may be a single string or a comma-separated string list.","description_kind":"plain","optional":true},"bound_claims_type":{"type":"string","description":"How to interpret values in the claims/values map: can be either \"string\" (exact match) or \"glob\" (wildcard match).","description_kind":"plain","optional":true,"computed":true},"bound_subject":{"type":"string","description":"If set, requires that the sub claim matches this value.","description_kind":"plain","optional":true},"claim_mappings":{"type":["map","string"],"description":"Map of claims (keys) to be copied to specified metadata fields (values).","description_kind":"plain","optional":true},"clock_skew_leeway":{"type":"number","description":"The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"disable_bound_claims_parsing":{"type":"bool","description":"Disable bound claim value parsing. Useful when values contain commas.","description_kind":"plain","optional":true},"expiration_leeway":{"type":"number","description":"The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"groups_claim":{"type":"string","description":"The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. 
The claim value must be a list of strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_age":{"type":"number","description":"Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_leeway":{"type":"number","description":"The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ","description_kind":"plain","optional":true},"oidc_scopes":{"type":["set","string"],"description":"List of OIDC scopes to be used with an OIDC role. The standard scope \"openid\" is automatically included and need not be specified.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_type":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\"","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The 
maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"user_claim":{"type":"string","description":"The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.","description_kind":"plain","required":true},"user_claim_json_pointer":{"type":"bool","description":"Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.","description_kind":"plain","optional":true},"verbose_oidc_logging":{"type":"bool","description":"Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_backend":{"version":1,"block":{"attributes":{"default_tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"default_tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"default_tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listen_addrs":{"type":["set","string"],"description":"Addresses the KMIP server should listen on (host:port)","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP secret backend will be mounted","description_kind":"plain","required":true},"server_hostnames":{"type":["set","string"],"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. 
The first will be used as the common name (CN)","description_kind":"plain","optional":true,"computed":true},"server_ips":{"type":["set","string"],"description":"IPs to include in the server's TLS certificate as SAN IP addresses","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_bits":{"type":"number","description":"CA key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_type":{"type":"string","description":"CA key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to accept","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kmip_secret_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"operation_activate":{"type":"bool","description":"Grant permission to use the KMIP Activate operation","description_kind":"plain","optional":true,"computed":true},"operation_add_attribute":{"type":"bool","description":"Grant permission to use the KMIP Add Attribute operation","description_kind":"plain","optional":true,"computed":true},"operation_all":{"type":"bool","description":"Grant all permissions to this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_create":{"type":"bool","description":"Grant permission to use the KMIP Create operation","description_kind":"plain","optional":true,"computed":true},"operation_destroy":{"type":"bool","description":"Grant permission to use the KMIP Destroy operation","description_kind":"plain","optional":true,"computed":true},"operation_discover_versions":{"type":"bool","description":"Grant permission to use the KMIP Discover Version operation","description_kind":"plain","optional":true,"computed":true},"operation_get":{"type":"bool","description":"Grant permission to use the KMIP Get operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attribute_list":{"type":"bool","description":"Grant permission to use the KMIP Get Attribute List operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attributes":{"type":"bool","description":"Grant permission to use the KMIP Get Attributes operation","description_kind":"plain","optional":true,"computed":true},"operation_locate":{"type":"bool","description":"Grant permission to use the KMIP Locate operation","description_kind":"plain","optional":true,"computed":true},"operation_none":{"type":"bool","description":"Remove all permissions from this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_register":{"type":"bool","description":"Grant permission to use the KMIP Register operation","description_kind":"plain","optional":true,"computed":true},"operation_rekey":{"type":"bool","description":"Grant permission to use the KMIP Rekey operation","description_kind":"plain","optional":true,"computed":true},"operation_revoke":{"type":"bool","description":"Grant permission to use the KMIP Revoke operation","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true},"tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true},"tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true},"tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_scope":{"version":0,"block":{"attributes":{"force":{"type":"bool","description":"Force deletion even if there are managed objects in the scope","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true},"token_reviewer_jwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name","description_kind":"plain","optional":true,"computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","required":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to 
access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_local_ca_jwt":{"type":"bool","description":"Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. 
Defaults to the local pod’s CA if found, or otherwise the host's root CA set.","description_kind":"plain","optional":true},"kubernetes_host":{"type":"string","description":"The Kubernetes API URL to connect to.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"service_account_jwt":{"type":"string","description":"The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend_role":{"version":0,"block":{"attributes":{"allowed_kubernetes_namespaces":{"type":["list","string"],"description":"The list of Kubernetes namespaces this role can generate credentials for. 
If set to '*' all namespaces are allowed.","description_kind":"plain","required":true},"backend":{"type":"string","description":"The mount path for the Kubernetes secrets engine.","description_kind":"plain","required":true},"extra_annotations":{"type":["map","string"],"description":"Additional annotations to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"extra_labels":{"type":["map","string"],"description":"Additional labels to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"generated_role_rules":{"type":"string","description":"The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_role_name":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.","description_kind":"plain","optional":true},"kubernetes_role_type":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or ClusterRole.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"name_template":{"type":"string","description":"The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"service_account_name":{"type":"string","description":"The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested.","description_kind":"plain","optional":true},"token_default_ttl":{"type":"number","description":"The default TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_backend_v2":{"version":0,"block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true,"computed":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"cas":{"type":"number","description":"This flag is required if cas_required is set to true on either the secret or the engine's config. 
In order for a write to be successful, cas must be set to the current version of the secret.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"If set to true, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"If set to true, disables reading secret from Vault; note: drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with this secret read from Vault.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"An object that holds option settings.","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.","description_kind":"plain","computed":true}},"block_types":{"custom_metadata":{"nesting_mode":"list","block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of arbitrary string to string valued user-provided metadata meant to describe the secret.","description_kind":"plain","optional":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted.","description_kind":"plain","optional":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true}},"description":"Custom metadata to be set for the secret.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_ldap_auth_backend":{"version":2,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the LDAP auth 
backend","description_kind":"plain","computed":true},"binddn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"bindpass":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"certificate":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_cert":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_key":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"deny_null_bind":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description_kind":"plain","optional":true,"computed":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"groupattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"max_page_size":{"type":"number","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"starttls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"upndomain":{"type":"string","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description_kind":"plain","required":true},"use_token_groups":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"username_as_alias":{"type":"bool","description":"Force the auth method to use the username passed by the user as the alias name.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_group":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groupname":{"type":"string","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_user":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"username":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_ldap_secret_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user DN.","description_kind":"plain","required":true,"sensitive":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM 
encoded.","description_kind":"plain","optional":true,"sensitive":true},"connection_timeout":{"type":"number","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"length":{"type":"number","description":"The desired length of passwords that Vault generates.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true,"computed":true},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf.","description_kind":"plain","optional":true,"computed":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). 
Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_dynamic_role":{"version":0,"block":{"attributes":{"creation_ldif":{"type":"string","description":"A templatized LDIF string used to create a user account. May contain multiple entries.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Specifies the TTL for the leases associated with this role.","description_kind":"plain","optional":true},"deletion_ldif":{"type":"string","description":"A templatized LDIF string used to delete the user account once its TTL has expired. This may contain multiple LDIF entries.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Specifies the maximum TTL for the leases associated with this role.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rollback_ldif":{"type":"string","description":"A templatized LDIF string used to attempt to rollback any changes in the event that execution of the creation_ldif results in an error. 
This may contain multiple LDIF entries.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"A template used to generate a dynamic username. This will be used to fill in the .Username field within the creation_ldif string.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_library_set":{"version":0,"block":{"attributes":{"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time a check-out last with renewal before Vault automatically checks it back in. Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The maximum amount of time a single check-out lasts before Vault automatically checks it back in. 
Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_static_role":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_managed_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"aws":{"nesting_mode":"set","block":{"attributes":{"access_key":{"type":"string","description":"The AWS access key to use","description_kind":"plain","required":true},"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"endpoint":{"type":"string","description":"Used to specify a custom AWS endpoint","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. 
This field is required when 'key_type' is 'RSA'","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"kms_key":{"type":"string","description":"An identifier for the key","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"region":{"type":"string","description":"The AWS region where the keys are stored (or will be stored)","description_kind":"plain","optional":true,"computed":true},"secret_key":{"type":"string","description":"The AWS secret key to use","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for AWS Managed Keys","description_kind":"plain"}},"azure":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description":"The client id for 
credentials to query the Azure APIs","description_kind":"plain","required":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","required":true},"environment":{"type":"string","description":"The Azure Cloud environment API endpoints to use","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_name":{"type":"string","description":"The Key Vault key to use for encryption and decryption","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"resource":{"type":"string","description":"The Azure Key Vault resource's DNS Suffix to connect to","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true},"vault_name":{"type":"string","description":"The Key Vault vault to use the encryption keys for encryption and decryption","description_kind":"plain","required":true}},"description":"Configuration block for Azure Managed Keys","description_kind":"plain"}},"pkcs":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the 
backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"force_rw_session":{"type":"string","description":"Force all operations to open up a read-write session to the HSM","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The id of a PKCS#11 key to use","description_kind":"plain","required":true},"key_label":{"type":"string","description":"The label of the key to use","description_kind":"plain","required":true},"library":{"type":"string","description":"The name of the kms_library stanza to use from Vault's config to lookup the local library path","description_kind":"plain","required":true},"mechanism":{"type":"string","description":"The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"pin":{"type":"string","description":"The PIN for login","description_kind":"plain","required":true},"slot":{"type":"string","description":"The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')","description_kind":"plain","optional":true},"token_label":{"type":"string","description":"The slot token label to use","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for PKCS Managed Keys","description_kind":"plain"}}},"description_kind":"plain"}},"vault_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo.","description_kind":"plain","required":true,"sensitive":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. 
The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo.","description_kind":"plain","required":true,"sensitive":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API key.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"If set, will be used as the base domain for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"If set to true, the username will only match the primary email for the account.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"Admin URL computed by Vault.","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"Authenticator URL computed by Vault.","description_kind":"plain","computed":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"IDP URL computed by Vault.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID computed by Vault.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"Org Alias computed by Vault.","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings file retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of configuration computed by Vault.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"If set, enables use of PingID signature. Computed by Vault","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"period":{"type":"number","description":"The length of time used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_backend":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located","description_kind":"plain","computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_role":{"version":0,"block":{"attributes":{"cidr_blocks":{"type":["list","string"],"description":"Whitelist entry in CIDR notation to be added for the API key","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_addresses":{"type":["list","string"],"description":"IP address to be added to the whitelist for the API 
key","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role","description_kind":"plain","optional":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization_id":{"type":"string","description":"ID for the organization to which the target API Key belongs","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"ID for the project to which the target API Key belongs","description_kind":"plain","optional":true},"project_roles":{"type":["list","string"],"description":"Roles assigned when an org API key is assigned to a project API key","description_kind":"plain","optional":true},"roles":{"type":["list","string"],"description":"List of roles that the API Key needs to have","description_kind":"plain","required":true},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data 
object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the backend, such as 'aws'","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"custom_metadata":{"type":["map","string"],"description":"Custom metadata describing this namespace. Value type is map[string]string.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","required":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided as \"protocol://host:port\" like \"http://127.0.0.1:4646\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path 
updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_token_name_length":{"type":"number","description":"Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","required":true},"global":{"type":"bool","description":"Specifies if the token should be global.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com (default)","description_kind":"plain","optional":true},"bypass_okta_mfa":{"type":"bool","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"group":{"type":["set",["object",{"group_name":"string","policies":["set","string"]}]],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Maximum duration after which authentication will be expired","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url https://XXX.okta.com.","description_kind":"plain","required":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"string","description":"Duration after which authentication will be expired","description_kind":"plain","optional":true},"user":{"type":["set",["object",{"groups":["set","string"],"policies":["set","string"],"username":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend_group":{"version":0,"block":{"attributes":{"group_name":{"type":"string","description":"Name of the Okta group","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this group","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_okta_auth_backend_user":{"version":0,"block":{"attributes":{"groups":{"type":["set","string"],"description":"Groups within the Okta auth backend to associate with this user","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this user","description_kind":"plain","optional":true},"username":{"type":"string","description":"Name of the user within Okta","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_password_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the password policy.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The password policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_cert":{"version":0,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":"string","description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of the certificate to create.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from 
SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The serial number.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"user_ids":{"type":["list","string"],"description":"List of Subject User IDs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"pem_bundle":{"type":"string","description":"The key and certificate PEM bundle.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"default":{"type":"string","description":"Specifies the default issuer by ID.","description_kind":"plain","optional":true},"default_follows_latest_issuer":{"type":"bool","description":"Specifies whether a root creation or an issuer import operation updates the default issuer to the newly added issuer.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_urls":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_crl_config":{"version":0,"block":{"attributes":{"auto_rebuild":{"type":"bool","description":"Enables or disables periodic rebuilding of the CRL upon expiry.","description_kind":"plain","optional":true},"auto_rebuild_grace_period":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"cross_cluster_revocation":{"type":"bool","description":"Enable cross-cluster revocation request queues.","description_kind":"plain","optional":true,"computed":true},"delta_rebuild_interval":{"type":"string","description":"Interval to check for new revocations on, to regenerate the delta CRL.","description_kind":"plain","optional":true,"computed":true},"disable":{"type":"bool","description":"Disables or enables CRL building","description_kind":"plain","optional":true},"enable_delta":{"type":"bool","description":"Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL.","description_kind":"plain","optional":true},"expiry":{"type":"string","description":"Specifies the time until expiration.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"ocsp_disable":{"type":"bool","description":"Disables or enables the OCSP responder in Vault.","description_kind":"plain","optional":true},"ocsp_expiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations.","description_kind":"plain","optional":true,"computed":true},"unified_crl":{"type":"bool","description":"Enables unified CRL and OCSP building.","description_kind":"plain","optional":true,"computed":true},"unified_crl_on_existing_paths":{"type":"bool","description":"Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_cert_request":{"version":0,"block":{"attributes":{"add_basic_constraints":{"type":"bool","description":"Set 'CA: true' in a Basic Constraints extension. Only needed as\na workaround in some compatibility scenarios with Active Directory Certificate Services.","description_kind":"plain","optional":true},"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","computed":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of 
data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of intermediate to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_set_signed":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"imported_issuers":{"type":["list","string"],"description":"The imported issuers.","description_kind":"plain","computed":true},"imported_keys":{"type":["list","string"],"description":"The imported keys.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"enable_aia_url_templating":{"type":"bool","description":"Specifies that the AIA URL values should be templated.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Reference to an existing 
issuer.","description_kind":"plain","required":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's 'NotAfter' field during issuance.","description_kind":"plain","optional":true,"computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true},"revocation_signature_algorithm":{"type":"string","description":"Which signature algorithm to use when building CRLs.","description_kind":"plain","optional":true,"computed":true},"usage":{"type":"string","description":"Comma-separated list of allowed usages for this issuer.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"Specifies the number of bits to use for the generated keys.","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for 
this.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"Specifies the desired key type; must be 'rsa', 'ed25519' or 'ec'.","description_kind":"plain","optional":true,"computed":true},"managed_key_id":{"type":"string","description":"The managed key's UUID.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The managed key's configured name.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"Specifies the type of the key to create.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_role":{"version":0,"block":{"attributes":{"allow_any_name":{"type":"bool","description":"Flag to allow any name","description_kind":"plain","optional":true},"allow_bare_domains":{"type":"bool","description":"Flag to allow certificates matching the actual domain.","description_kind":"plain","optional":true},"allow_glob_domains":{"type":"bool","description":"Flag to allow names containing glob patterns.","description_kind":"plain","optional":true},"allow_ip_sans":{"type":"bool","description":"Flag to allow IP SANs","description_kind":"plain","optional":true},"allow_localhost":{"type":"bool","description":"Flag to allow certificates for localhost.","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description":"Flag to allow certificates matching subdomains.","description_kind":"plain","optional":true},"allow_wildcard_certificates":{"type":"bool","description":"Flag to allow wildcard certificates","description_kind":"plain","optional":true},"allowed_domains":{"type":["list","string"],"description":"The domains of the role.","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description":"Flag to indicate that `allowed_domains` specifies a 
template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true},"allowed_other_sans":{"type":["list","string"],"description":"Defines allowed custom SANs","description_kind":"plain","optional":true},"allowed_serial_numbers":{"type":["list","string"],"description":"Defines allowed Subject serial numbers.","description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["list","string"],"description":"Defines allowed URI SANs","description_kind":"plain","optional":true},"allowed_uri_sans_template":{"type":"bool","description":"Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true,"computed":true},"allowed_user_ids":{"type":["list","string"],"description":"The allowed User ID's.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"basic_constraints_valid_for_non_ca":{"type":"bool","description":"Flag to mark basic constraints valid when issuing non-CA certificates.","description_kind":"plain","optional":true},"client_flag":{"type":"bool","description":"Flag to specify certificates for client use.","description_kind":"plain","optional":true},"code_signing_flag":{"type":"bool","description":"Flag to specify certificates for code signing use.","description_kind":"plain","optional":true},"country":{"type":["list","string"],"description":"The country of generated certificates.","description_kind":"plain","optional":true},"email_protection_flag":{"type":"bool","description":"Flag to specify certificates for email protection use.","description_kind":"plain","optional":true},"enforce_hostnames":{"type":"bool","description":"Flag to allow only valid host 
names","description_kind":"plain","optional":true},"ext_key_usage":{"type":["list","string"],"description":"Specify the allowed extended key usage constraint on issued certificates.","description_kind":"plain","optional":true},"ext_key_usage_oids":{"type":["list","string"],"description":"A list of extended key usage OIDs.","description_kind":"plain","optional":true},"generate_lease":{"type":"bool","description":"Flag to generate leases with certificates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"The number of bits of generated keys.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The generated key type.","description_kind":"plain","optional":true},"key_usage":{"type":["list","string"],"description":"Specify the allowed key usage constraint on issued certificates.","description_kind":"plain","optional":true,"computed":true},"locality":{"type":["list","string"],"description":"The locality of generated certificates.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum TTL.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_store":{"type":"bool","description":"Flag to not store certificates in the storage backend.","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","description_kind":"plain","optional":true,"computed":true},"organization":{"type":["list","string"],"description":"The organization of generated certificates.","description_kind":"plain","optional":true},"ou":{"type":["list","string"],"description":"The organization unit of generated certificates.","description_kind":"plain","optional":true},"policy_identifiers":{"type":["list","string"],"description":"Specify the list of allowed policies OIDs.","description_kind":"plain","optional":true},"postal_code":{"type":["list","string"],"description":"The postal code of generated certificates.","description_kind":"plain","optional":true},"province":{"type":["list","string"],"description":"The province of generated certificates.","description_kind":"plain","optional":true},"require_cn":{"type":"bool","description":"Flag to force CN usage.","description_kind":"plain","optional":true},"server_flag":{"type":"bool","description":"Flag to specify certificates for server use.","description_kind":"plain","optional":true},"street_address":{"type":["list","string"],"description":"The street address of generated certificates.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL.","description_kind":"plain","optional":true,"computed":true},"use_csr_common_name":{"type":"bool","description":"Flag to use the CN in the CSR.","description_kind":"plain","optional":true},"use_csr_sans":{"type":"bool","description":"Flag to use the SANs in the CSR.","description_kind":"plain","optional":true}},"block_types":{"policy_identifier":{"nesting_mode":"set","block":{"attributes":{"cps":{"type":"string","description":"Optional CPS 
URL","description_kind":"plain","optional":true},"notice":{"type":"string","description":"Optional notice","description_kind":"plain","optional":true},"oid":{"type":"string","description":"OID","description_kind":"plain","required":true}},"description":"Policy identifier block; can only be used with Vault 1.11+","description_kind":"plain"}}},"description_kind":"plain"}},"vault_pki_secret_backend_root_cert":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of root to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_id":{"type":"string","description":"The ID of the generated issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Provides a name to the specified issuer. 
The name must be unique across all issuers and not be the reserved value 'default'.","description_kind":"plain","optional":true,"computed":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of root to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_root_sign_intermediate":{"version":2,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The signed intermediate CA certificate.","description_kind":"plain","computed":true},"certificate_bundle":{"type":"string","description":"The concatenation of the intermediate and issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. 
The value will be empty for all other formats.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA certificate.","description_kind":"plain","computed":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"use_csr_values":{"type":"bool","description":"Preserve CSR values.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_sign":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within 
min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"serial":{"type":"string","description":"The serial number.","description_kind":"plain","deprecated":true,"computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_quota_lease_count":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_leases":{"type":"number","description":"The maximum number of leases to be allowed by the quota rule. The max_leases must be positive.","description_kind":"plain","required":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota.","description_kind":"plain","optional":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_quota_rate_limit":{"version":0,"block":{"attributes":{"block_interval":{"type":"number","description":"If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval":{"type":"number","description":"The duration in seconds to enforce rate limiting for.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota.","description_kind":"plain","optional":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota rule. 
The rate must be positive.","description_kind":"plain","required":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend":{"version":1,"block":{"attributes":{"connection_uri":{"type":"string","description":"Specifies the RabbitMQ connection URI.","description_kind":"plain","required":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password","description_kind":"plain","required":true,"sensitive":true},"password_policy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. 
Defaults to generating an alphanumeric password if not set.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path of the RabbitMQ Secret Backend where the connection should be configured","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username","description_kind":"plain","required":true,"sensitive":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies whether to verify connection URI, username, and password.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Rabbitmq Secret Backend the role belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.","description_kind":"plain","optional":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"configure":{"type":"string","description":"The configure permissions for this vhost.","description_kind":"plain","required":true},"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}},"vhost_topic":{"nesting_mode":"list","block":{"attributes":{"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"topic":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}}},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot":{"version":0,"block":{"attributes":{"cleanup_dead_servers":{"type":"bool","description":"Specifies whether to remove dead server nodes periodically or when a new server joins. 
This requires that min-quorum is also set.","description_kind":"plain","optional":true},"dead_server_last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set.","description_kind":"plain","optional":true},"disable_upgrade_migration":{"type":"bool","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered unhealthy.","description_kind":"plain","optional":true},"max_trailing_logs":{"type":"number","description":"Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy.","description_kind":"plain","optional":true},"min_quorum":{"type":"number","description":"Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"server_stabilization_time":{"type":"string","description":"Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_raft_snapshot_agent_config":{"version":0,"block":{"attributes":{"aws_access_key_id":{"type":"string","description":"AWS access key ID.","description_kind":"plain","optional":true},"aws_s3_bucket":{"type":"string","description":"S3 bucket to write snapshots to.","description_kind":"plain","optional":true},"aws_s3_disable_tls":{"type":"bool","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes.","description_kind":"plain","optional":true},"aws_s3_enable_kms":{"type":"bool","description":"Use KMS to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_s3_endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio.","description_kind":"plain","optional":true},"aws_s3_force_path_style":{"type":"bool","description":"Use the endpoint/bucket URL style instead of bucket.endpoint.","description_kind":"plain","optional":true},"aws_s3_kms_key":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true","description_kind":"plain","optional":true},"aws_s3_region":{"type":"string","description":"AWS region bucket is in.","description_kind":"plain","optional":true},"aws_s3_server_side_encryption":{"type":"bool","description":"Use AES256 to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"AWS session token.","description_kind":"plain","optional":true},"azure_account_key":{"type":"string","description":"Azure account 
key.","description_kind":"plain","optional":true},"azure_account_name":{"type":"string","description":"Azure account name.","description_kind":"plain","optional":true},"azure_blob_environment":{"type":"string","description":"Azure blob environment.","description_kind":"plain","optional":true},"azure_container_name":{"type":"string","description":"Azure container name to write snapshots to.","description_kind":"plain","optional":true},"azure_endpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite.","description_kind":"plain","optional":true},"file_prefix":{"type":"string","description":"The file or object name of snapshot files will start with this string.","description_kind":"plain","optional":true},"google_disable_tls":{"type":"bool","description":"Disable TLS for the GCS endpoint.","description_kind":"plain","optional":true},"google_endpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.","description_kind":"plain","optional":true},"google_gcs_bucket":{"type":"string","description":"GCS bucket to write snapshots to.","description_kind":"plain","optional":true},"google_service_account_key":{"type":"string","description":"Google service account key in JSON format.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval_seconds":{"type":"number","description":"Number of seconds between snapshots.","description_kind":"plain","required":true},"local_max_space":{"type":"number","description":"The maximum space, in bytes, to use for snapshots.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the snapshot agent configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path_prefix":{"type":"string","description":"The directory or bucket prefix to to use.","description_kind":"plain","required":true},"retain":{"type":"number","description":"How many snapshots are to be kept.","description_kind":"plain","optional":true},"storage_type":{"type":"string","description":"What storage service to send snapshots to. One of \"local\", \"azure-blob\", \"aws-s3\", or \"google-gcs\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_rgp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_saml_auth_backend":{"version":0,"block":{"attributes":{"acs_urls":{"type":["list","string"],"description":"The well-formatted URLs of your Assertion Consumer Service (ACS) that should receive a response from the identity provider.","description_kind":"plain","required":true},"default_role":{"type":"string","description":"The role to use if no role is provided during login.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"entity_id":{"type":"string","description":"The entity ID of the SAML authentication service provider.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_cert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive with 'idp_metadata_url'","description_kind":"plain","optional":true},"idp_entity_id":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"idp_metadata_url":{"type":"string","description":"The metadata URL of the identity provider.","description_kind":"plain","optional":true},"idp_sso_url":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"verbose_logging":{"type":"bool","description":"Log additional, potentially sensitive information during the SAML exchange according to the current logging level. Not recommended for production.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_saml_auth_backend_role":{"version":0,"block":{"attributes":{"bound_attributes":{"type":["map","string"],"description":"Mapping of attribute names to values that are expected to exist in the SAML assertion.","description_kind":"plain","optional":true},"bound_attributes_type":{"type":"string","description":"The type of matching assertion to perform on bound_attributes.","description_kind":"plain","optional":true,"computed":true},"bound_subjects":{"type":["list","string"],"description":"The subject being asserted for SAML authentication.","description_kind":"plain","optional":true},"bound_subjects_type":{"type":"string","description":"The type of matching assertion to perform on bound_subjects.","description_kind":"plain","optional":true,"computed":true},"groups_attribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the user belongs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where SAML Auth engine is mounted.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_association":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Specifies the mount where the secret is located.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the 
destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_name":{"type":"string","description":"Specifies the name of the secret to synchronize.","description_kind":"plain","required":true},"sync_status":{"type":"string","description":"Specifies the status of the association.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Type of sync destination.","description_kind":"plain","required":true},"updated_at":{"type":"string","description":"Duration string stating when the secret was last updated.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_aws_destination":{"version":0,"block":{"attributes":{"access_key_id":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the AWS destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region where to manage the secrets manager entries.","description_kind":"plain","optional":true},"secret_access_key":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true,"sensitive":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_azure_destination":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"Client ID of an Azure app registration.","description_kind":"plain","optional":true},"client_secret":{"type":"string","description":"Client Secret of an Azure app registration.","description_kind":"plain","optional":true,"sensitive":true},"cloud":{"type":"string","description":"Specifies a cloud for the client.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_vault_uri":{"type":"string","description":"URI of an existing Azure Key Vault instance.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name of the Azure destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"ID of the target Azure tenant.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_config":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Disables the syncing process between Vault and external destinations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"queue_capacity":{"type":"number","description":"Maximum number of pending sync operations allowed on the queue.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_gcp_destination":{"version":0,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.","description_kind":"plain","optional":true,"sensitive":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the GCP destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_gh_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Fine-grained or personal access token.","description_kind":"plain","optional":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the github destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"repository_name":{"type":"string","description":"Name of the repository.","description_kind":"plain","optional":true},"repository_owner":{"type":"string","description":"GitHub organization or username that owns the repository.","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_vercel_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Vercel API access token with the permissions to manage environment variables.","description_kind":"plain","required":true,"sensitive":true},"deployment_environments":{"type":["list","string"],"description":"Deployment environments where the environment variables are available. 
Accepts 'development', 'preview' \u0026 'production'.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the Vercel destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"Project ID where to manage environment variables.","description_kind":"plain","required":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"team_id":{"type":"string","description":"Team ID the project belongs to.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the SSH Secret Backend where the CA should be configured","description_kind":"plain","optional":true},"generate_signing_key":{"type":"bool","description":"Whether Vault should generate the signing key pair internally.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"Private key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"public_key":{"type":"string","description":"Public key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_role":{"version":0,"block":{"attributes":{"algorithm_signer":{"type":"string","description_kind":"plain","optional":true,"computed":true},"allow_bare_domains":{"type":"bool","description_kind":"plain","optional":true},"allow_host_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description_kind":"plain","optional":true},"allow_user_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_user_key_ids":{"type":"bool","description_kind":"plain","optional":true},"allowed_critical_options":{"type":"string","description_kind":"plain","optional":true},"allowed_domains":{"type":"string","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allowed_extensions":{"type":"string","description_kind":"plain","optional":true},"allowed_user_key_lengths":{"type":["map","number"],"description_kind":"plain","deprecated":true,"optional":true},"allowed_users":{"type":"string","description_kind":"plain","optional":true},"allowed_users_template":{"type":"bool","description_kind":"plain","optional":true},"backend":{"type":"string","description_kind":"plain","required":true},"cidr_list":{"type":"string","description_kind":"plain","optional":true},"default_critical_options":{"type":["map","string"],"description_kind":"plain","optional":true},"default_extensions":{"type":["map","string"],"description_kind":"plain","
optional":true},"default_user":{"type":"string","description_kind":"plain","optional":true},"default_user_template":{"type":"bool","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id_format":{"type":"string","description_kind":"plain","optional":true},"key_type":{"type":"string","description_kind":"plain","required":true},"max_ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"block_types":{"allowed_user_key_config":{"nesting_mode":"set","block":{"attributes":{"lengths":{"type":["list","number"],"description":"List of allowed key lengths, vault-1.10 and above","description_kind":"plain","required":true},"type":{"type":"string","description":"Key type, choices:\nrsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521","description_kind":"plain","required":true}},"description":"Set of allowed public key types and their relevant configuration","description_kind":"plain"}}},"description_kind":"plain"}},"vault_terraform_cloud_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Terraform Cloud instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault Terraform Cloud mount to 
configure","description_kind":"plain","optional":true},"base_path":{"type":"string","description":"Specifies the base path for the Terraform Cloud or Enterprise API.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Terraform Cloud access token to use.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_creds":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Terraform Cloud secret backend to generate tokens from","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_id":{"type":"string","description":"Associated Vault lease ID, if one exists","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","computed":true},"token":{"type":"string","description":"Terraform Token provided by the Vault backend","description_kind":"plain","computed":true,"sensitive":true},"token_id":{"type":"string","description":"ID of the Terraform Token provided","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Terraform Cloud Secret Backend the role belongs to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum allowed lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Terraform Cloud credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","optional":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Default lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"user_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token":{"version":0,"block":{"attributes":{"client_token":{"type":"string","description":"The client token.","description_kind":"plain","computed":true,"sensitive":true},"display_name":{"type":"string","description":"The display name of the token.","description_kind":"plain","optional":true},"explicit_max_ttl":{"type":"string","description":"The explicit max TTL of the token.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"The token lease duration.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The token lease started on.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the token.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_default_policy":{"type":"bool","description":"Flag to disable the default policy.","description_kind":"plain","optional":true},"no_parent":{"type":"bool","description":"Flag to create a token without parent.","description_kind":"plain","optional":true,"computed":true},"num_uses":{"type":"number","description":"The number of allowed uses of the token.","description_kind":"plain","optional":true,"computed":true},"period":{"type":"string","description":"The period of the token.","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"List of policies.","description_kind":"plain","optional":true},"renew_increment":{"type":"number","description":"The renew increment.","description_kind":"plain","optional":true},"renew_min_lease":{"type":"number","description":"The minimum lease to renew token.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Flag to allow the token to be renewed","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"The token role name.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL period of the token.","description_kind":"plain","optional":true},"wrapped_token":{"type":"string","description":"The client wrapped token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_accessor":{"type":"string","description":"The client wrapping accessor.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL period of the wrapped token.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_entity_aliases":{"type":["set","string"],"description":"Set of allowed entity aliases for this 
role.","description_kind":"plain","optional":true},"allowed_policies":{"type":["set","string"],"description":"List of allowed policies for given role.","description_kind":"plain","optional":true},"allowed_policies_glob":{"type":["set","string"],"description":"Set of allowed policies with glob match for given role.","description_kind":"plain","optional":true},"disallowed_policies":{"type":["set","string"],"description":"List of disallowed policies for given role.","description_kind":"plain","optional":true},"disallowed_policies_glob":{"type":["set","string"],"description":"Set of disallowed policies with glob match for given role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"orphan":{"type":"bool","description":"If true, tokens created against this policy will be orphan tokens.","description_kind":"plain","optional":true},"path_suffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Whether to disable the ability of the token to be renewed past its initial TTL.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated 
token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_alphabet":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the alphabet.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_transform_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"transformations":{"type":["list","string"],"description":"A comma separated string or slice of transformations to use.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_template":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.","description_kind":"plain","optional":true},"decode_formats":{"type":["map","string"],"description":"The map of regular expression templates used to customize decoded outputs.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"encode_format":{"type":"string","description":"The regular expression template used for encoding values.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the template.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_transformation":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"The set of roles allowed to perform this transformation.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"masking_character":{"type":"string","description":"The character used to replace data when in masking mode","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the transformation.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"template":{"type":"string","description":"The name of the template to use.","description_kind":"plain","optional":true},"templates":{"type":["list","string"],"description":"Templates configured for transformation.","description_kind":"plain","optional":true,"computed":true},"tweak_source":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of transformation to perform.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_backend_key":{"version":0,"block":{"attributes":{"allow_plaintext_backup":{"type":"bool","description":"If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"auto_rotate_interval":{"type":"number","description":"Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","deprecated":true,"optional":true,"computed":true},"auto_rotate_period":{"type":"number","description":"Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"convergent_encryption":{"type":"bool","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. 
This requires derived to be set to true.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"Specifies if the key is allowed to be deleted.","description_kind":"plain","optional":true},"derived":{"type":"bool","description":"Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.","description_kind":"plain","optional":true},"exportable":{"type":"bool","description":"Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_size":{"type":"number","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512.","description_kind":"plain","optional":true},"keys":{"type":["list",["map","string"]],"description":"List of key versions in the keyring.","description_kind":"plain","computed":true},"latest_version":{"type":"number","description":"Latest key version in use in the keyring","description_kind":"plain","computed":true},"min_available_version":{"type":"number","description":"Minimum key version available for use.","description_kind":"plain","computed":true},"min_decryption_version":{"type":"number","description":"Minimum key version to use for decryption.","description_kind":"plain","optional":true},"min_encryption_version":{"type":"number","description":"Minimum key version to use for encryption","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the encryption key to create.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"supports_decryption":{"type":"bool","description":"Whether or not the key supports decryption, based on key type.","description_kind":"plain","computed":true},"supports_derivation":{"type":"bool","description":"Whether or not the key supports derivation, based on key type.","description_kind":"plain","computed":true},"supports_encryption":{"type":"bool","description":"Whether or not the key supports encryption, based on key type.","description_kind":"plain","computed":true},"supports_signing":{"type":"bool","description":"Whether or not the key supports signing, based on key type.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_cache_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"size":{"type":"number","description":"Number of cache entries. 
A size of 0 mean unlimited.","description_kind":"plain","required":true}},"description_kind":"plain"}}},"data_source_schemas":{"vault_ad_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"AD Secret Backend to read credentials from.","description_kind":"plain","required":true},"current_password":{"type":"string","description":"Password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the service account.","description_kind":"plain","computed":true}},"description_kind":"plain","deprecated":true}},"vault_approle_auth_backend_role_id":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend.","description_kind":"plain","computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration in seconds","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint.","description_kind":"plain","computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration in seconds","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The auth backend mount point.","description_kind":"plain","required":true},"type":{"type":"string","description":"The name of the auth backend.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_auth_backends":{"version":0,"block":{"attributes":{"accessors":{"type":["list","string"],"description":"The accessors of the auth backends.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"The auth backend mount points.","description_kind":"plain","computed":true},"type":{"type":"string","description":"The type of the auth backend.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform 
was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region the read credentials belong to.","description_kind":"plain","optional":true},"role":{"type":"string","description":"AWS Secret Role to read credentials from.","description_kind":"plain","required":true},"role_arn":{"type":"string","description":"ARN to use if multiple are available in the role. Required if the role has multiple ARNs.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"security_token":{"type":"string","description":"AWS security token read from Vault. (Only returned if type is 'sts').","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"User specified Time-To-Live for the STS token. Uses the Role defined default_sts_ttl when not specified","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of credentials to read. Must be either 'creds' for Access Key and Secret Key, or 'sts' for STS.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_static_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Azure Secret Backend to read credentials from.","description_kind":"plain","required":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs.","description_kind":"plain","computed":true,"sensitive":true},"environment":{"type":"string","description":"The Azure environment to use during credential validation.\nDefaults to the environment configured in the Vault backend.\nSome possible values: AzurePublicCloud, AzureUSGovernmentCloud","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"max_cred_validation_seconds":{"type":"number","description":"If 'validate_creds' is true, the number of seconds after which to give up validating 
credentials.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"num_seconds_between_tests":{"type":"number","description":"If 'validate_creds' is true, the number of seconds to wait between each test of generated credentials.","description_kind":"plain","optional":true},"num_sequential_successes":{"type":"number","description":"If 'validate_creds' is true, the number of sequential successes required to validate generated credentials.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Azure Secret Role to read credentials from.","description_kind":"plain","required":true},"subscription_id":{"type":"string","description":"The subscription ID to use during credential validation. Defaults to the subscription ID configured in the Vault backend","description_kind":"plain","optional":true},"tenant_id":{"type":"string","description":"The tenant ID to use during credential validation. 
Defaults to the tenant ID configured in the Vault backend","description_kind":"plain","optional":true},"validate_creds":{"type":"bool","description":"Whether generated credentials should be validated before being returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the GCP auth role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path from which a secret will be read.","description_kind":"plain","required":true},"version":{"type":"number","description_kind":"plain","optional":true},"with_lease_start_time":{"type":"bool","description":"If set to true, stores 'lease_start_time' in the TF state.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"aliases":{"type":["set",["object",{"canonical_id":"string","creation_time":"string","id":"string","last_update_time":"string","merged_from_canonical_ids":["set","string"],"metadata":["map","string"],"mount_accessor":"string","mount_path":"string","mount_type":"string","name":"string"}]],"description_kind":"plain","computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Entity data from Vault in JSON String form","description_kind":"plain","computed":true},"direct_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"disabled":{"type":"bool","description_kind":"plain","computed":true},"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","optional":true,"computed":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inherited_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"merged_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"alias_canonical_id":{"type":"string","description_kind":"plain","computed":true},"alias_creation_time":{"type":"string","description_kind":"plain","computed":true},"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_last_update_time":{"type":"string","description_kind":"plain","computed":true},"alias_merged_from_canonical_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"alias_metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_mount_path":{"type":"string","description_kind":"plain","computed":true},"alias_mount_type":{"type":"string","description_kind":"plain","computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Group data from Vault in JSON String form","description_kind":"plain","computed":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","optional":true,"computed":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"member_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"member_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"modify_index":{"type":"number","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"parent_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_client_creds":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_openid_config":{"version":0,"block":{"attributes":{"authorization_endpoint":{"type":"string","description":"The Authorization Endpoint for the provider.","description_kind":"plain","computed":true},"grant_types_supported":{"type":["list","string"],"description":"The grant types supported by the provider.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_signing_alg_values_supported":{"type":["list","string"],"description":"The signing algorithms supported by the provider.","description_kind":"plain","computed":true},"issuer":{"type":"string","description":"The URL of the issuer for the provider.","description_kind":"plain","computed":true},"jwks_uri":{"type":"string","description":"The well known keys URI for the 
provider.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"request_uri_parameter_supported":{"type":"bool","description":"Specifies whether Request URI Parameter is supported by the provider.","description_kind":"plain","computed":true},"response_types_supported":{"type":["list","string"],"description":"The response types supported by the provider.","description_kind":"plain","computed":true},"scopes_supported":{"type":["list","string"],"description":"The scopes supported by the provider.","description_kind":"plain","computed":true},"subject_types_supported":{"type":["list","string"],"description":"The subject types supported by the provider.","description_kind":"plain","computed":true},"token_endpoint":{"type":"string","description":"The Token Endpoint for the provider.","description_kind":"plain","computed":true},"token_endpoint_auth_methods_supported":{"type":["list","string"],"description":"The token endpoint auth methods supported by the provider.","description_kind":"plain","computed":true},"userinfo_endpoint":{"type":"string","description":"The User Info Endpoint for the provider.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_public_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"keys":{"type":["list",["map","string"]],"description":"The public portion of keys for an OIDC provider. Clients can use them to validate the authenticity of an identity token.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Method used for generating identity aliases.","description_kind":"plain","computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to \"*\" all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","computed":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_service_account_token":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Kubernetes secret backend to generate service account tokens from.","description_kind":"plain","required":true},"cluster_role_binding":{"type":"bool","description":"If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a 
namespace.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_namespace":{"type":"string","description":"The name of the Kubernetes namespace in which to generate the credentials.","description_kind":"plain","required":true},"lease_duration":{"type":"number","description":"The duration of the lease in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"The lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The name of the service account associated with the token.","description_kind":"plain","computed":true},"service_account_namespace":{"type":"string","description":"The Kubernetes namespace that the service account resides in.","description_kind":"plain","computed":true},"service_account_token":{"type":"string","description":"The Kubernetes service account token.","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_subkeys_v2":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Subkeys stored as a map of strings.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"Subkeys for the KV-V2 secret read from Vault.","description_kind":"plain","computed":true},"depth":{"type":"number","description":"Specifies the deepest nesting level to provide in the output.If non-zero, keys that reside at the specified depth value will be artificially treated as leaves and will thus be 'null' even if further underlying sub-keys exist.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. 
For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Specifies the version to return. If not set the latest version is returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"created_time":{"type":"string","description":"Time at which the secret was created","description_kind":"plain","computed":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata for the secret","description_kind":"plain","computed":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"deletion_time":{"type":"string","description":"Deletion time for the secret","description_kind":"plain","computed":true},"destroyed":{"type":"bool","description":"Indicates whether the secret has been destroyed","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KVV2 secret is written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Version of the secret to retrieve","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secrets_list":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full KV-V1 path where secrets will be listed.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secrets_list_v2":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full named path of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","optional":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secrets are listed.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_dynamic_credentials":{"version":0,"block":{"attributes":{"distinguished_names":{"type":["list","string"],"description":"List of the distinguished names (DN) created.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the dynamic role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the dynamic role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_static_credentials":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this static role's password.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","computed":true},"ttl":{"type":"number","description":"Duration in seconds after which the issued credential should expire.","description_kind":"plain","computed":true},"username":{"type":"string","description":"Name of the static role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_nomad_access_token":{"version":0,"block":{"attributes":{"accessor_id":{"type":"string","description":"The public identifier for a specific token. It can be used to look up information about a token or to revoke a token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Nomad secret backend to generate tokens from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"Used to make requests to Nomad and should be kept private.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Name of the issuer.","description_kind":"plain","computed":true},"issuer_ref":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","required":true},"key_id":{"type":"string","description":"ID of the key used by the issuer.","description_kind":"plain","computed":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during issuance.","description_kind":"plain","computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"usage":{"type":"string","description":"Allowed usages for this issuer.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of issuer strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key info data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used by issuers under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the key used.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","computed":true},"key_ref":{"type":"string","description":"Reference to an existing key.","description_kind":"plain","required":true},"key_type":{"type":"string","description":"Type of the key.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_keys":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of key strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy_document":{"version":0,"block":{"attributes":{"hcl":{"type":"string","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"rule":{"nesting_mode":"list","block":{"attributes":{"capabilities":{"type":["list","string"],"description_kind":"plain","required":true},"description":{"type":"string","description_kind":"plain","optional":true},"max_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"min_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","required":true},"required_parameters":{"type":["list","string"],"description_kind":"plain","optional":true}},"block_types":{"allowed_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}},"denied_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}}},"description":"The policy rule","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot_state":{"version":0,"block":{"attributes":{"failure_tolerance":{"type":"number","description":"How many nodes could fail before the cluster becomes unhealthy","description_kind":"plain","computed":true},"healthy":{"type":"bool","description":"Health status","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"leader":{"type":"string","description":"Current leader of Vault","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"optimistic_failure_tolerance":{"type":"number","description":"The cluster-level optimistic failure tolerance.","description_kind":"plain","computed":true},"redundancy_zones":{"type":["map","string"],"description":"Additional output related to redundancy zones stored as a map of strings.","description_kind":"plain","computed":true},"redundancy_zones_json":{"type":"string","description":"Subkeys for the redundancy zones read from Vault.","description_kind":"plain","computed":true},"servers":{"type":["map","string"],"description":"Additional output related to servers stored as a map of strings.","description_kind":"plain","computed":true},"servers_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"upgrade_info":{"type":["map","string"],"description":"Additional output related to upgrade info stored as a map of strings.","description_kind":"plain","computed":true},"upgrade_info_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"voters":{"type":["list","string"],"description":"The voters in the Vault cluster.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_transform_decode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be decoded in a single batch. If this parameter is set, the top-level parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of decoding batch_input.","description_kind":"plain","optional":true,"computed":true},"decoded_value":{"type":"string","description":"The result of decoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to decode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_encode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be encoded in a single batch. If this parameter is set, the parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of encoding batch_input.","description_kind":"plain","optional":true,"computed":true},"encoded_value":{"type":"string","description":"The result of encoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. 
Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to encode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_decrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","required":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the decryption key to use.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Decrypted plain text","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_transit_encrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","computed":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the encryption key to use.","description_kind":"plain","required":true},"key_version":{"type":"number","description":"The version of the key to use for encryption","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Map of strings read from Vault.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}}}}}} +{"format_version":"1.0","provider_schemas":{"registry.terraform.io/hashicorp/vault":{"provider":{"version":0,"block":{"attributes":{"add_address_to_env":{"type":"string","description":"If true, adds the value of the `address` argument to the Terraform process environment.","description_kind":"plain","optional":true},"address":{"type":"string","description":"URL of the root of the target Vault server.","description_kind":"plain","required":true},"ca_cert_dir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate.","description_kind":"plain","optional":true},"ca_cert_file":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum TTL for secret leases requested by this provider.","description_kind":"plain","optional":true},"max_retries":{"type":"number","description":"Maximum number of retries when a 5xx error code is encountered.","description_kind":"plain","optional":true},"max_retries_ccc":{"type":"number","description":"Maximum number of retries for Client Controlled Consistency related operations","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The namespace to use. 
Available only for Vault Enterprise.","description_kind":"plain","optional":true},"set_namespace_from_token":{"type":"bool","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources.","description_kind":"plain","optional":true},"skip_child_token":{"type":"bool","description":"Set this to true to prevent the creation of ephemeral child token used by this provider.","description_kind":"plain","optional":true},"skip_get_vault_version":{"type":"bool","description":"Skip the dynamic fetching of the Vault server version.","description_kind":"plain","optional":true},"skip_tls_verify":{"type":"bool","description":"Set this to true only if the target Vault server is an insecure development instance.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"Name to use as the SNI host when connecting via TLS.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Token to use to authenticate to Vault.","description_kind":"plain","optional":true},"token_name":{"type":"string","description":"Token name to use for creating the Vault child token.","description_kind":"plain","optional":true},"vault_version_override":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server","description_kind":"plain","optional":true}},"block_types":{"auth_login":{"nesting_mode":"list","block":{"attributes":{"method":{"type":"string","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"parameters":{"type":["map","string"],"description_kind":"plain","optional":true,"sensitive":true},"path":{"type":"string","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login","description_kind":"plain"},"max_items":1},"auth_login_aws":{"nesting_mode":"list","block":{"attributes":{"aws_access_key_id":{"type":"string","description":"The AWS access key ID.","description_kind":"plain","optional":true},"aws_iam_endpoint":{"type":"string","description":"The IAM endpoint URL.","description_kind":"plain","optional":true},"aws_profile":{"type":"string","description":"The name of the AWS profile.","description_kind":"plain","optional":true},"aws_region":{"type":"string","description":"The AWS region.","description_kind":"plain","optional":true},"aws_role_arn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_role_session_name":{"type":"string","description":"Specifies the name to attach to the AWS role session. 
Used during STS AssumeRole","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"The AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"The AWS session token.","description_kind":"plain","optional":true},"aws_shared_credentials_file":{"type":"string","description":"Path to the AWS shared credentials file.","description_kind":"plain","optional":true},"aws_sts_endpoint":{"type":"string","description":"The STS endpoint URL.","description_kind":"plain","optional":true},"aws_web_identity_token_file":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.","description_kind":"plain","optional":true},"header_value":{"type":"string","description":"The Vault header value to include in the STS signing request.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"The Vault role to use when logging into Vault.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the AWS method","description_kind":"plain"},"max_items":1},"auth_login_azure":{"nesting_mode":"list","block":{"attributes":{"client_id":{"type":"string","description":"The identity's client ID.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token. 
If not specified on will be created automatically","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"resource_group_name":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"scope":{"type":"string","description":"The scopes to include in the token request.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"vm_name":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.","description_kind":"plain","optional":true},"vmss_name":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. 
This information can be obtained through instance metadata.","description_kind":"plain","optional":true}},"description":"Login to vault using the azure method","description_kind":"plain"},"max_items":1},"auth_login_cert":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","required":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the certificate's role","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the cert method","description_kind":"plain"},"max_items":1},"auth_login_gcp":{"nesting_mode":"list","block":{"attributes":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.","description_kind":"plain","optional":true},"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"service_account":{"type":"string","description":"IAM service account.","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the gcp method","description_kind":"plain"},"max_items":1},"auth_login_jwt":{"nesting_mode":"list","block":{"attributes":{"jwt":{"type":"string","description":"A signed JSON Web Token.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the jwt method","description_kind":"plain"},"max_items":1},"auth_login_kerberos":{"nesting_mode":"list","block":{"attributes":{"disable_fast_negotiation":{"type":"bool","description":"Disable the Kerberos FAST negotiation.","description_kind":"plain","optional":true},"keytab_path":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.","description_kind":"plain","optional":true},"krb5conf_path":{"type":"string","description":"A valid Kerberos configuration file e.g. 
/etc/krb5.conf.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain","description_kind":"plain","optional":true},"remove_instance_name":{"type":"bool","description":"Strip the host from the username found in the keytab.","description_kind":"plain","optional":true},"service":{"type":"string","description":"The service principle name.","description_kind":"plain","optional":true},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to login into Kerberos with.","description_kind":"plain","optional":true}},"description":"Login to vault using the kerberos method","description_kind":"plain"},"max_items":1},"auth_login_oci":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Authentication type to use when getting OCI credentials.","description_kind":"plain","required":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the OCI method","description_kind":"plain"},"max_items":1},"auth_login_oidc":{"nesting_mode":"list","block":{"attributes":{"callback_address":{"type":"string","description":"The callback address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"callback_listener_address":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the login role.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using the oidc method","description_kind":"plain"},"max_items":1},"auth_login_radius":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. 
Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"The Radius password for username.","description_kind":"plain","required":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"The Radius username.","description_kind":"plain","required":true}},"description":"Login to vault using the radius method","description_kind":"plain"},"max_items":1},"auth_login_token_file":{"nesting_mode":"list","block":{"attributes":{"filename":{"type":"string","description":"The name of a file containing a single line that is a valid Vault token","description_kind":"plain","required":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. Conflicts with namespace","description_kind":"plain","optional":true}},"description":"Login to vault using ","description_kind":"plain"},"max_items":1},"auth_login_userpass":{"nesting_mode":"list","block":{"attributes":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace","description_kind":"plain","optional":true},"password":{"type":"string","description":"Login with password","description_kind":"plain","optional":true},"password_file":{"type":"string","description":"Login with password from a file","description_kind":"plain","optional":true},"use_root_namespace":{"type":"bool","description":"Authenticate to the root Vault namespace. 
Conflicts with namespace","description_kind":"plain","optional":true},"username":{"type":"string","description":"Login with username","description_kind":"plain","required":true}},"description":"Login to vault using the userpass method","description_kind":"plain"},"max_items":1},"client_auth":{"nesting_mode":"list","block":{"attributes":{"cert_file":{"type":"string","description":"Path to a file containing the client certificate.","description_kind":"plain","optional":true},"key_file":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.","description_kind":"plain","optional":true}},"description":"Client authentication credentials.","description_kind":"plain","deprecated":true},"max_items":1},"headers":{"nesting_mode":"list","block":{"attributes":{"name":{"type":"string","description":"The header name","description_kind":"plain","required":true},"value":{"type":"string","description":"The header value","description_kind":"plain","required":true}},"description":"The headers to send with each Vault request.","description_kind":"plain"}}},"description_kind":"plain"}},"resource_schemas":{"vault_ad_secret_backend":{"version":1,"block":{"attributes":{"anonymous_group_search":{"type":"bool","description":"Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for a backend, for example, the path given in \"$ vault auth enable -path=my-ad ad\".","description_kind":"plain","optional":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user 
DN.","description_kind":"plain","required":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description":"If true, case sensitivity will be used when comparing usernames and groups for matching policies.","description_kind":"plain","optional":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"deny_null_bind":{"type":"bool","description":"Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description":"Use anonymous bind to discover the bind DN of a user.","description_kind":"plain","optional":true},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate user group membership. Examples: \"cn\" or \"memberOf\", etc. 
Default: cn","description_kind":"plain","optional":true},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)","description_kind":"plain","optional":true},"groupfilter":{"type":"string","description":"Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"last_rotation_tolerance":{"type":"number","description":"The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"In seconds, the maximum password time-to-live.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description":"Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12'","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true},"use_pre111_group_cn_behavior":{"type":"bool","description":"In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. 
It is enabled by default if the config is upgraded but disabled by default on new configurations.","description_kind":"plain","optional":true,"computed":true},"use_token_groups":{"type":"bool","description":"If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.","description_kind":"plain","optional":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_library":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time, in seconds, a check-out last with renewal before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set. 
These service accounts must already exist in Active Directory.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The amount of time, in seconds, a single check-out lasts before Vault automatically checks it back in.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain","deprecated":true}},"vault_ad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the AD backend.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this service account's password.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password_last_set":{"type":"string","description":"Last time Vault set this service account's password.","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The username/logon name for the service account with which this role will be associated.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"In seconds, the default password time-to-live.","description_kind":"plain","optional":true}},"description_kind":"plain","deprecated":true}},"vault_alicloud_auth_backend_role":{"version":0,"block":{"attributes":{"arn":{"type":"string","description":"The role's arn.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Auth backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of the role reflected in the arn.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor for the token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The 
token.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"How long the token is valid for.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The timestamp the lease started on, as determined by the machine running Terraform.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with the token.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies set on the token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"Whether the token is renewable or not.","description_kind":"plain","computed":true},"role_id":{"type":"string","description":"The RoleID to log in with.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to log in with.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bind_secret_id":{"type":"bool","description":"Whether or not to require secret_id to be present when logging in using this AppRole.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role. 
Autogenerated if not set.","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id_bound_cidrs":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the AppRole.","description_kind":"plain","optional":true},"secret_id_num_uses":{"type":"number","description":"Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses.","description_kind":"plain","optional":true},"secret_id_ttl":{"type":"number","description":"Number of seconds a SecretID remains valid for.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in 
seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_approle_auth_backend_role_secret_id":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The unique ID used to access this SecretID.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cidr_list":{"type":["set","string"],"description":"List of CIDR blocks that can log in using the SecretID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"The SecretID to be managed. If not specified, Vault auto-generates one.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"with_wrapped_accessor":{"type":"bool","description":"Use the wrapped secret-id accessor as the id of this resource. 
If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping.","description_kind":"plain","optional":true},"wrapping_accessor":{"type":"string","description":"The wrapped SecretID accessor.","description_kind":"plain","computed":true},"wrapping_token":{"type":"string","description":"The wrapped SecretID token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL duration of the wrapped SecretID.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_audit":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"Human-friendly description of the audit device.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Configuration options to pass to the audit device itself.","description_kind":"plain","required":true},"path":{"type":"string","description":"Path in which to enable the audit device.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_audit_request_header":{"version":0,"block":{"attributes":{"hmac":{"type":"bool","description":"Whether this header's value should be HMAC'd in the audit logs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the request header to audit.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend. This defaults to the type.","description_kind":"plain","optional":true,"computed":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Name of the auth backend","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_auth_backend_cert":{"version":0,"block":{"attributes":{"aws_public_cert":{"type":"string","description":"Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"cert_name":{"type":"string","description":"Name of the certificate to configure.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of document that can be verified using the certificate. 
Must be either \"pkcs7\" or \"identity\".","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_client":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS Access key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS EC2 API calls.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS IAM API calls.","description_kind":"plain","optional":true},"iam_server_id_header_value":{"type":"string","description":"The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"max_retries":{"type":"number","description":"Number of max retries the client should use for recoverable errors.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_arn":{"type":"string","description":"Role ARN to assume for plugin identity token federation.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"URL to override the default generated endpoint for making AWS STS API calls.","description_kind":"plain","optional":true},"sts_region":{"type":"string","description":"Region to override the default region for making AWS STS API calls.","description_kind":"plain","optional":true},"use_sts_region_from_client":{"type":"bool","description":"If set, will override sts_region and use the region from the client request's header","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_config_identity":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"ec2_alias":{"type":"string","description":"Configures how to generate the identity alias when using the ec2 auth method.","description_kind":"plain","optional":true},"ec2_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"iam_alias":{"type":"string","description":"How to generate the identity alias when using the iam auth method.","description_kind":"plain","optional":true},"iam_metadata":{"type":["set","string"],"description":"The metadata to include on the token returned by the login endpoint.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_identity_whitelist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the identiy whitelist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_login":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor returned from Vault for this token.","description_kind":"plain","computed":true},"auth_type":{"type":"string","description":"The auth method used to generate this token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"AWS Auth Backend to read the token from.","description_kind":"plain","optional":true},"client_token":{"type":"string","description":"The token returned by Vault.","description_kind":"plain","computed":true,"sensitive":true},"iam_http_request_method":{"type":"string","description":"The HTTP method used in the signed request.","description_kind":"plain","optional":true},"iam_request_body":{"type":"string","description":"The Base64-encoded body of the signed request.","description_kind":"plain","optional":true},"iam_request_headers":{"type":"string","description":"The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request 
headers.","description_kind":"plain","optional":true},"iam_request_url":{"type":"string","description":"The Base64-encoded HTTP URL used in the signed request.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity":{"type":"string","description":"Base64-encoded EC2 instance identity document to authenticate with.","description_kind":"plain","optional":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"The metadata reported by the Vault server.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"nonce":{"type":"string","description":"The nonce to be used for subsequent login requests.","description_kind":"plain","optional":true,"computed":true},"pkcs7":{"type":"string","description":"PKCS7 signature of the identity document to authenticate with, with all newline characters removed.","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"The policies assigned to this token.","description_kind":"plain","computed":true},"renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"role":{"type":"string","description":"AWS Auth Role to read the token from.","description_kind":"plain","optional":true,"computed":true},"signature":{"type":"string","description":"Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate 
with.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"When true, allows migration of the underlying instance where the client resides. Use with caution.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"The auth type permitted for this role.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_account_ids":{"type":["set","string"],"description":"Only EC2 instances with this account ID in their identity document will be permitted to log in.","description_kind":"plain","optional":true},"bound_ami_ids":{"type":["set","string"],"description":"Only EC2 instances using this AMI ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_ec2_instance_ids":{"type":["set","string"],"description":"Only EC2 instances that match this instance ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_instance_profile_arns":{"type":["set","string"],"description":"Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in.","description_kind":"plain","optional":true},"bound_iam_principal_arns":{"type":["set","string"],"description":"The IAM principal that must be authenticated using the iam auth method.","description_kind":"plain","optional":true},"bound_iam_role_arns":{"type":["set","string"],"description":"Only EC2 instances that match this IAM role ARN will be permitted to log in.","description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description":"Only EC2 instances in this region will be permitted to log in.","description_kind":"plain","optional":true},"bound_subnet_ids":{"type":["set","string"],"description":"Only EC2 
instances associated with this subnet ID will be permitted to log in.","description_kind":"plain","optional":true},"bound_vpc_ids":{"type":["set","string"],"description":"Only EC2 instances associated with this VPC ID will be permitted to log in.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"When true, only allows a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inferred_aws_region":{"type":"string","description":"The region to search for the inferred entities in.","description_kind":"plain","optional":true},"inferred_entity_type":{"type":"string","description":"The type of inferencing Vault should do.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resolve_aws_unique_ids":{"type":"bool","description":"Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. 
When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_id":{"type":"string","description":"The Vault generated role ID.","description_kind":"plain","computed":true},"role_tag":{"type":"string","description":"The key of the tag on EC2 instance to use for role tags.","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_role_tag":{"version":0,"block":{"attributes":{"allow_instance_migration":{"type":"bool","description":"Allows migration of the underlying instance where the client resides.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"AWS auth backend to read tags from.","description_kind":"plain","optional":true},"disallow_reauthentication":{"type":"bool","description":"Only allow a single token to be granted per instance ID.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"instance_id":{"type":"string","description":"Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of tokens issued using this role.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be associated with the tag.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"tag_key":{"type":"string","description_kind":"plain","computed":true},"tag_value":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_aws_auth_backend_roletag_blacklist":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","required":true},"disable_periodic_tidy":{"type":"bool","description":"If true, disables the periodic tidying of the roletag blacklist entries.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"safety_buffer":{"type":"number","description":"The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_auth_backend_sts_role":{"version":0,"block":{"attributes":{"account_id":{"type":"string","description":"AWS account ID to be associated with STS role.","description_kind":"plain","required":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"sts_role":{"type":"string","description":"AWS ARN for STS role to be assumed when interacting with the account specified.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_aws_secret_backend":{"version":1,"block":{"attributes":{"access_key":{"type":"string","description":"The AWS Access Key ID to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"iam_endpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1.","description_kind":"plain","optional":true,"computed":true},"role_arn":{"type":"string","description":"Role ARN to assume for plugin identity token federation.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","description_kind":"plain","optional":true,"sensitive":true},"sts_endpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_aws_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the AWS Secret Backend the role belongs to.","description_kind":"plain","required":true},"credential_type":{"type":"string","description":"Role credential type.","description_kind":"plain","required":true},"default_sts_ttl":{"type":"number","description":"The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"external_id":{"type":"string","description":"External ID to set for assume role creds.","description_kind":"plain","optional":true},"iam_groups":{"type":["set","string"],"description":"A list of IAM group names. 
IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.","description_kind":"plain","optional":true},"iam_tags":{"type":["map","string"],"description":"A map of strings representing key/value pairs used as tags for any IAM user created by this role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_sts_ttl":{"type":"number","description":"The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"permissions_boundary_arn":{"type":"string","description":"The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.","description_kind":"plain","optional":true},"policy_arns":{"type":["set","string"],"description":"ARN for an existing IAM policy the role should use.","description_kind":"plain","optional":true},"policy_document":{"type":"string","description":"IAM policy the role should use in JSON format.","description_kind":"plain","optional":true},"role_arns":{"type":["set","string"],"description":"ARNs of AWS roles allowed to be assumed. 
Only valid when credential_type is 'assumed_role'","description_kind":"plain","optional":true},"session_tags":{"type":["map","string"],"description":"Session tags to be set for assume role creds created.","description_kind":"plain","optional":true},"user_path":{"type":"string","description":"The path for the user name. Valid only when credential_type is iam_user. Default is /","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path where the AWS secrets backend is mounted.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"username":{"type":"string","description":"The username of the existing AWS IAM user to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_azure_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. 
Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"resource":{"type":"string","description":"The configured URL for the application registered in Azure Active Directory.","description_kind":"plain","required":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_auth_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_group_ids":{"type":["list","string"],"description":"The list of group ids that login is restricted to.","description_kind":"plain","optional":true},"bound_locations":{"type":["list","string"],"description":"The list of locations that login is restricted to.","description_kind":"plain","optional":true},"bound_resource_groups":{"type":["list","string"],"description":"The list of resource groups that login is 
restricted to.","description_kind":"plain","optional":true},"bound_scale_sets":{"type":["list","string"],"description":"The list of scale set names that the login is restricted to.","description_kind":"plain","optional":true},"bound_service_principal_ids":{"type":["list","string"],"description":"The list of Service Principal IDs that login is restricted to.","description_kind":"plain","optional":true},"bound_subscription_ids":{"type":["list","string"],"description":"The list of subscription IDs that login is restricted to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's 
Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_azure_secret_backend":{"version":1,"block":{"attributes":{"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required.","description_kind":"plain","optional":true,"sensitive":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"environment":{"type":"string","description":"The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated identity tokens in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"subscription_id":{"type":"string","description":"The subscription id for the Azure Active Directory.","description_kind":"plain","required":true,"sensitive":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization.","description_kind":"plain","required":true,"sensitive":true},"use_microsoft_graph_api":{"type":"bool","description":"Use the Microsoft Graph API. Should be set to true on vault-1.10+","description_kind":"plain","deprecated":true,"optional":true,"computed":true}},"description_kind":"plain"}},"vault_azure_secret_backend_role":{"version":0,"block":{"attributes":{"application_object_id":{"type":"string","description":"Application Object ID for an existing service principal that will be used instead of creating dynamic service principals.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"permanently_delete":{"type":"bool","description":"Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role to create","description_kind":"plain","required":true},"sign_in_audience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount","description_kind":"plain","optional":true},"tags":{"type":["list","string"],"description":"Comma-separated strings of Azure tags to attach to an application.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true}},"block_types":{"azure_groups":{"nesting_mode":"set","block":{"attributes":{"group_name":{"type":"string","description_kind":"plain","required":true},"object_id":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"azure_roles":{"nesting_mode":"set","block":{"attributes":{"role_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"scope":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_cert_auth_backend_role":{"version":1,"block":{"attributes":{"allowed_common_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_dns_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_email_sans":{"type":["set","string"],"description_kind":"plain","op
tional":true,"computed":true},"allowed_names":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"allowed_organizational_units":{"type":["set","string"],"description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"certificate":{"type":"string","description_kind":"plain","required":true},"display_name":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_ca_certificates":{"type":"string","description":"Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data.","description_kind":"plain","optional":true},"ocsp_enabled":{"type":"bool","description":"If enabled, validate certificates' revocation status using OCSP.","description_kind":"plain","optional":true,"computed":true},"ocsp_fail_open":{"type":"bool","description":"If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked.","description_kind":"plain","optional":true,"computed":true},"ocsp_query_all_servers":{"type":"bool","description":"If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree.","description_kind":"plain","optional":true,"computed":true},"ocsp_servers_override":{"type":["set","string"],"description":"A comma-separated list of OCSP server addresses. 
If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected.","description_kind":"plain","optional":true},"required_extensions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_config_ui_custom_message":{"version":0,"block":{"attributes":{"authenticated":{"type":"bool","description":"A flag indicating whether the custom message is displayed pre-login (false) or post-login (true)","description_kind":"plain","optional":true},"end_time":{"type":"string","description":"The ending time of the active period 
of the custom message. Can be omitted for non-expiring message","description_kind":"plain","optional":true},"id":{"type":"string","description":"The unique ID for the custom message","description_kind":"plain","computed":true},"message_base64":{"type":"string","description":"The base64-encoded content of the custom message","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"A map containing additional options for the custom message","description_kind":"plain","optional":true},"start_time":{"type":"string","description":"The starting time of the active period of the custom message","description_kind":"plain","required":true},"title":{"type":"string","description":"The title of the custom message","description_kind":"plain","required":true},"type":{"type":"string","description":"The display type of custom message. Allowed values are banner and modal","description_kind":"plain","optional":true}},"block_types":{"link":{"nesting_mode":"set","block":{"attributes":{"href":{"type":"string","description":"The URL of the hyperlink","description_kind":"plain","required":true},"title":{"type":"string","description":"The title of the hyperlink","description_kind":"plain","required":true}},"description":"A block containing a hyperlink associated with the custom message","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_consul_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","required":true},"bootstrap":{"type":"bool","description":"Denotes a backend resource that is used to bootstrap the Consul ACL system. 
Only one resource may be used to bootstrap.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the secret backend is local only","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the Vault Consul mount to configure","description_kind":"plain","optional":true},"scheme":{"type":"string","description":"Specifies the URL scheme to use. 
Defaults to \"http\".","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_consul_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Consul Secret Backend the role belongs to.","description_kind":"plain","optional":true},"consul_namespace":{"type":"string","description":"The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+","description_kind":"plain","optional":true,"computed":true},"consul_policies":{"type":["set","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"consul_roles":{"type":["set","string"],"description":"Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.","description_kind":"plain","optional":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Consul credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"node_identities":{"type":["set","string"],"description":"Set of Consul node identities to attach to\n\t\t\t\tthe token. 
Applicable for Vault 1.11+ with Consul 1.8+","description_kind":"plain","optional":true},"partition":{"type":"string","description":"The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+","description_kind":"plain","optional":true,"computed":true},"policies":{"type":["list","string"],"description":"List of Consul policies to associate with this role","description_kind":"plain","optional":true},"service_identities":{"type":["set","string"],"description":"Set of Consul service identities to attach to\n\t\t\t\tthe token. Applicable for Vault 1.11+ with Consul 1.5+","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Specifies the TTL for this role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_connection":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault mount to configure.","description_kind":"plain","required":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when 
connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"},"max_items":1},"couchbase":{"nesting_mode":"list","block":{"attributes":{"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin 
plugin.","description_kind":"plain"},"max_items":1},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"},"max_items":1},"hana":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the 
database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"},"max_items":1},"influxdb":{"nesting_mode":"list","block":{"attributes":{"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA 
certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodb":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection 
URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mssql":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when the target is a Contained Database, e.g. 
AzureSQL.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"},"max_items":1},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"},"max_items":1},"oracle":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation 
template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"},"max_items":1},"postgresql":{"nesting_mode":"list","block":{"attributes":{"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis":{"nesting_mode":"list","block":{"attributes":{"ca_cert":{"type":"string","description":"The 
contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"},"max_items":1},"redshift":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"},"max_items":1},"snowflake":{"nesting_mode":"list","block":{"attributes":{"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be 
reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_database_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"creation_statements":{"type":["list","string"],"description":"Database statements to execute to create and configure a user.","description_kind":"plain","required":true},"credential_config":{"type":["map","string"],"description":"Specifies the configuration for the given credential_type.","description_kind":"plain","optional":true},"credential_type":{"type":"string","description":"Specifies the type of credential that will be generated for the role.","description_kind":"plain","optional":true,"computed":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Default TTL for leases associated with this role, in 
seconds.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum TTL for leases associated with this role, in seconds.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"renew_statements":{"type":["list","string"],"description":"Database statements to execute to renew a user.","description_kind":"plain","optional":true},"revocation_statements":{"type":["list","string"],"description":"Database statements to execute to revoke a user.","description_kind":"plain","optional":true},"rollback_statements":{"type":["list","string"],"description":"Database statements to execute to rollback a create operation in the event of an error.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_database_secret_backend_static_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Database Secret Backend the role belongs to.","description_kind":"plain","required":true},"db_name":{"type":"string","description":"Database connection to use for this role.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the static role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"The amount of time Vault should wait before rotating the password, in seconds.","description_kind":"plain","optional":true},"rotation_schedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.","description_kind":"plain","optional":true},"rotation_statements":{"type":["list","string"],"description":"Database statements to execute to rotate the password for the configured database user.","description_kind":"plain","optional":true},"rotation_window":{"type":"number","description":"The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The database username that this role corresponds to.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_database_secrets_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data 
object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"engine_count":{"type":"number","description":"Total number of database secret engines configured under the mount.","description_kind":"plain","computed":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true}},"block_types":{"cassandra":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"Cassandra hosts to connect to.","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.","description_kind":"plain","optional":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Cassandra.","description_kind":"plain","optional":true},"protocol_version":{"type":"number","description":"The CQL protocol version to use.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Cassandra.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the cassandra-database-plugin plugin.","description_kind":"plain"}},"couchbase":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"base64_pem":{"type":"string","description":"Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.","description_kind":"plain","optional":true,"sensitive":true},"bucket_name":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"hosts":{"type":["list","string"],"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":" Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Couchbase.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the couchbase-database-plugin plugin.","description_kind":"plain"}},"elasticsearch":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of 
roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"ca_path":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication","description_kind":"plain","optional":true},"client_key":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"insecure":{"type":"bool","description":"Whether to disable certificate verification","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The password to be used in the connection URL","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls_server_name":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS","description_kind":"plain","optional":true},"url":{"type":"string","description":"The URL for Elasticsearch's API","description_kind":"plain","required":true},"username":{"type":"string","description":"The username to be used in the connection URL","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the elasticsearch-database-plugin.","description_kind":"plain"}},"hana":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the hana-database-plugin plugin.","description_kind":"plain"}},"influxdb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connect_timeout":{"type":"number","description":"The number of seconds to use as a connection timeout.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Influxdb host to connect to.","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"pem_bundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"pem_json":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Influxdb.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Whether to use TLS when connecting to Influxdb.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username to use for superuser access.","description_kind":"plain","required":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the influxdb-database-plugin plugin.","description_kind":"plain"}},"mongodb":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodb-database-plugin plugin.","description_kind":"plain"}},"mongodbatlas":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.","description_kind":"plain","required":true,"sensitive":true},"project_id":{"type":"string","description":"The Project ID the Database User should be created within.","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.","description_kind":"plain","required":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mongodbatlas-database-plugin plugin.","description_kind":"plain"}},"mssql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"contained_db":{"type":"bool","description":"Set to true when 
the target is a Contained Database, e.g. AzureSQL.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mssql-database-plugin plugin.","description_kind":"plain"}},"mysql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-database-plugin plugin.","description_kind":"plain"}},"mysql_aurora":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-aurora-database-plugin plugin.","description_kind":"plain"}},"mysql_legacy":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-legacy-database-plugin plugin.","description_kind":"plain"}},"mysql_rds":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"tls_ca":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.","description_kind":"plain","optional":true},"tls_certificate_key":{"type":"string","description":"x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined.","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the mysql-rds-database-plugin plugin.","description_kind":"plain"}},"oracle":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disconnect_sessions":{"type":"bool","description":"Set to true to disconnect any open sessions prior to running the revocation statements.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"split_statements":{"type":"bool","description":"Set to true in order to split statements after semi-colons.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the oracle-database-plugin plugin.","description_kind":"plain"}},"postgresql":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"auth_type":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"service_account_json":{"type":"string","description":"A JSON encoded credential for use with IAM authorization","description_kind":"plain","optional":true,"sensitive":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the postgresql-database-plugin plugin.","description_kind":"plain"}},"redis":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"host":{"type":"string","description":"Specifies the host to connect to","description_kind":"plain","required":true},"insecure_tls":{"type":"bool","description":"Specifies whether to skip verification of the server certificate when using TLS.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"Specifies the password corresponding to the given username.","description_kind":"plain","required":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"port":{"type":"number","description":"The transport port to use to connect to Redis.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"tls":{"type":"bool","description":"Specifies whether to use TLS when connecting to Redis.","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the username for Vault to use.","description_kind":"plain","required":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-database-plugin plugin.","description_kind":"plain"}},"redis_elasticache":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this 
connection.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.","description_kind":"plain","optional":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.","description_kind":"plain","required":true},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. 
If omitted the credentials chain provider is used instead.","description_kind":"plain","optional":true,"sensitive":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redis-elasticache-database-plugin plugin.","description_kind":"plain"}},"redshift":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.","description_kind":"plain","optional":true},"disable_escaping":{"type":"bool","description":"Disable special character escaping in username and password","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the redshift-database-plugin plugin.","description_kind":"plain"}},"snowflake":{"nesting_mode":"list","block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"A list of roles that are allowed to use this connection.","description_kind":"plain","optional":true},"connection_url":{"type":"string","description":"Connection string to use to connect to the database.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings.","description_kind":"plain","optional":true},"max_connection_lifetime":{"type":"number","description":"Maximum number of seconds a connection may be reused.","description_kind":"plain","optional":true},"max_idle_connections":{"type":"number","description":"Maximum number of idle connections to the database.","description_kind":"plain","optional":true},"max_open_connections":{"type":"number","description":"Maximum number of open connections to the database.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the database connection.","description_kind":"plain","required":true},"password":{"type":"string","description":"The root credential password used in the connection URL","description_kind":"plain","optional":true,"sensitive":true},"plugin_name":{"type":"string","description":"Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types.","description_kind":"plain","optional":true,"computed":true},"root_rotation_statements":{"type":["list","string"],"description":"A list of database statements to be executed to rotate the root user's credentials.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The root credential username used in the connection URL","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"Username generation template.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies if the connection is verified during initial configuration.","description_kind":"plain","optional":true}},"description":"Connection parameters for the snowflake-database-plugin plugin.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_egp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"List of paths to which the policy will be applied","description_kind":"plain","required":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend","description_kind":"plain","computed":true},"client_email":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"credentials":{"type":"string","description_kind":"plain","optional":true,"sensitive":true},"description":{"type":"string","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value for plugin identity tokens.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated tokens.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local 
only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"private_key_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"project_id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"block_types":{"custom_endpoint":{"nesting_mode":"list","block":{"attributes":{"api":{"type":"string","description":"Replaces the service endpoint used in API requests to https://www.googleapis.com.","description_kind":"plain","optional":true},"compute":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.","description_kind":"plain","optional":true},"crm":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.","description_kind":"plain","optional":true},"iam":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.","description_kind":"plain","optional":true}},"description":"Specifies overrides to service endpoints used when making API requests to 
GCP.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"add_group_aliases":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allow_gce_inference":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","optional":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_jwt_exp":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_gcp_secret_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the created GCP mount.","description_kind":"plain","computed":true},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to 
GCP","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_audience":{"type":"string","description":"The audience claim value for plugin identity tokens.","description_kind":"plain","optional":true},"identity_token_key":{"type":"string","description":"The key to use for signing identity tokens.","description_kind":"plain","optional":true},"identity_token_ttl":{"type":"number","description":"The TTL of generated tokens.","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to mount the backend at.","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_impersonated_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"impersonated_account":{"type":"string","description":"Name of the Impersonated Account to create","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this impersonated account","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) ","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_secret_roleset":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.","description_kind":"plain","required":true},"roleset":{"type":"string","description":"Name of the RoleSet to create","description_kind":"plain","required":true},"secret_type":{"type":"string","description":"Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the service account created by Vault for this Roleset","description_kind":"plain","computed":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"},"min_items":1}},"description_kind":"plain"}},"vault_gcp_secret_static_account":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Path where the GCP secrets engine is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_type":{"type":"string","description":"Type of secret generated for this static account. Defaults to `access_token`. 
Accepted values: `access_token`, `service_account_key`","description_kind":"plain","optional":true,"computed":true},"service_account_email":{"type":"string","description":"Email of the GCP service account.","description_kind":"plain","required":true},"service_account_project":{"type":"string","description":"Project of the GCP Service Account managed by this static account","description_kind":"plain","computed":true},"static_account":{"type":"string","description":"Name of the Static Account to create","description_kind":"plain","required":true},"token_scopes":{"type":["set","string"],"description":"List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) ","description_kind":"plain","optional":true}},"block_types":{"binding":{"nesting_mode":"set","block":{"attributes":{"resource":{"type":"string","description":"Resource name","description_kind":"plain","required":true},"roles":{"type":["set","string"],"description":"List of roles to apply to the resource","description_kind":"plain","required":true}},"description_kind":"plain"}}},"description_kind":"plain"}},"vault_generic_endpoint":{"version":1,"block":{"attributes":{"data_json":{"type":"string","description":"JSON-encoded data to write.","description_kind":"plain","required":true,"sensitive":true},"disable_delete":{"type":"bool","description":"Don't attempt to delete the path from Vault if true","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the path from Vault if true; drift won't be detected","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ignore_absent_fields":{"type":"bool","description":"When reading, disregard fields not present in data_json","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where to the endpoint that will be written","description_kind":"plain","required":true},"write_data":{"type":["map","string"],"description":"Map of strings returned by write operation","description_kind":"plain","computed":true},"write_data_json":{"type":"string","description":"JSON data returned by write operation","description_kind":"plain","computed":true},"write_fields":{"type":["list","string"],"description":"Top-level fields returned by write to persist in state","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"Don't attempt to read the token from Vault if true; drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.","description_kind":"plain","optional":true},"description":{"type":"string","description":"Specifies the description of the mount. This overrides the current stored value, if any.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization users must be part of.","description_kind":"plain","required":true},"organization_id":{"type":"number","description":"The ID of the organization users must be part of. 
Vault will attempt to fetch and set this value if it is not provided (vault-1.10+)","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where the auth backend is mounted","description_kind":"plain","optional":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_github_team":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which team mapping will be configured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this team.","description_kind":"plain","optional":true},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_github_user":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Auth backend to which user mapping will be congigured.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Policies to be assigned to this user.","description_kind":"plain","optional":true},"user":{"type":"string","description":"GitHub user name.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Whether the entity is disabled. 
Disabled entities' associated tokens cannot be used, but are not revoked.","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_entity_policies`.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the entity.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the entity.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the entity to which this is an alias.","description_kind":"plain","required":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata to be associated with this alias.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs toMount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the entity alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity_policies":{"version":0,"block":{"attributes":{"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","required":true},"entity_name":{"type":"string","description":"Name of the entity.","description_kind":"plain","computed":true},"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the entity.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"external_member_entity_ids":{"type":"bool","description":"Manage member entities externally through `vault_identity_group_member_entity_ids`","description_kind":"plain","optional":true},"external_member_group_ids":{"type":"bool","description":"Manage member groups externally through `vault_identity_group_member_group_ids`","description_kind":"plain","optional":true},"external_policies":{"type":"bool","description":"Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the 
group.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to internal.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_alias":{"version":0,"block":{"attributes":{"canonical_id":{"type":"string","description":"ID of the group to which this is an alias.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"Mount accessor to which this alias belongs to.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the group alias.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_entity_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member entity ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_entity_ids":{"type":["set","string"],"description":"Entity IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_member_group_ids":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"If set to true, allows the resource to manage member group ids\nexclusively. Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"member_group_ids":{"type":["set","string"],"description":"Group IDs to be assigned as group members.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_group_policies":{"version":0,"block":{"attributes":{"exclusive":{"type":"bool","description":"Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management","description_kind":"plain","optional":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","required":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"Policies to be tied to the group.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_identity_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo","description_kind":"plain","required":true,"sensitive":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo","description_kind":"plain","required":true,"sensitive":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_passcode":{"type":"bool","description":"Require passcode upon MFA validation.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource 
UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_login_enforcement":{"version":0,"block":{"attributes":{"auth_method_accessors":{"type":["set","string"],"description":"Set of auth method accessor IDs.","description_kind":"plain","optional":true},"auth_method_types":{"type":["set","string"],"description":"Set of auth method types.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_entity_ids":{"type":["set","string"],"description":"Set of identity entity IDs.","description_kind":"plain","optional":true},"identity_group_ids":{"type":["set","string"],"description":"Set of identity group IDs.","description_kind":"plain","optional":true},"mfa_method_ids":{"type":["set","string"],"description":"Set of MFA method UUIDs.","description_kind":"plain","required":true},"name":{"type":"string","description":"Login enforcement name.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API token.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"The base domain to use for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"Only match the primary email for the account.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"The admin URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"A unique identifier of the organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"The IDP URL, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"The name of the PingID client organization, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"Use signature value, derived from \"settings_file_base64\"","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A template string for mapping Identity names to MFA methods.","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. 
This value can either be 6 or 8","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"max_validation_attempts":{"type":"number","description":"The maximum number of consecutive failed validation attempts allowed.","description_kind":"plain","optional":true},"method_id":{"type":"string","description":"Method ID.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"Mount accessor.","description_kind":"plain","computed":true},"name":{"type":"string","description":"Method name.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Method's namespace ID.","description_kind":"plain","computed":true},"namespace_path":{"type":"string","description":"Method's namespace path.","description_kind":"plain","computed":true},"period":{"type":"number","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true,"computed":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.","description_kind":"plain","optional":true},"type":{"type":"string","description":"MFA type.","description_kind":"plain","computed":true},"uuid":{"type":"string","description":"Resource UUID.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_assignment":{"version":0,"block":{"attributes":{"entity_ids":{"type":["set","string"],"description":"A list of Vault entity IDs.","description_kind":"plain","optional":true},"group_ids":{"type":["set","string"],"description":"A list of Vault group IDs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the assignment.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_client":{"version":0,"block":{"attributes":{"access_token_ttl":{"type":"number","description":"The time-to-live for access tokens obtained by the client.","description_kind":"plain","optional":true,"computed":true},"assignments":{"type":["set","string"],"description":"A list of assignment resources associated with the client.","description_kind":"plain","optional":true},"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"client_type":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_ttl":{"type":"number","description":"The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key.","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A reference to a named key resource in Vault. This cannot be modified after creation.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"redirect_uris":{"type":["set","string"],"description":"Redirection URI values used by the client. 
One of these values must exactly match the redirect_uri parameter value used in each authentication request.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.","description_kind":"plain","optional":true},"allowed_client_ids":{"type":["set","string"],"description":"Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If \"*\", all roles are allowed.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"rotation_period":{"type":"number","description":"How often to generate a new signing key in number of seconds","description_kind":"plain","optional":true},"verification_ttl":{"type":"number","description":"Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_key_allowed_client_id":{"version":0,"block":{"attributes":{"allowed_client_id":{"type":"string","description":"Role Client ID allowed to use the key for signing.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_provider":{"version":0,"block":{"attributes":{"allowed_client_ids":{"type":["set","string"],"description":"The client IDs that are permitted to use the provider. If empty, no clients are allowed. If \"*\", all clients are allowed.","description_kind":"plain","optional":true},"https_enabled":{"type":"bool","description":"Set to true if the issuer endpoint uses HTTPS.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields.","description_kind":"plain","computed":true},"issuer_host":{"type":"string","description":"The host for the issuer. Can be either host or host:port.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"scopes_supported":{"type":["set","string"],"description":"The scopes available for requesting on the provider.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_role":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"A configured named key, the key must already exist.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in string-ified JSON or base64 format.","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"TTL of the tokens generated against the role in number of seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_scope":{"version":0,"block":{"attributes":{"description":{"type":"string","description":"The scope's description.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the scope. The openid scope name is reserved.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"template":{"type":"string","description":"The template string for the scope. 
This may be provided as escaped JSON or base64 encoded JSON.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the JWT auth backend","description_kind":"plain","computed":true},"bound_issuer":{"type":"string","description":"The value against which to match the iss claim in a JWT","description_kind":"plain","optional":true},"default_role":{"type":"string","description":"The default role to use if none is provided during login","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"jwks_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.","description_kind":"plain","optional":true},"jwks_url":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"jwt_supported_algs":{"type":["list","string"],"description":"A list of supported signing algorithms. Defaults to [RS256]","description_kind":"plain","optional":true},"jwt_validation_pubkeys":{"type":["list","string"],"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. 
","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_in_state":{"type":"bool","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.","description_kind":"plain","optional":true},"oidc_client_id":{"type":"string","description":"Client ID used for OIDC","description_kind":"plain","optional":true},"oidc_client_secret":{"type":"string","description":"Client Secret used for OIDC","description_kind":"plain","optional":true,"sensitive":true},"oidc_discovery_ca_pem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used","description_kind":"plain","optional":true},"oidc_discovery_url":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.","description_kind":"plain","optional":true},"oidc_response_mode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.","description_kind":"plain","optional":true},"oidc_response_types":{"type":["list","string"],"description":"The response types to request. 
Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.","description_kind":"plain","optional":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"provider_config":{"type":["map","string"],"description":"Provider specific handling configuration","description_kind":"plain","optional":true},"tune":{"type":["set",["object",{"allowed_response_headers":["list","string"],"audit_non_hmac_request_keys":["list","string"],"audit_non_hmac_response_keys":["list","string"],"default_lease_ttl":"string","listing_visibility":"string","max_lease_ttl":"string","passthrough_request_headers":["list","string"],"token_type":"string"}]],"description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of backend. Can be either 'jwt' or 'oidc'","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_jwt_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_redirect_uris":{"type":["set","string"],"description":"The list of allowed values for redirect_uri during OIDC logins.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"bound_audiences":{"type":["set","string"],"description":"List of aud claims to match against. Any match is sufficient.","description_kind":"plain","optional":true},"bound_claims":{"type":["map","string"],"description":"Map of claims/values to match against. 
The expected value may be a single string or a comma-separated string list.","description_kind":"plain","optional":true},"bound_claims_type":{"type":"string","description":"How to interpret values in the claims/values map: can be either \"string\" (exact match) or \"glob\" (wildcard match).","description_kind":"plain","optional":true,"computed":true},"bound_subject":{"type":"string","description":"If set, requires that the sub claim matches this value.","description_kind":"plain","optional":true},"claim_mappings":{"type":["map","string"],"description":"Map of claims (keys) to be copied to specified metadata fields (values).","description_kind":"plain","optional":true},"clock_skew_leeway":{"type":"number","description":"The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"disable_bound_claims_parsing":{"type":"bool","description":"Disable bound claim value parsing. Useful when values contain commas.","description_kind":"plain","optional":true},"expiration_leeway":{"type":"number","description":"The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.","description_kind":"plain","optional":true},"groups_claim":{"type":"string","description":"The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. 
The claim value must be a list of strings.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_age":{"type":"number","description":"Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_leeway":{"type":"number","description":"The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. ","description_kind":"plain","optional":true},"oidc_scopes":{"type":["set","string"],"description":"List of OIDC scopes to be used with an OIDC role. The standard scope \"openid\" is automatically included and need not be specified.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"role_type":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\"","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The 
maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"user_claim":{"type":"string","description":"The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.","description_kind":"plain","required":true},"user_claim_json_pointer":{"type":"bool","description":"Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.","description_kind":"plain","optional":true},"verbose_oidc_logging":{"type":"bool","description":"Log received OIDC tokens and claims when debug-level logging is active. 
Not recommended in production since sensitive information may be present in OIDC responses.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_backend":{"version":1,"block":{"attributes":{"default_tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"default_tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"default_tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listen_addrs":{"type":["set","string"],"description":"Addresses the KMIP server should listen on (host:port)","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP secret backend will be mounted","description_kind":"plain","required":true},"server_hostnames":{"type":["set","string"],"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. 
The first will be used as the common name (CN)","description_kind":"plain","optional":true,"computed":true},"server_ips":{"type":["set","string"],"description":"IPs to include in the server's TLS certificate as SAN IP addresses","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_bits":{"type":"number","description":"CA key bits, valid values depend on key type","description_kind":"plain","optional":true,"computed":true},"tls_ca_key_type":{"type":"string","description":"CA key type, rsa or ec","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description":"Minimum TLS version to accept","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kmip_secret_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"operation_activate":{"type":"bool","description":"Grant permission to use the KMIP Activate operation","description_kind":"plain","optional":true,"computed":true},"operation_add_attribute":{"type":"bool","description":"Grant permission to use the KMIP Add Attribute operation","description_kind":"plain","optional":true,"computed":true},"operation_all":{"type":"bool","description":"Grant all permissions to this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_create":{"type":"bool","description":"Grant permission to use the KMIP Create operation","description_kind":"plain","optional":true,"computed":true},"operation_destroy":{"type":"bool","description":"Grant permission to use the KMIP Destroy operation","description_kind":"plain","optional":true,"computed":true},"operation_discover_versions":{"type":"bool","description":"Grant permission to use the KMIP Discover Version operation","description_kind":"plain","optional":true,"computed":true},"operation_get":{"type":"bool","description":"Grant permission to use the KMIP Get operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attribute_list":{"type":"bool","description":"Grant permission to use the KMIP Get Attribute List operation","description_kind":"plain","optional":true,"computed":true},"operation_get_attributes":{"type":"bool","description":"Grant permission to use the KMIP Get Attributes operation","description_kind":"plain","optional":true,"computed":true},"operation_locate":{"type":"bool","description":"Grant permission to use the KMIP Locate operation","description_kind":"plain","optional":true,"computed":true},"operation_none":{"type":"bool","description":"Remove all permissions from this role. 
May not be specified with any other operation_* params","description_kind":"plain","optional":true,"computed":true},"operation_register":{"type":"bool","description":"Grant permission to use the KMIP Register operation","description_kind":"plain","optional":true,"computed":true},"operation_rekey":{"type":"bool","description":"Grant permission to use the KMIP Rekey operation","description_kind":"plain","optional":true,"computed":true},"operation_revoke":{"type":"bool","description":"Grant permission to use the KMIP Revoke operation","description_kind":"plain","optional":true,"computed":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"role":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true},"tls_client_key_bits":{"type":"number","description":"Client certificate key bits, valid values depend on key type","description_kind":"plain","optional":true},"tls_client_key_type":{"type":"string","description":"Client certificate key type, rsa or ec","description_kind":"plain","optional":true},"tls_client_ttl":{"type":"number","description":"Client certificate TTL in seconds","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kmip_secret_scope":{"version":0,"block":{"attributes":{"force":{"type":"bool","description":"Force deletion even if there are managed objects in the scope","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where KMIP backend is mounted","description_kind":"plain","required":true},"scope":{"type":"string","description":"Name of the scope","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true},"token_reviewer_jwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name","description_kind":"plain","optional":true,"computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","required":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to 
access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_local_ca_jwt":{"type":"bool","description":"Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"kubernetes_ca_cert":{"type":"string","description":"A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. 
Defaults to the local pod’s CA if found, or otherwise the host's root CA set.","description_kind":"plain","optional":true},"kubernetes_host":{"type":"string","description":"The Kubernetes API URL to connect to.","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"service_account_jwt":{"type":"string","description":"The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. 
Defaults to the local pod’s JWT if found.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_kubernetes_secret_backend_role":{"version":0,"block":{"attributes":{"allowed_kubernetes_namespace_selector":{"type":"string","description":"A label selector for Kubernetes namespaces in which credentials can begenerated. Accepts either a JSON or YAML object. The value should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.","description_kind":"plain","optional":true},"allowed_kubernetes_namespaces":{"type":["list","string"],"description":"The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. If set with`allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Kubernetes secrets engine.","description_kind":"plain","required":true},"extra_annotations":{"type":["map","string"],"description":"Additional annotations to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"extra_labels":{"type":["map","string"],"description":"Additional labels to apply to all generated Kubernetes objects.","description_kind":"plain","optional":true},"generated_role_rules":{"type":"string","description":"The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_role_name":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a generated service account to. 
Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.","description_kind":"plain","optional":true},"kubernetes_role_type":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or ClusterRole.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"name_template":{"type":"string","description":"The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_name":{"type":"string","description":"The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested.","description_kind":"plain","optional":true},"token_default_ttl":{"type":"number","description":"The default TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum TTL for generated Kubernetes tokens in seconds.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_backend_v2":{"version":0,"block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true,"computed":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"cas":{"type":"number","description":"This flag is required if cas_required is set to true on either the secret or the engine's config. 
In order for a write to be successful, cas must be set to the current version of the secret.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data to write.","description_kind":"plain","required":true,"sensitive":true},"delete_all_versions":{"type":"bool","description":"If set to true, permanently deletes all versions for the specified key.","description_kind":"plain","optional":true},"disable_read":{"type":"bool","description":"If set to true, disables reading secret from Vault; note: drift won't be detected.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["map","string"],"description":"Metadata associated with this secret read from Vault.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"An object that holds option settings.","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.","description_kind":"plain","computed":true}},"block_types":{"custom_metadata":{"nesting_mode":"list","block":{"attributes":{"cas_required":{"type":"bool","description":"If true, all keys will require the cas parameter to be set on all write requests.","description_kind":"plain","optional":true},"data":{"type":["map","string"],"description":"A map of arbitrary string to string valued user-provided metadata meant to describe the secret.","description_kind":"plain","optional":true},"delete_version_after":{"type":"number","description":"If set, specifies the length of time before a version is deleted.","description_kind":"plain","optional":true},"max_versions":{"type":"number","description":"The number of versions to keep per key.","description_kind":"plain","optional":true}},"description":"Custom metadata to be set for the secret.","description_kind":"plain"},"max_items":1}},"description_kind":"plain"}},"vault_ldap_auth_backend":{"version":2,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the LDAP auth 
backend","description_kind":"plain","computed":true},"binddn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"bindpass":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"case_sensitive_names":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"certificate":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_cert":{"type":"string","description_kind":"plain","optional":true,"computed":true},"client_tls_key":{"type":"string","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"deny_null_bind":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description_kind":"plain","optional":true,"computed":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"discoverdn":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"groupattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"groupfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"insecure_tls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","optional":true},"max_page_size":{"type":"number","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","optional":true},"starttls":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"tls_max_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"tls_min_version":{"type":"string","description_kind":"plain","optional":true,"computed":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"upndomain":{"type":"string","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description_kind":"plain","required":true},"use_token_groups":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description_kind":"plain","optional":true,"computed":true},"userfilter":{"type":"string","description_kind":"plain","optional":true,"computed":true},"username_as_alias":{"type":"bool","description":"Force the auth method to use the username passed by the user as the alias name.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_group":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groupname":{"type":"string","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_auth_backend_user":{"version":1,"block":{"attributes":{"backend":{"type":"string","description_kind":"plain","optional":true},"groups":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description_kind":"plain","optional":true,"computed":true},"username":{"type":"string","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_ldap_secret_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.","description_kind":"plain","required":true},"bindpass":{"type":"string","description":"LDAP password for searching for the user DN.","description_kind":"plain","required":true,"sensitive":true},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_tls_cert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM 
encoded.","description_kind":"plain","optional":true,"sensitive":true},"client_tls_key":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.","description_kind":"plain","optional":true,"sensitive":true},"connection_timeout":{"type":"number","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"insecure_tls":{"type":"bool","description":"Skip LDAP server SSL Certificate verification - insecure and not recommended for production use.","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA 
environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"password_policy":{"type":"string","description":"Name of the password policy to use to generate passwords.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"request_timeout":{"type":"number","description":"Timeout, in seconds, for the connection when making requests against the server before returning back an error.","description_kind":"plain","optional":true,"computed":true},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. 
Valid schemas include openldap, ad, and racf.","description_kind":"plain","optional":true,"computed":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"skip_static_role_import_rotation":{"type":"bool","description":"Skip rotation of static role secrets on import.","description_kind":"plain","optional":true},"starttls":{"type":"bool","description":"Issue a StartTLS command after establishing unencrypted connection.","description_kind":"plain","optional":true,"computed":true},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.","description_kind":"plain","optional":true,"computed":true},"url":{"type":"string","description":"LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.","description_kind":"plain","optional":true,"computed":true},"userattr":{"type":"string","description":"Attribute used for users (default: cn)","description_kind":"plain","optional":true,"computed":true},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_dynamic_role":{"version":0,"block":{"attributes":{"creation_ldif":{"type":"string","description":"A templatized LDIF string used to create a user account. May contain multiple entries.","description_kind":"plain","required":true},"default_ttl":{"type":"number","description":"Specifies the TTL for the leases associated with this role.","description_kind":"plain","optional":true},"deletion_ldif":{"type":"string","description":"A templatized LDIF string used to delete the user account once its TTL has expired. 
This may contain multiple LDIF entries.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Specifies the maximum TTL for the leases associated with this role.","description_kind":"plain","optional":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rollback_ldif":{"type":"string","description":"A templatized LDIF string used to attempt to rollback any changes in the event that execution of the creation_ldif results in an error. This may contain multiple LDIF entries.","description_kind":"plain","optional":true},"username_template":{"type":"string","description":"A template used to generate a dynamic username. This will be used to fill in the .Username field within the creation_ldif string.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_library_set":{"version":0,"block":{"attributes":{"disable_check_in_enforcement":{"type":"bool","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"The maximum amount of time a check-out last with renewal before Vault automatically checks it back in. 
Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the set of service accounts.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"service_account_names":{"type":["list","string"],"description":"The names of all the service accounts that can be checked out from this set.","description_kind":"plain","required":true},"ttl":{"type":"number","description":"The maximum amount of time a single check-out lasts before Vault automatically checks it back in. Defaults to 24 hours.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ldap_secret_backend_static_role":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","required":true},"skip_import_rotation":{"type":"bool","description":"Skip rotation of the password on import.","description_kind":"plain","optional":true},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_managed_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"aws":{"nesting_mode":"set","block":{"attributes":{"access_key":{"type":"string","description":"The AWS access key to use","description_kind":"plain","required":true},"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 
'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"endpoint":{"type":"string","description":"Used to specify a custom AWS endpoint","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"kms_key":{"type":"string","description":"An identifier for the key","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"region":{"type":"string","description":"The AWS region where the keys are stored (or will be stored)","description_kind":"plain","optional":true,"computed":true},"secret_key":{"type":"string","description":"The AWS secret key to use","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for AWS Managed Keys","description_kind":"plain"}},"azure":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key 
exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs","description_kind":"plain","required":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs","description_kind":"plain","required":true},"environment":{"type":"string","description":"The Azure Cloud environment API endpoints to use","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_name":{"type":"string","description":"The Key Vault key to use for encryption and decryption","description_kind":"plain","required":true},"key_type":{"type":"string","description":"The type of key to use","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"resource":{"type":"string","description":"The Azure Key Vault resource's DNS Suffix to connect to","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"The tenant id for the Azure Active Directory organization","description_kind":"plain","required":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true},"vault_name":{"type":"string","description":"The 
Key Vault vault to use the encryption keys for encryption and decryption","description_kind":"plain","required":true}},"description":"Configuration block for Azure Managed Keys","description_kind":"plain"}},"pkcs":{"nesting_mode":"set","block":{"attributes":{"allow_generate_key":{"type":"bool","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend","description_kind":"plain","optional":true,"computed":true},"allow_replace_key":{"type":"bool","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.","description_kind":"plain","optional":true,"computed":true},"allow_store_key":{"type":"bool","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden","description_kind":"plain","optional":true,"computed":true},"any_mount":{"type":"bool","description":"Allow usage from any mount point within the namespace if 'true'","description_kind":"plain","optional":true,"computed":true},"curve":{"type":"string","description":"Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"force_rw_session":{"type":"string","description":"Force all operations to open up a read-write session to the HSM","description_kind":"plain","optional":true},"key_bits":{"type":"string","description":"Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. 
Required if 'allow_generate_key' is true","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The id of a PKCS#11 key to use","description_kind":"plain","required":true},"key_label":{"type":"string","description":"The label of the key to use","description_kind":"plain","required":true},"library":{"type":"string","description":"The name of the kms_library stanza to use from Vault's config to lookup the local library path","description_kind":"plain","required":true},"mechanism":{"type":"string","description":"The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.","description_kind":"plain","required":true},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key","description_kind":"plain","required":true},"pin":{"type":"string","description":"The PIN for login","description_kind":"plain","required":true},"slot":{"type":"string","description":"The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')","description_kind":"plain","optional":true},"token_label":{"type":"string","description":"The slot token label to use","description_kind":"plain","optional":true},"uuid":{"type":"string","description":"ID of the managed key read from Vault","description_kind":"plain","computed":true}},"description":"Configuration block for PKCS Managed Keys","description_kind":"plain"}}},"description_kind":"plain"}},"vault_mfa_duo":{"version":0,"block":{"attributes":{"api_hostname":{"type":"string","description":"API hostname for Duo.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"integration_key":{"type":"string","description":"Integration key for Duo.","description_kind":"plain","required":true,"sensitive":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. 
The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"push_info":{"type":"string","description":"Push information for Duo.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"Secret key for Duo.","description_kind":"plain","required":true,"sensitive":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_okta":{"version":0,"block":{"attributes":{"api_token":{"type":"string","description":"Okta API key.","description_kind":"plain","required":true,"sensitive":true},"base_url":{"type":"string","description":"If set, will be used as the base domain for API requests.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"org_name":{"type":"string","description":"Name of the organization to be used in the Okta API.","description_kind":"plain","required":true},"primary_email":{"type":"bool","description":"If set to true, the username will only match the primary email for the account.","description_kind":"plain","optional":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_pingid":{"version":0,"block":{"attributes":{"admin_url":{"type":"string","description":"Admin URL computed by Vault.","description_kind":"plain","computed":true},"authenticator_url":{"type":"string","description":"Authenticator URL computed by Vault.","description_kind":"plain","computed":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"idp_url":{"type":"string","description":"IDP URL computed by Vault.","description_kind":"plain","computed":true},"mount_accessor":{"type":"string","description":"The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID computed by Vault.","description_kind":"plain","computed":true},"org_alias":{"type":"string","description":"Org Alias computed by Vault.","description_kind":"plain","computed":true},"settings_file_base64":{"type":"string","description":"A base64-encoded third-party settings file retrieved from PingID's configuration page.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of configuration computed by Vault.","description_kind":"plain","computed":true},"use_signature":{"type":"bool","description":"If set, enables use of PingID signature. Computed by Vault","description_kind":"plain","computed":true},"username_format":{"type":"string","description":"A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mfa_totp":{"version":0,"block":{"attributes":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'.","description_kind":"plain","optional":true},"digits":{"type":"number","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8.","description_kind":"plain","optional":true},"id":{"type":"string","description":"ID computed by Vault.","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"The name of the key's issuing organization.","description_kind":"plain","required":true},"key_size":{"type":"number","description":"Specifies the size in bytes of the generated key.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the MFA method.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"period":{"type":"number","description":"The length of time used to generate a counter for the TOTP token calculation.","description_kind":"plain","optional":true},"qr_size":{"type":"number","description":"The pixel size of the generated square QR code.","description_kind":"plain","optional":true},"skew":{"type":"number","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_backend":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located","description_kind":"plain","computed":true},"private_key":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","description_kind":"plain","required":true},"public_key":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_mongodbatlas_secret_role":{"version":0,"block":{"attributes":{"cidr_blocks":{"type":["list","string"],"description":"Whitelist entry in CIDR notation to be added for the API key","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_addresses":{"type":["list","string"],"description":"IP address to be added to the whitelist for the API 
key","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role","description_kind":"plain","optional":true},"mount":{"type":"string","description":"Path where MongoDB Atlas secret backend is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the role","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization_id":{"type":"string","description":"ID for the organization to which the target API Key belongs","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"ID for the project to which the target API Key belongs","description_kind":"plain","optional":true},"project_roles":{"type":["list","string"],"description":"Roles assigned when an org API key is assigned to a project API key","description_kind":"plain","optional":true},"roles":{"type":["list","string"],"description":"List of roles that the API Key needs to have","description_kind":"plain","required":true},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_mount":{"version":0,"block":{"attributes":{"accessor":{"type":"string","description":"Accessor of the mount","description_kind":"plain","computed":true},"allowed_managed_keys":{"type":["set","string"],"description":"List of managed key registry entry names that the mount in question is allowed to access","description_kind":"plain","optional":true},"allowed_response_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"audit_non_hmac_request_keys":{"type":["list","string"],"description":"Specifies the list of keys that 
will not be HMAC'd by audit devices in the request data object.","description_kind":"plain","optional":true,"computed":true},"audit_non_hmac_response_keys":{"type":["list","string"],"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.","description_kind":"plain","optional":true,"computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"delegated_auth_accessors":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount","description_kind":"plain","optional":true},"external_entropy_access":{"type":"bool","description":"Enable the secrets engine to access Vault's external entropy source","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"identity_token_key":{"type":"string","description":"The key to use for signing plugin workload identity tokens","description_kind":"plain","optional":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint","description_kind":"plain","optional":true},"local":{"type":"bool","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for tokens and secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"options":{"type":["map","string"],"description":"Specifies mount type specific options that are passed to the backend","description_kind":"plain","optional":true},"passthrough_request_headers":{"type":["list","string"],"description":"List of headers to allow and pass from the request to the plugin","description_kind":"plain","optional":true},"path":{"type":"string","description":"Where the secret backend will be mounted","description_kind":"plain","required":true},"plugin_version":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'","description_kind":"plain","optional":true},"seal_wrap":{"type":"bool","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of the backend, such as 'aws'","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"custom_metadata":{"type":["map","string"],"description":"Custom metadata describing this namespace. Value type is map[string]string.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","required":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided as \"protocol://host:port\" like \"http://127.0.0.1:4646\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","optional":true},"ca_cert":{"type":"string","description":"CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded.","description_kind":"plain","optional":true},"client_cert":{"type":"string","description":"Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.","description_kind":"plain","optional":true,"sensitive":true},"client_key":{"type":"string","description":"Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","description_kind":"plain","optional":true,"sensitive":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path 
updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"local":{"type":"bool","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time.","description_kind":"plain","optional":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"max_token_name_length":{"type":"number","description":"Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version.","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use.","description_kind":"plain","optional":true,"sensitive":true},"ttl":{"type":"number","description":"Maximum possible lease duration for secrets in seconds.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_nomad_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The mount path for the Nomad backend.","description_kind":"plain","required":true},"global":{"type":"bool","description":"Specifies if the token should be global.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policies":{"type":["list","string"],"description":"Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.","description_kind":"plain","optional":true,"computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid values are \"client\" or \"management\".","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount.","description_kind":"plain","computed":true},"base_url":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com (default)","description_kind":"plain","optional":true},"bypass_okta_mfa":{"type":"bool","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.","description_kind":"plain","optional":true},"description":{"type":"string","description":"The description of the auth backend","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"group":{"type":["set",["object",{"group_name":"string","policies":["set","string"]}]],"description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"string","description":"Maximum duration after which authentication will be expired","description_kind":"plain","deprecated":true,"optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url https://XXX.okta.com.","description_kind":"plain","required":true},"path":{"type":"string","description":"path to mount the backend","description_kind":"plain","optional":true},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled.","description_kind":"plain","optional":true,"sensitive":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or 
batch","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Duration after which authentication will be expired","description_kind":"plain","deprecated":true,"optional":true},"user":{"type":["set",["object",{"groups":["set","string"],"policies":["set","string"],"username":"string"}]],"description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_okta_auth_backend_group":{"version":0,"block":{"attributes":{"group_name":{"type":"string","description":"Name of the Okta group","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this group","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_okta_auth_backend_user":{"version":0,"block":{"attributes":{"groups":{"type":["set","string"],"description":"Groups within the Okta auth backend to associate with this user","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the Okta auth backend","description_kind":"plain","required":true},"policies":{"type":["set","string"],"description":"Policies to associate with this user","description_kind":"plain","optional":true},"username":{"type":"string","description":"Name of the user within Okta","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_password_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the password policy.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The password policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_cert":{"version":0,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":"string","description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of the certificate to create.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from 
SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The serial number.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"user_ids":{"type":["list","string"],"description":"List of Subject User IDs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_ca":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"pem_bundle":{"type":"string","description":"The key and certificate PEM bundle.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_cluster":{"version":0,"block":{"attributes":{"aia_path":{"type":"string","description":"Path to the cluster's AIA distribution point.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to the cluster's API mount path.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_est":{"version":0,"block":{"attributes":{"audit_fields":{"type":["list","string"],"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to","description_kind":"plain","required":true},"default_mount":{"type":"bool","description":"If set, this mount will register the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster","description_kind":"plain","optional":true},"default_path_policy":{"type":"string","description":"Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. 
Can be sign-verbatim or a role given by role:\u003crole_name\u003e","description_kind":"plain","optional":true},"enable_sentinel_parsing":{"type":"bool","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies","description_kind":"plain","optional":true},"enabled":{"type":"bool","description":"Specifies whether EST is enabled","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"label_to_path_policy":{"type":["map","string"],"description":"Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths","description_kind":"plain","optional":true},"last_updated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"authenticators":{"nesting_mode":"list","block":{"attributes":{"cert":{"type":["map","string"],"description_kind":"plain","optional":true},"userpass":{"type":["map","string"],"description_kind":"plain","optional":true}},"description":"Lists the mount accessors EST should delegate authentication requests towards","description_kind":"plain"},"max_items":1}},"description":"Manages Vault PKI EST configuration","description_kind":"plain"}},"vault_pki_secret_backend_config_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"default":{"type":"string","description":"Specifies the default issuer by ID.","description_kind":"plain","optional":true},"default_follows_latest_issuer":{"type":"bool","description":"Specifies whether a root creation or an issuer import operation updates the default issuer to the newly added issuer.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_urls":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"enable_templating":{"type":"bool","description":"Specifies that templating of AIA fields is allowed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_crl_config":{"version":0,"block":{"attributes":{"auto_rebuild":{"type":"bool","description":"Enables or disables periodic rebuilding of the CRL upon expiry.","description_kind":"plain","optional":true},"auto_rebuild_grace_period":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"cross_cluster_revocation":{"type":"bool","description":"Enable cross-cluster revocation request queues.","description_kind":"plain","optional":true,"computed":true},"delta_rebuild_interval":{"type":"string","description":"Interval to 
check for new revocations on, to regenerate the delta CRL.","description_kind":"plain","optional":true,"computed":true},"disable":{"type":"bool","description":"Disables or enables CRL building","description_kind":"plain","optional":true},"enable_delta":{"type":"bool","description":"Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL.","description_kind":"plain","optional":true},"expiry":{"type":"string","description":"Specifies the time until expiration.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_disable":{"type":"bool","description":"Disables or enables the OCSP responder in Vault.","description_kind":"plain","optional":true},"ocsp_expiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations.","description_kind":"plain","optional":true,"computed":true},"unified_crl":{"type":"bool","description":"Enables unified CRL and OCSP building.","description_kind":"plain","optional":true,"computed":true},"unified_crl_on_existing_paths":{"type":"bool","description":"Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_cert_request":{"version":0,"block":{"attributes":{"add_basic_constraints":{"type":"bool","description":"Set 'CA: true' in a Basic Constraints extension. 
Only needed as\na workaround in some compatibility scenarios with Active Directory Certificate Services.","description_kind":"plain","optional":true},"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","computed":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The 
locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The private key.","description_kind":"plain","computed":true,"sensitive":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"private_key_type":{"type":"string","description":"The private key type.","description_kind":"plain","computed":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of intermediate to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_intermediate_set_signed":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"imported_issuers":{"type":["list","string"],"description":"The imported issuers.","description_kind":"plain","computed":true},"imported_keys":{"type":["list","string"],"description":"The imported keys.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"crl_distribution_points":{"type":["list","string"],"description":"Specifies the URL values for the CRL Distribution Points field.","description_kind":"plain","optional":true},"enable_aia_url_templating":{"type":"bool","description":"Specifies that the AIA URL values should be templated.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Reference to an existing 
issuer.","description_kind":"plain","required":true},"issuing_certificates":{"type":["list","string"],"description":"Specifies the URL values for the Issuing Certificate field.","description_kind":"plain","optional":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's 'NotAfter' field during issuance.","description_kind":"plain","optional":true,"computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"ocsp_servers":{"type":["list","string"],"description":"Specifies the URL values for the OCSP Servers field.","description_kind":"plain","optional":true},"revocation_signature_algorithm":{"type":"string","description":"Which signature algorithm to use when building CRLs.","description_kind":"plain","optional":true,"computed":true},"usage":{"type":"string","description":"Comma-separated list of allowed usages for this issuer.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"Specifies the number of bits to use for the generated keys.","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for 
this.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"Specifies the desired key type; must be 'rsa', 'ed25519' or 'ec'.","description_kind":"plain","optional":true,"computed":true},"managed_key_id":{"type":"string","description":"The managed key's UUID.","description_kind":"plain","optional":true},"managed_key_name":{"type":"string","description":"The managed key's configured name.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"type":{"type":"string","description":"Specifies the type of the key to create.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_pki_secret_backend_role":{"version":0,"block":{"attributes":{"allow_any_name":{"type":"bool","description":"Flag to allow any name","description_kind":"plain","optional":true},"allow_bare_domains":{"type":"bool","description":"Flag to allow certificates matching the actual domain.","description_kind":"plain","optional":true},"allow_glob_domains":{"type":"bool","description":"Flag to allow names containing glob patterns.","description_kind":"plain","optional":true},"allow_ip_sans":{"type":"bool","description":"Flag to allow IP SANs","description_kind":"plain","optional":true},"allow_localhost":{"type":"bool","description":"Flag to allow certificates for localhost.","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description":"Flag to allow certificates matching subdomains.","description_kind":"plain","optional":true},"allow_wildcard_certificates":{"type":"bool","description":"Flag to allow wildcard certificates","description_kind":"plain","optional":true},"allowed_domains":{"type":["list","string"],"description":"The domains of the role.","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description":"Flag to indicate that `allowed_domains` specifies a 
template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true},"allowed_other_sans":{"type":["list","string"],"description":"Defines allowed custom SANs","description_kind":"plain","optional":true},"allowed_serial_numbers":{"type":["list","string"],"description":"Defines allowed Subject serial numbers.","description_kind":"plain","optional":true},"allowed_uri_sans":{"type":["list","string"],"description":"Defines allowed URI SANs","description_kind":"plain","optional":true},"allowed_uri_sans_template":{"type":"bool","description":"Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases.\u003cmount accessor\u003e.name}})","description_kind":"plain","optional":true,"computed":true},"allowed_user_ids":{"type":["list","string"],"description":"The allowed User ID's.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The path of the PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"basic_constraints_valid_for_non_ca":{"type":"bool","description":"Flag to mark basic constraints valid when issuing non-CA certificates.","description_kind":"plain","optional":true},"client_flag":{"type":"bool","description":"Flag to specify certificates for client use.","description_kind":"plain","optional":true},"code_signing_flag":{"type":"bool","description":"Flag to specify certificates for code signing use.","description_kind":"plain","optional":true},"country":{"type":["list","string"],"description":"The country of generated certificates.","description_kind":"plain","optional":true},"email_protection_flag":{"type":"bool","description":"Flag to specify certificates for email protection use.","description_kind":"plain","optional":true},"enforce_hostnames":{"type":"bool","description":"Flag to allow only valid host 
names","description_kind":"plain","optional":true},"ext_key_usage":{"type":["list","string"],"description":"Specify the allowed extended key usage constraint on issued certificates.","description_kind":"plain","optional":true},"ext_key_usage_oids":{"type":["list","string"],"description":"A list of extended key usage OIDs.","description_kind":"plain","optional":true},"generate_lease":{"type":"bool","description":"Flag to generate leases with certificates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"The number of bits of generated keys.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"The generated key type.","description_kind":"plain","optional":true},"key_usage":{"type":["list","string"],"description":"Specify the allowed key usage constraint on issued certificates.","description_kind":"plain","optional":true,"computed":true},"locality":{"type":["list","string"],"description":"The locality of generated certificates.","description_kind":"plain","optional":true},"max_ttl":{"type":"string","description":"The maximum TTL.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_store":{"type":"bool","description":"Flag to not store certificates in the storage backend.","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","description_kind":"plain","optional":true,"computed":true},"organization":{"type":["list","string"],"description":"The organization of generated certificates.","description_kind":"plain","optional":true},"ou":{"type":["list","string"],"description":"The organization unit of generated certificates.","description_kind":"plain","optional":true},"policy_identifiers":{"type":["list","string"],"description":"Specify the list of allowed policies OIDs.","description_kind":"plain","optional":true},"postal_code":{"type":["list","string"],"description":"The postal code of generated certificates.","description_kind":"plain","optional":true},"province":{"type":["list","string"],"description":"The province of generated certificates.","description_kind":"plain","optional":true},"require_cn":{"type":"bool","description":"Flag to force CN usage.","description_kind":"plain","optional":true},"server_flag":{"type":"bool","description":"Flag to specify certificates for server use.","description_kind":"plain","optional":true},"street_address":{"type":["list","string"],"description":"The street address of generated certificates.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL.","description_kind":"plain","optional":true,"computed":true},"use_csr_common_name":{"type":"bool","description":"Flag to use the CN in the CSR.","description_kind":"plain","optional":true},"use_csr_sans":{"type":"bool","description":"Flag to use the SANs in the CSR.","description_kind":"plain","optional":true}},"block_types":{"policy_identifier":{"nesting_mode":"set","block":{"attributes":{"cps":{"type":"string","description":"Optional CPS 
URL","description_kind":"plain","optional":true},"notice":{"type":"string","description":"Optional notice","description_kind":"plain","optional":true},"oid":{"type":"string","description":"OID","description_kind":"plain","required":true}},"description":"Policy identifier block; can only be used with Vault 1.11+","description_kind":"plain"}}},"description_kind":"plain"}},"vault_pki_secret_backend_root_cert":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of root to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_id":{"type":"string","description":"The ID of the generated issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Provides a name to the specified issuer. 
The name must be unique across all issuers and not be the reserved value 'default'.","description_kind":"plain","optional":true,"computed":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"key_bits":{"type":"number","description":"The number of bits to use.","description_kind":"plain","optional":true},"key_id":{"type":"string","description":"The ID of the generated key.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this.","description_kind":"plain","optional":true,"computed":true},"key_ref":{"type":"string","description":"Specifies the key to use for generating this request.","description_kind":"plain","optional":true,"computed":true},"key_type":{"type":"string","description":"The desired key type.","description_kind":"plain","optional":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"managed_key_id":{"type":"string","description":"The ID of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"managed_key_name":{"type":"string","description":"The name of the previously configured managed key.","description_kind":"plain","optional":true,"computed":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"private_key_format":{"type":"string","description":"The private key format.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of root to create. 
Must be either \"existing\", \"exported\", \"internal\" or \"kms\"","description_kind":"plain","required":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_root_sign_intermediate":{"version":2,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The signed intermediate CA certificate.","description_kind":"plain","computed":true},"certificate_bundle":{"type":"string","description":"The concatenation of the intermediate and issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. 
The value will be empty for all other formats.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"country":{"type":"string","description":"The country.","description_kind":"plain","optional":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA certificate.","description_kind":"plain","computed":true},"locality":{"type":"string","description":"The locality.","description_kind":"plain","optional":true},"max_path_length":{"type":"number","description":"The maximum path length to encode in the generated certificate.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"The organization.","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"ou":{"type":"string","description":"The organization unit.","description_kind":"plain","optional":true},"permitted_dns_domains":{"type":["list","string"],"description":"List of domains for which certificates are allowed to be issued.","description_kind":"plain","optional":true},"postal_code":{"type":"string","description":"The postal code.","description_kind":"plain","optional":true},"province":{"type":"string","description":"The province.","description_kind":"plain","optional":true},"revoke":{"type":"bool","description":"Revoke the certificate upon resource destruction.","description_kind":"plain","optional":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"street_address":{"type":"string","description":"The street address.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true},"use_csr_values":{"type":"bool","description":"Preserve CSR values.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_sign":{"version":1,"block":{"attributes":{"alt_names":{"type":["list","string"],"description":"List of alternative names.","description_kind":"plain","optional":true},"auto_renew":{"type":"bool","description":"If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining","description_kind":"plain","optional":true},"backend":{"type":"string","description":"The PKI secret backend the resource 
belongs to.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain.","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certicate.","description_kind":"plain","computed":true},"common_name":{"type":"string","description":"CN of intermediate to create.","description_kind":"plain","required":true},"csr":{"type":"string","description":"The CSR.","description_kind":"plain","required":true},"exclude_cn_from_sans":{"type":"bool","description":"Flag to exclude CN from SANs.","description_kind":"plain","optional":true},"expiration":{"type":"number","description":"The certificate expiration as a Unix-style timestamp.","description_kind":"plain","computed":true},"format":{"type":"string","description":"The format of data.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"ip_sans":{"type":["list","string"],"description":"List of alternative IPs.","description_kind":"plain","optional":true},"issuer_ref":{"type":"string","description":"Specifies the default issuer of this request.","description_kind":"plain","optional":true},"issuing_ca":{"type":"string","description":"The issuing CA.","description_kind":"plain","computed":true},"min_seconds_remaining":{"type":"number","description":"Generate a new certificate when the expiration is within this number of seconds","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the role to create the certificate against.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"other_sans":{"type":["list","string"],"description":"List of other SANs.","description_kind":"plain","optional":true},"renew_pending":{"type":"bool","description":"Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future.","description_kind":"plain","computed":true},"serial_number":{"type":"string","description":"The certificate's serial number, hex formatted.","description_kind":"plain","computed":true},"ttl":{"type":"string","description":"Time to live.","description_kind":"plain","optional":true},"uri_sans":{"type":["list","string"],"description":"List of alternative URIs.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_plugin":{"version":0,"block":{"attributes":{"args":{"type":["list","string"],"description":"List of additional arguments to pass to the plugin.","description_kind":"plain","optional":true},"command":{"type":"string","description":"Command to execute the plugin, relative to the plugin_directory.","description_kind":"plain","required":true},"env":{"type":["list","string"],"description":"List of additional environment variables to run the plugin with in KEY=VALUE form.","description_kind":"plain","optional":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the plugin.","description_kind":"plain","required":true},"oci_image":{"type":"string","description":"OCI image to run. 
If specified, setting command, args, and env will update the container's entrypoint, args, and environment variables (append-only) respectively.","description_kind":"plain","optional":true},"runtime":{"type":"string","description":"Vault plugin runtime to use if oci_image is specified.","description_kind":"plain","optional":true},"sha256":{"type":"string","description":"SHA256 sum of the plugin binary.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".","description_kind":"plain","required":true},"version":{"type":"string","description":"Semantic version of the plugin.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_plugin_pinned_version":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the plugin.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".","description_kind":"plain","required":true},"version":{"type":"string","description":"Semantic pinned plugin version.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_policy":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_quota_lease_count":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inheritable":{"type":"bool","description":"If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default.","description_kind":"plain","optional":true},"max_leases":{"type":"number","description":"The maximum number of leases to be allowed by the quota rule. The max_leases must be positive.","description_kind":"plain","required":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. 
A blank path configures a global lease count quota.","description_kind":"plain","optional":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_quota_rate_limit":{"version":0,"block":{"attributes":{"block_interval":{"type":"number","description":"If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inheritable":{"type":"bool","description":"If set to true on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to true if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default.","description_kind":"plain","optional":true},"interval":{"type":"number","description":"The duration in seconds to enforce rate limiting for.","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the quota.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota.","description_kind":"plain","optional":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota rule. 
The rate must be positive.","description_kind":"plain","required":true},"role":{"type":"string","description":"If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend":{"version":1,"block":{"attributes":{"connection_uri":{"type":"string","description":"Specifies the RabbitMQ connection URI.","description_kind":"plain","required":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password","description_kind":"plain","required":true,"sensitive":true},"password_policy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. 
Defaults to generating an alphanumeric password if not set.","description_kind":"plain","optional":true},"path":{"type":"string","description":"The path of the RabbitMQ Secret Backend where the connection should be configured","description_kind":"plain","optional":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username","description_kind":"plain","required":true,"sensitive":true},"username_template":{"type":"string","description":"Template describing how dynamic usernames are generated.","description_kind":"plain","optional":true},"verify_connection":{"type":"bool","description":"Specifies whether to verify connection URI, username, and password.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_rabbitmq_secret_backend_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Rabbitmq Secret Backend the role belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.","description_kind":"plain","optional":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"configure":{"type":"string","description":"The configure permissions for this vhost.","description_kind":"plain","required":true},"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}},"vhost_topic":{"nesting_mode":"list","block":{"attributes":{"host":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true}},"block_types":{"vhost":{"nesting_mode":"list","block":{"attributes":{"read":{"type":"string","description":"The read permissions for this vhost.","description_kind":"plain","required":true},"topic":{"type":"string","description":"The vhost to set permissions for.","description_kind":"plain","required":true},"write":{"type":"string","description":"The write permissions for this vhost.","description_kind":"plain","required":true}},"description":"Specifies a map of virtual hosts to permissions.","description_kind":"plain"}}},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot":{"version":0,"block":{"attributes":{"cleanup_dead_servers":{"type":"bool","description":"Specifies whether to remove dead server nodes periodically or when a new server joins. 
This requires that min-quorum is also set.","description_kind":"plain","optional":true},"dead_server_last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set.","description_kind":"plain","optional":true},"disable_upgrade_migration":{"type":"bool","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_contact_threshold":{"type":"string","description":"Limit the amount of time a server can go without leader contact before being considered unhealthy.","description_kind":"plain","optional":true},"max_trailing_logs":{"type":"number","description":"Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy.","description_kind":"plain","optional":true},"min_quorum":{"type":"number","description":"Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"server_stabilization_time":{"type":"string","description":"Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_raft_snapshot_agent_config":{"version":0,"block":{"attributes":{"aws_access_key_id":{"type":"string","description":"AWS access key ID.","description_kind":"plain","optional":true},"aws_s3_bucket":{"type":"string","description":"S3 bucket to write snapshots to.","description_kind":"plain","optional":true},"aws_s3_disable_tls":{"type":"bool","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes.","description_kind":"plain","optional":true},"aws_s3_enable_kms":{"type":"bool","description":"Use KMS to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_s3_endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio.","description_kind":"plain","optional":true},"aws_s3_force_path_style":{"type":"bool","description":"Use the endpoint/bucket URL style instead of bucket.endpoint.","description_kind":"plain","optional":true},"aws_s3_kms_key":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true","description_kind":"plain","optional":true},"aws_s3_region":{"type":"string","description":"AWS region bucket is in.","description_kind":"plain","optional":true},"aws_s3_server_side_encryption":{"type":"bool","description":"Use AES256 to encrypt bucket contents.","description_kind":"plain","optional":true},"aws_secret_access_key":{"type":"string","description":"AWS secret access key.","description_kind":"plain","optional":true},"aws_session_token":{"type":"string","description":"AWS session token.","description_kind":"plain","optional":true},"azure_account_key":{"type":"string","description":"Azure account 
key.","description_kind":"plain","optional":true},"azure_account_name":{"type":"string","description":"Azure account name.","description_kind":"plain","optional":true},"azure_blob_environment":{"type":"string","description":"Azure blob environment.","description_kind":"plain","optional":true},"azure_container_name":{"type":"string","description":"Azure container name to write snapshots to.","description_kind":"plain","optional":true},"azure_endpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite.","description_kind":"plain","optional":true},"file_prefix":{"type":"string","description":"The file or object name of snapshot files will start with this string.","description_kind":"plain","optional":true},"google_disable_tls":{"type":"bool","description":"Disable TLS for the GCS endpoint.","description_kind":"plain","optional":true},"google_endpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server.","description_kind":"plain","optional":true},"google_gcs_bucket":{"type":"string","description":"GCS bucket to write snapshots to.","description_kind":"plain","optional":true},"google_service_account_key":{"type":"string","description":"Google service account key in JSON format.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"interval_seconds":{"type":"number","description":"Number of seconds between snapshots.","description_kind":"plain","required":true},"local_max_space":{"type":"number","description":"The maximum space, in bytes, to use for snapshots.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the snapshot agent configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path_prefix":{"type":"string","description":"The directory or bucket prefix to to use.","description_kind":"plain","required":true},"retain":{"type":"number","description":"How many snapshots are to be kept.","description_kind":"plain","optional":true},"storage_type":{"type":"string","description":"What storage service to send snapshots to. One of \"local\", \"azure-blob\", \"aws-s3\", or \"google-gcs\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_rgp_policy":{"version":0,"block":{"attributes":{"enforcement_level":{"type":"string","description":"Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory'","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the policy","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"policy":{"type":"string","description":"The policy document","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_saml_auth_backend":{"version":0,"block":{"attributes":{"acs_urls":{"type":["list","string"],"description":"The well-formatted URLs of your Assertion Consumer Service (ACS) that should receive a response from the identity provider.","description_kind":"plain","required":true},"default_role":{"type":"string","description":"The role to use if no role is provided during login.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"entity_id":{"type":"string","description":"The entity ID of the SAML authentication service provider.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"idp_cert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive with 'idp_metadata_url'","description_kind":"plain","optional":true},"idp_entity_id":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"idp_metadata_url":{"type":"string","description":"The metadata URL of the identity provider.","description_kind":"plain","optional":true},"idp_sso_url":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with 'idp_metadata_url'.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"verbose_logging":{"type":"bool","description":"Log additional, potentially sensitive information during the SAML exchange according to the current logging level. Not recommended for production.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_saml_auth_backend_role":{"version":0,"block":{"attributes":{"bound_attributes":{"type":["map","string"],"description":"Mapping of attribute names to values that are expected to exist in the SAML assertion.","description_kind":"plain","optional":true},"bound_attributes_type":{"type":"string","description":"The type of matching assertion to perform on bound_attributes.","description_kind":"plain","optional":true,"computed":true},"bound_subjects":{"type":["list","string"],"description":"The subject being asserted for SAML authentication.","description_kind":"plain","optional":true},"bound_subjects_type":{"type":"string","description":"The type of matching assertion to perform on bound_subjects.","description_kind":"plain","optional":true,"computed":true},"groups_attribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the user belongs.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path where SAML Auth engine is mounted.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_association":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"metadata":{"type":["list",["object",{"sub_key":"string","sync_status":"string","updated_at":"string"}]],"description":"Metadata for each subkey of the associated secret.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"Specifies 
the mount where the secret is located.","description_kind":"plain","required":true},"name":{"type":"string","description":"Name of the destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_name":{"type":"string","description":"Specifies the name of the secret to synchronize.","description_kind":"plain","required":true},"type":{"type":"string","description":"Type of sync destination.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_secrets_sync_aws_destination":{"version":0,"block":{"attributes":{"access_key_id":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"external_id":{"type":"string","description":"Extra protection that must match the trust policy granting access to the AWS IAM role ARN.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the AWS destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region where to manage the secrets manager entries.","description_kind":"plain","optional":true},"role_arn":{"type":"string","description":"Specifies a role to assume when connecting to AWS.","description_kind":"plain","optional":true},"secret_access_key":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.","description_kind":"plain","optional":true,"sensitive":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_azure_destination":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"Client ID of an Azure app registration.","description_kind":"plain","optional":true},"client_secret":{"type":"string","description":"Client Secret of an Azure app registration.","description_kind":"plain","optional":true,"sensitive":true},"cloud":{"type":"string","description":"Specifies a cloud for the client.","description_kind":"plain","optional":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. 
Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_vault_uri":{"type":"string","description":"URI of an existing Azure Key Vault instance.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name of the Azure destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"tenant_id":{"type":"string","description":"ID of the target Azure tenant.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_config":{"version":0,"block":{"attributes":{"disabled":{"type":"bool","description":"Disables the syncing process between Vault and external destinations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"queue_capacity":{"type":"number","description":"Maximum number of pending sync operations allowed on the queue.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_secrets_sync_gcp_destination":{"version":0,"block":{"attributes":{"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.","description_kind":"plain","optional":true,"sensitive":true},"custom_tags":{"type":["map","string"],"description":"Custom tags to set on the secret managed at the destination.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the GCP destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"The target project to manage secrets in.","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_gh_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Fine-grained or personal access token.","description_kind":"plain","optional":true,"sensitive":true},"app_name":{"type":"string","description":"The user-defined name of the GitHub App configuration.","description_kind":"plain","optional":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"installation_id":{"type":"number","description":"The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user’s GitHub account. Necessary if the app_name field is also provided.","description_kind":"plain","optional":true},"name":{"type":"string","description":"Unique name of the github destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"repository_name":{"type":"string","description":"Name of the repository.","description_kind":"plain","optional":true},"repository_owner":{"type":"string","description":"GitHub organization or username that owns the repository.","description_kind":"plain","optional":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_secrets_sync_github_apps":{"version":0,"block":{"attributes":{"app_id":{"type":"number","description":"The GitHub application ID.","description_kind":"plain","required":true},"fingerprint":{"type":"string","description":"A fingerprint of a private key.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The user-defined name of the GitHub App configuration.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"The content of a PEM formatted private key generated on GitHub for the app.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}},"vault_secrets_sync_vercel_destination":{"version":0,"block":{"attributes":{"access_token":{"type":"string","description":"Vercel API access token with the permissions to manage environment variables.","description_kind":"plain","required":true,"sensitive":true},"deployment_environments":{"type":["list","string"],"description":"Deployment environments where the environment variables are available. 
Accepts 'development', 'preview' \u0026 'production'.","description_kind":"plain","required":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource at the destination. Can be 'secret-path' or 'secret-key'","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name of the Vercel destination.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"project_id":{"type":"string","description":"Project ID where to manage environment variables.","description_kind":"plain","required":true},"secret_name_template":{"type":"string","description":"Template describing how to generate external secret names.","description_kind":"plain","optional":true,"computed":true},"team_id":{"type":"string","description":"Team ID the project belongs to.","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of secrets destination.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_ca":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"The path of the SSH Secret Backend where the CA should be configured","description_kind":"plain","optional":true},"generate_signing_key":{"type":"bool","description":"Whether Vault should generate the signing key pair internally.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_bits":{"type":"number","description":"Specifies the desired key bits for the generated SSH CA key when `generate_signing_key` is set to `true`.","description_kind":"plain","optional":true},"key_type":{"type":"string","description":"Specifies the desired key type for the generated SSH CA key when 
`generate_signing_key` is set to `true`.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"private_key":{"type":"string","description":"Private key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true,"sensitive":true},"public_key":{"type":"string","description":"Public key part the SSH CA key pair; required if generate_signing_key is false.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_ssh_secret_backend_role":{"version":0,"block":{"attributes":{"algorithm_signer":{"type":"string","description_kind":"plain","optional":true,"computed":true},"allow_bare_domains":{"type":"bool","description_kind":"plain","optional":true},"allow_host_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_subdomains":{"type":"bool","description_kind":"plain","optional":true},"allow_user_certificates":{"type":"bool","description_kind":"plain","optional":true},"allow_user_key_ids":{"type":"bool","description_kind":"plain","optional":true},"allowed_critical_options":{"type":"string","description_kind":"plain","optional":true},"allowed_domains":{"type":"string","description_kind":"plain","optional":true},"allowed_domains_template":{"type":"bool","description_kind":"plain","optional":true,"computed":true},"allowed_extensions":{"type":"string","description_kind":"plain","optional":true},"allowed_users":{"type":"string","description_kind":"plain","optional":true},"allowed_users_template":{"type":"bool","description_kind":"plain","optional":true},"backend":{"type":"string","description_kind":"plain","required":true},"cidr_list":{"type":"string","description_kind":"plain","optional":true},"default_critical_options":{"type":["map","string"],"description_kind":"plain","optional":true},"default_extensions":{"type":["map","str
ing"],"description_kind":"plain","optional":true},"default_user":{"type":"string","description_kind":"plain","optional":true},"default_user_template":{"type":"bool","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id_format":{"type":"string","description_kind":"plain","optional":true},"key_type":{"type":"string","description_kind":"plain","required":true},"max_ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Unique name for the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"not_before_duration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.","description_kind":"plain","optional":true,"computed":true},"ttl":{"type":"string","description_kind":"plain","optional":true,"computed":true}},"block_types":{"allowed_user_key_config":{"nesting_mode":"set","block":{"attributes":{"lengths":{"type":["list","number"],"description":"List of allowed key lengths, vault-1.10 and above","description_kind":"plain","required":true},"type":{"type":"string","description":"Key type, choices:\nrsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521","description_kind":"plain","required":true}},"description":"Set of allowed public key types and their relevant configuration","description_kind":"plain"}}},"description_kind":"plain"}},"vault_terraform_cloud_secret_backend":{"version":1,"block":{"attributes":{"address":{"type":"string","description":"Specifies the address of the Terraform Cloud instance, provided as \"host:port\" like \"127.0.0.1:8500\".","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the Vault 
Terraform Cloud mount to configure","description_kind":"plain","optional":true},"base_path":{"type":"string","description":"Specifies the base path for the Terraform Cloud or Enterprise API.","description_kind":"plain","optional":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration for secrets in seconds","description_kind":"plain","optional":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend.","description_kind":"plain","optional":true},"disable_remount":{"type":"bool","description":"If set, opts out of mount migration on path updates.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration for secrets in seconds","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"token":{"type":"string","description":"Specifies the Terraform Cloud access token to use.","description_kind":"plain","optional":true,"sensitive":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_creds":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Terraform Cloud secret backend to generate tokens from","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_id":{"type":"string","description":"Associated Vault lease ID, if one exists","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","computed":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","computed":true},"token":{"type":"string","description":"Terraform Token provided by the Vault backend","description_kind":"plain","computed":true,"sensitive":true},"token_id":{"type":"string","description":"ID of the Terraform Token provided","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_terraform_cloud_secret_role":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The path of the Terraform Cloud Secret Backend the role belongs to.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"max_ttl":{"type":"number","description":"Maximum allowed lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of an existing role against which to create this Terraform Cloud credential","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"organization":{"type":"string","description":"Name of the Terraform Cloud or Enterprise organization","description_kind":"plain","optional":true},"team_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise team under organization (e.g., settings/teams/team-xxxxxxxxxxxxx)","description_kind":"plain","optional":true},"ttl":{"type":"number","description":"Default lease for generated credentials. If not set or set to 0, will use system default.","description_kind":"plain","optional":true},"user_id":{"type":"string","description":"ID of the Terraform Cloud or Enterprise user (e.g., user-xxxxxxxxxxxxxxxx)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token":{"version":0,"block":{"attributes":{"client_token":{"type":"string","description":"The client token.","description_kind":"plain","computed":true,"sensitive":true},"display_name":{"type":"string","description":"The display name of the token.","description_kind":"plain","optional":true},"explicit_max_ttl":{"type":"string","description":"The explicit max TTL of the token.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"The token lease duration.","description_kind":"plain","computed":true},"lease_started":{"type":"string","description":"The token lease started on.","description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description":"Metadata to be associated with the token.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"no_default_policy":{"type":"bool","description":"Flag to disable the default policy.","description_kind":"plain","optional":true},"no_parent":{"type":"bool","description":"Flag to create a token without parent.","description_kind":"plain","optional":true,"computed":true},"num_uses":{"type":"number","description":"The number of allowed uses of the token.","description_kind":"plain","optional":true,"computed":true},"period":{"type":"string","description":"The period of the token.","description_kind":"plain","optional":true},"policies":{"type":["set","string"],"description":"List of policies.","description_kind":"plain","optional":true},"renew_increment":{"type":"number","description":"The renew increment.","description_kind":"plain","optional":true},"renew_min_lease":{"type":"number","description":"The minimum lease to renew token.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Flag to allow the token to be renewed","description_kind":"plain","optional":true,"computed":true},"role_name":{"type":"string","description":"The token role name.","description_kind":"plain","optional":true},"ttl":{"type":"string","description":"The TTL period of the token.","description_kind":"plain","optional":true},"wrapped_token":{"type":"string","description":"The client wrapped token.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_accessor":{"type":"string","description":"The client wrapping accessor.","description_kind":"plain","computed":true,"sensitive":true},"wrapping_ttl":{"type":"string","description":"The TTL period of the wrapped token.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_token_auth_backend_role":{"version":0,"block":{"attributes":{"allowed_entity_aliases":{"type":["set","string"],"description":"Set of allowed entity aliases for this 
role.","description_kind":"plain","optional":true},"allowed_policies":{"type":["set","string"],"description":"List of allowed policies for given role.","description_kind":"plain","optional":true},"allowed_policies_glob":{"type":["set","string"],"description":"Set of allowed policies with glob match for given role.","description_kind":"plain","optional":true},"disallowed_policies":{"type":["set","string"],"description":"List of disallowed policies for given role.","description_kind":"plain","optional":true},"disallowed_policies_glob":{"type":["set","string"],"description":"Set of disallowed policies with glob match for given role.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"orphan":{"type":"bool","description":"If true, tokens created against this policy will be orphan tokens.","description_kind":"plain","optional":true},"path_suffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name.","description_kind":"plain","optional":true},"renewable":{"type":"bool","description":"Whether to disable the ability of the token to be renewed past its initial TTL.","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated 
token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_alphabet":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the alphabet.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_transform_role":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"transformations":{"type":["list","string"],"description":"A comma separated string or slice of transformations to use.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_template":{"version":0,"block":{"attributes":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.","description_kind":"plain","optional":true},"decode_formats":{"type":["map","string"],"description":"The map of regular expression templates used to customize decoded outputs.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"encode_format":{"type":"string","description":"The regular expression template used for encoding values.\nOnly applicable to FPE transformations.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the template.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_transformation":{"version":0,"block":{"attributes":{"allowed_roles":{"type":["list","string"],"description":"The set of roles allowed to perform this transformation.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"masking_character":{"type":"string","description":"The character used to replace data when in masking mode","description_kind":"plain","optional":true},"name":{"type":"string","description":"The name of the transformation.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The mount path for a back-end, for example, the path given in \"$ vault auth enable -path=my-aws aws\".","description_kind":"plain","required":true},"template":{"type":"string","description":"The name of the template to use.","description_kind":"plain","optional":true},"templates":{"type":["list","string"],"description":"Templates configured for transformation.","description_kind":"plain","optional":true,"computed":true},"tweak_source":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.","description_kind":"plain","optional":true},"type":{"type":"string","description":"The type of transformation to perform.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_backend_key":{"version":0,"block":{"attributes":{"allow_plaintext_backup":{"type":"bool","description":"If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"auto_rotate_period":{"type":"number","description":"Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.","description_kind":"plain","optional":true,"computed":true},"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"convergent_encryption":{"type":"bool","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.","description_kind":"plain","optional":true},"deletion_allowed":{"type":"bool","description":"Specifies if the key is allowed to be deleted.","description_kind":"plain","optional":true},"derived":{"type":"bool","description":"Specifies if key derivation is to be used. 
If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.","description_kind":"plain","optional":true},"exportable":{"type":"bool","description":"Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_size":{"type":"number","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512.","description_kind":"plain","optional":true},"keys":{"type":["list",["map","string"]],"description":"List of key versions in the keyring.","description_kind":"plain","computed":true},"latest_version":{"type":"number","description":"Latest key version in use in the keyring","description_kind":"plain","computed":true},"min_available_version":{"type":"number","description":"Minimum key version available for use.","description_kind":"plain","computed":true},"min_decryption_version":{"type":"number","description":"Minimum key version to use for decryption.","description_kind":"plain","optional":true},"min_encryption_version":{"type":"number","description":"Minimum key version to use for encryption","description_kind":"plain","optional":true},"name":{"type":"string","description":"Name of the encryption key to create.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"supports_decryption":{"type":"bool","description":"Whether or not the key supports decryption, based on key type.","description_kind":"plain","computed":true},"supports_derivation":{"type":"bool","description":"Whether or not the key supports derivation, based on key type.","description_kind":"plain","computed":true},"supports_encryption":{"type":"bool","description":"Whether or not the key supports encryption, based on key type.","description_kind":"plain","computed":true},"supports_signing":{"type":"bool","description":"Whether or not the key supports signing, based on key type.","description_kind":"plain","computed":true},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_secret_cache_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the resource belongs to.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"size":{"type":"number","description":"Number of cache entries. 
A size of 0 mean unlimited.","description_kind":"plain","required":true}},"description_kind":"plain"}}},"data_source_schemas":{"vault_ad_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"AD Secret Backend to read credentials from.","description_kind":"plain","required":true},"current_password":{"type":"string","description":"Password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the service account.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the service account.","description_kind":"plain","computed":true}},"description_kind":"plain","deprecated":true}},"vault_approle_auth_backend_role_id":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_auth_backend":{"version":1,"block":{"attributes":{"accessor":{"type":"string","description":"The accessor of the auth backend.","description_kind":"plain","computed":true},"default_lease_ttl_seconds":{"type":"number","description":"Default lease duration in seconds","description_kind":"plain","computed":true},"description":{"type":"string","description":"The description of the auth backend.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"listing_visibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint.","description_kind":"plain","computed":true},"local":{"type":"bool","description":"Specifies if the auth method is local only","description_kind":"plain","computed":true},"max_lease_ttl_seconds":{"type":"number","description":"Maximum possible lease duration in seconds","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"The auth backend mount point.","description_kind":"plain","required":true},"type":{"type":"string","description":"The name of the auth backend.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_auth_backends":{"version":0,"block":{"attributes":{"accessors":{"type":["list","string"],"description":"The accessors of the auth backends.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["list","string"],"description":"The auth backend mount points.","description_kind":"plain","computed":true},"type":{"type":"string","description":"The type of the auth backend.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform 
was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"region":{"type":"string","description":"Region the read credentials belong to.","description_kind":"plain","optional":true},"role":{"type":"string","description":"AWS Secret Role to read credentials from.","description_kind":"plain","required":true},"role_arn":{"type":"string","description":"ARN to use if multiple are available in the role. Required if the role has multiple ARNs.","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"security_token":{"type":"string","description":"AWS security token read from Vault. (Only returned if type is 'sts').","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"User specified Time-To-Live for the STS token. Uses the Role defined default_sts_ttl when not specified","description_kind":"plain","optional":true},"type":{"type":"string","description":"Type of credentials to read. Must be either 'creds' for Access Key and Secret Key, or 'sts' for STS.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_aws_static_access_credentials":{"version":0,"block":{"attributes":{"access_key":{"type":"string","description":"AWS access key ID read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"backend":{"type":"string","description":"AWS Secret Backend to read credentials from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"secret_key":{"type":"string","description":"AWS secret key read from Vault.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_azure_access_credentials":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Azure Secret Backend to read credentials from.","description_kind":"plain","required":true},"client_id":{"type":"string","description":"The client id for credentials to query the Azure APIs.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The client secret for credentials to query the Azure APIs.","description_kind":"plain","computed":true,"sensitive":true},"environment":{"type":"string","description":"The Azure environment to use during credential validation.\nDefaults to the Azure Public Cloud.\nSome possible values: AzurePublicCloud, AzureUSGovernmentCloud","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"max_cred_validation_seconds":{"type":"number","description":"If 'validate_creds' is true, the number of seconds after which to give up validating credentials.","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"num_seconds_between_tests":{"type":"number","description":"If 'validate_creds' is true, the number of seconds to wait between each test of generated credentials.","description_kind":"plain","optional":true},"num_sequential_successes":{"type":"number","description":"If 'validate_creds' is true, the number of sequential successes required to validate generated credentials.","description_kind":"plain","optional":true},"role":{"type":"string","description":"Azure Secret Role to read credentials from.","description_kind":"plain","required":true},"subscription_id":{"type":"string","description":"The subscription ID to use during credential validation. Defaults to the subscription ID configured in the Vault backend","description_kind":"plain","optional":true},"tenant_id":{"type":"string","description":"The tenant ID to use during credential validation. Defaults to the tenant ID configured in the Vault backend","description_kind":"plain","optional":true},"validate_creds":{"type":"bool","description":"Whether generated credentials should be validated before being returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_gcp_auth_backend_role":{"version":1,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the auth backend to 
configure.","description_kind":"plain","optional":true},"bound_instance_groups":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_labels":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_projects":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_regions":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_service_accounts":{"type":["set","string"],"description_kind":"plain","computed":true},"bound_zones":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role_id":{"type":"string","description":"The RoleID of the GCP auth role.","description_kind":"plain","computed":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's 
Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_generic_secret":{"version":1,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds relative to the time in lease_start_time.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"lease_start_time":{"type":"string","description":"Time at which the lease was read, using the clock of the system where Terraform was running","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path from which a secret will be read.","description_kind":"plain","required":true},"version":{"type":"number","description_kind":"plain","optional":true},"with_lease_start_time":{"type":"bool","description":"If set to true, stores 'lease_start_time' in the TF state.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_entity":{"version":0,"block":{"attributes":{"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_name":{"type":"string","description":"Name of the alias. This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"aliases":{"type":["set",["object",{"canonical_id":"string","creation_time":"string","id":"string","last_update_time":"string","merged_from_canonical_ids":["set","string"],"metadata":["map","string"],"mount_accessor":"string","mount_path":"string","mount_type":"string","name":"string"}]],"description_kind":"plain","computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Entity data from Vault in JSON String form","description_kind":"plain","computed":true},"direct_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"disabled":{"type":"bool","description_kind":"plain","computed":true},"entity_id":{"type":"string","description":"ID of the entity.","description_kind":"plain","optional":true,"computed":true},"entity_name":{"type":"string","description":"Name of the 
entity.","description_kind":"plain","optional":true,"computed":true},"group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"inherited_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"merged_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_group":{"version":1,"block":{"attributes":{"alias_canonical_id":{"type":"string","description_kind":"plain","computed":true},"alias_creation_time":{"type":"string","description_kind":"plain","computed":true},"alias_id":{"type":"string","description":"ID of the alias.","description_kind":"plain","optional":true,"computed":true},"alias_last_update_time":{"type":"string","description_kind":"plain","computed":true},"alias_merged_from_canonical_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"alias_metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"alias_mount_accessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.","description_kind":"plain","optional":true,"computed":true},"alias_mount_path":{"type":"string","description_kind":"plain","computed":true},"alias_mount_type":{"type":"string","description_kind":"plain","computed":true},"alias_name":{"type":"string","description":"Name of the alias. 
This should be supplied in conjunction with `alias_mount_accessor`.","description_kind":"plain","optional":true,"computed":true},"creation_time":{"type":"string","description_kind":"plain","computed":true},"data_json":{"type":"string","description":"Group data from Vault in JSON String form","description_kind":"plain","computed":true},"group_id":{"type":"string","description":"ID of the group.","description_kind":"plain","optional":true,"computed":true},"group_name":{"type":"string","description":"Name of the group.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_update_time":{"type":"string","description_kind":"plain","computed":true},"member_entity_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"member_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"metadata":{"type":["map","string"],"description_kind":"plain","computed":true},"modify_index":{"type":"number","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description_kind":"plain","computed":true},"parent_group_ids":{"type":["set","string"],"description_kind":"plain","computed":true},"policies":{"type":["set","string"],"description_kind":"plain","computed":true},"type":{"type":"string","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_client_creds":{"version":0,"block":{"attributes":{"client_id":{"type":"string","description":"The Client ID from Vault.","description_kind":"plain","computed":true},"client_secret":{"type":"string","description":"The Client Secret from Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"name":{"type":"string","description":"The name of the client.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_identity_oidc_openid_config":{"version":0,"block":{"attributes":{"authorization_endpoint":{"type":"string","description":"The Authorization Endpoint for the provider.","description_kind":"plain","computed":true},"grant_types_supported":{"type":["list","string"],"description":"The grant types supported by the provider.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"id_token_signing_alg_values_supported":{"type":["list","string"],"description":"The signing algorithms supported by the provider.","description_kind":"plain","computed":true},"issuer":{"type":"string","description":"The URL of the issuer for the provider.","description_kind":"plain","computed":true},"jwks_uri":{"type":"string","description":"The well known keys URI for the 
provider.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"request_uri_parameter_supported":{"type":"bool","description":"Specifies whether Request URI Parameter is supported by the provider.","description_kind":"plain","computed":true},"response_types_supported":{"type":["list","string"],"description":"The response types supported by the provider.","description_kind":"plain","computed":true},"scopes_supported":{"type":["list","string"],"description":"The scopes supported by the provider.","description_kind":"plain","computed":true},"subject_types_supported":{"type":["list","string"],"description":"The subject types supported by the provider.","description_kind":"plain","computed":true},"token_endpoint":{"type":"string","description":"The Token Endpoint for the provider.","description_kind":"plain","computed":true},"token_endpoint_auth_methods_supported":{"type":["list","string"],"description":"The token endpoint auth methods supported by the provider.","description_kind":"plain","computed":true},"userinfo_endpoint":{"type":"string","description":"The User Info Endpoint for the provider.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_identity_oidc_public_keys":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"keys":{"type":["list",["map","string"]],"description":"The public portion of keys for an OIDC provider. Clients can use them to validate the authenticity of an identity token.","description_kind":"plain","computed":true},"name":{"type":"string","description":"The name of the provider.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_config":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"disable_iss_validation":{"type":"bool","description":"Optional disable JWT issuer validation. Allows to skip ISS validation.","description_kind":"plain","optional":true,"computed":true},"disable_local_ca_jwt":{"type":"bool","description":"Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.","description_kind":"plain","optional":true,"computed":true},"kubernetes_ca_cert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.","description_kind":"plain","optional":true,"computed":true},"kubernetes_host":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"pem_keys":{"type":["list","string"],"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. 
Not every installation of Kubernetes exposes these keys.","description_kind":"plain","optional":true,"computed":true}},"description_kind":"plain"}},"vault_kubernetes_auth_backend_role":{"version":0,"block":{"attributes":{"alias_name_source":{"type":"string","description":"Method used for generating identity aliases.","description_kind":"plain","computed":true},"audience":{"type":"string","description":"Optional Audience claim to verify in the JWT.","description_kind":"plain","optional":true},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","description_kind":"plain","optional":true},"bound_service_account_names":{"type":["set","string"],"description":"List of service account names able to access this role. If set to \"*\" all names are allowed, both this and bound_service_account_namespaces can not be \"*\".","description_kind":"plain","computed":true},"bound_service_account_namespaces":{"type":["set","string"],"description":"List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed, both this and bound_service_account_names can not be set to \"*\".","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"token_bound_cidrs":{"type":["set","string"],"description":"Specifies the blocks of IP addresses which are allowed to use the generated token","description_kind":"plain","optional":true},"token_explicit_max_ttl":{"type":"number","description":"Generated Token's Explicit Maximum TTL in seconds","description_kind":"plain","optional":true},"token_max_ttl":{"type":"number","description":"The maximum lifetime of the generated token","description_kind":"plain","optional":true},"token_no_default_policy":{"type":"bool","description":"If true, the 'default' policy will not automatically be added to generated tokens","description_kind":"plain","optional":true},"token_num_uses":{"type":"number","description":"The maximum number of times a token may be used, a value of zero means unlimited","description_kind":"plain","optional":true},"token_period":{"type":"number","description":"Generated Token's Period","description_kind":"plain","optional":true},"token_policies":{"type":["set","string"],"description":"Generated Token's Policies","description_kind":"plain","optional":true},"token_ttl":{"type":"number","description":"The initial ttl of the token to generate in seconds","description_kind":"plain","optional":true},"token_type":{"type":"string","description":"The type of token to generate, service or batch","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kubernetes_service_account_token":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Kubernetes secret backend to generate service account tokens from.","description_kind":"plain","required":true},"cluster_role_binding":{"type":"bool","description":"If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a 
namespace.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"kubernetes_namespace":{"type":"string","description":"The name of the Kubernetes namespace in which to generate the credentials.","description_kind":"plain","required":true},"lease_duration":{"type":"number","description":"The duration of the lease in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"The lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"service_account_name":{"type":"string","description":"The name of the service account associated with the token.","description_kind":"plain","computed":true},"service_account_namespace":{"type":"string","description":"The Kubernetes namespace that the service account resides in.","description_kind":"plain","computed":true},"service_account_token":{"type":"string","description":"The Kubernetes service account token.","description_kind":"plain","computed":true,"sensitive":true},"ttl":{"type":"string","description":"The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from 
Vault.","description_kind":"plain","computed":true,"sensitive":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secret_subkeys_v2":{"version":0,"block":{"attributes":{"data":{"type":["map","string"],"description":"Subkeys stored as a map of strings.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"Subkeys for the KV-V2 secret read from Vault.","description_kind":"plain","computed":true},"depth":{"type":"number","description":"Specifies the deepest nesting level to provide in the output.If non-zero, keys that reside at the specified depth value will be artificially treated as leaves and will thus be 'null' even if further underlying sub-keys exist.","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. 
For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the generic secret will be written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Specifies the version to return. If not set the latest version is returned.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secret_v2":{"version":0,"block":{"attributes":{"created_time":{"type":"string","description":"Time at which the secret was created","description_kind":"plain","computed":true},"custom_metadata":{"type":["map","string"],"description":"Custom metadata for the secret","description_kind":"plain","computed":true},"data":{"type":["map","string"],"description":"Map of strings read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"data_json":{"type":"string","description":"JSON-encoded secret data read from Vault.","description_kind":"plain","computed":true,"sensitive":true},"deletion_time":{"type":"string","description":"Deletion time for the secret","description_kind":"plain","computed":true},"destroyed":{"type":"bool","description":"Indicates whether the secret has been destroyed","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KVV2 secret is written.","description_kind":"plain","computed":true},"version":{"type":"number","description":"Version of the secret to retrieve","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_kv_secrets_list":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full KV-V1 path where secrets will be listed.","description_kind":"plain","required":true}},"description_kind":"plain"}},"vault_kv_secrets_list_v2":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted","description_kind":"plain","required":true},"name":{"type":"string","description":"Full named path of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz'","description_kind":"plain","optional":true},"names":{"type":["list","string"],"description":"List of all secret names.","description_kind":"plain","computed":true,"sensitive":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Full path where the KV-V2 secrets are listed.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_dynamic_credentials":{"version":0,"block":{"attributes":{"distinguished_names":{"type":["list","string"],"description":"List of the distinguished names (DN) created.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"lease_duration":{"type":"number","description":"Lease duration in seconds.","description_kind":"plain","computed":true},"lease_id":{"type":"string","description":"Lease identifier assigned by Vault.","description_kind":"plain","computed":true},"lease_renewable":{"type":"bool","description":"True if the duration of this lease can be extended through renewal.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the dynamic role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"username":{"type":"string","description":"Name of the dynamic role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_ldap_static_credentials":{"version":0,"block":{"attributes":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage password rotation for.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"last_password":{"type":"string","description":"Last known password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"last_vault_rotation":{"type":"string","description":"Last time Vault rotated this static role's password.","description_kind":"plain","computed":true},"mount":{"type":"string","description":"LDAP Secret Backend to read credentials from.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"password":{"type":"string","description":"Password for the static role.","description_kind":"plain","computed":true,"sensitive":true},"role_name":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"rotation_period":{"type":"number","description":"How often Vault should rotate the password of the user entry.","description_kind":"plain","computed":true},"ttl":{"type":"number","description":"Duration in seconds after which the issued credential should expire.","description_kind":"plain","computed":true},"username":{"type":"string","description":"Name of the static role.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_namespace":{"version":0,"block":{"attributes":{"custom_metadata":{"type":["map","string"],"description":"Metadata associated with this namespace.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"namespace_id":{"type":"string","description":"Namespace ID.","description_kind":"plain","computed":true},"path":{"type":"string","description":"Namespace path.","description_kind":"plain","optional":true},"path_fq":{"type":"string","description":"The fully qualified namespace path.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_namespaces":{"version":0,"block":{"attributes":{"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"paths":{"type":["set","string"],"description":"Namespace paths.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_nomad_access_token":{"version":0,"block":{"attributes":{"accessor_id":{"type":"string","description":"The public identifier for a specific token. It can be used to look up information about a token or to revoke a token.","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Nomad secret backend to generate tokens from.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"role":{"type":"string","description":"Name of the role.","description_kind":"plain","required":true},"secret_id":{"type":"string","description":"Used to make requests to Nomad and should be kept private.","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_pki_secret_backend_config_est":{"version":0,"block":{"attributes":{"audit_fields":{"type":["list","string"],"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies","description_kind":"plain","computed":true},"authenticators":{"type":["list",["object",{"cert":["map","string"],"userpass":["map","string"]}]],"description":"Lists the mount accessors EST should delegate authentication requests towards","description_kind":"plain","computed":true},"backend":{"type":"string","description":"Path where PKI engine is mounted","description_kind":"plain","required":true},"default_mount":{"type":"bool","description":"If set, this mount is registered as the default `.well-known/est` URL path. 
Only a single mount can enable this across a Vault cluster","description_kind":"plain","computed":true},"default_path_policy":{"type":"string","description":"Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:\u003crole_name\u003e","description_kind":"plain","computed":true},"enable_sentinel_parsing":{"type":"bool","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies","description_kind":"plain","computed":true},"enabled":{"type":"bool","description":"Specifies whether EST is enabled","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"label_to_path_policy":{"type":["map","string"],"description":"A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths","description_kind":"plain","computed":true},"last_updated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description":"Reads Vault PKI EST configuration","description_kind":"plain"}},"vault_pki_secret_backend_issuer":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"ca_chain":{"type":["list","string"],"description":"The CA chain as a list of format specific certificates","description_kind":"plain","computed":true},"certificate":{"type":"string","description":"The certificate.","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"issuer_id":{"type":"string","description":"ID of the issuer.","description_kind":"plain","computed":true},"issuer_name":{"type":"string","description":"Name of the issuer.","description_kind":"plain","computed":true},"issuer_ref":{"type":"string","description":"Reference to an existing issuer.","description_kind":"plain","required":true},"key_id":{"type":"string","description":"ID of the key used by the issuer.","description_kind":"plain","computed":true},"leaf_not_after_behavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during issuance.","description_kind":"plain","computed":true},"manual_chain":{"type":["list","string"],"description":"Chain of issuer references to build this issuer's computed CAChain field from, when non-empty","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"usage":{"type":"string","description":"Allowed usages for this issuer.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_pki_secret_backend_issuers":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of issuer strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key info data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used by issuers under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_key":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_id":{"type":"string","description":"ID of the key used.","description_kind":"plain","computed":true},"key_name":{"type":"string","description":"Name of the key.","description_kind":"plain","computed":true},"key_ref":{"type":"string","description":"Reference to an existing key.","description_kind":"plain","required":true},"key_type":{"type":"string","description":"Type of the key.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_pki_secret_backend_keys":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"Full path where PKI backend is mounted.","description_kind":"plain","required":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key_info":{"type":["map","string"],"description":"Map of key strings read from Vault.","description_kind":"plain","computed":true},"key_info_json":{"type":"string","description":"JSON-encoded key data read from Vault.","description_kind":"plain","computed":true},"keys":{"type":["list","string"],"description":"Keys used under the backend path.","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_policy_document":{"version":0,"block":{"attributes":{"hcl":{"type":"string","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true}},"block_types":{"rule":{"nesting_mode":"list","block":{"attributes":{"capabilities":{"type":["list","string"],"description_kind":"plain","required":true},"description":{"type":"string","description_kind":"plain","optional":true},"max_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"min_wrapping_ttl":{"type":"string","description_kind":"plain","optional":true},"path":{"type":"string","description_kind":"plain","required":true},"required_parameters":{"type":["list","string"],"description_kind":"plain","optional":true}},"block_types":{"allowed_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}},"denied_parameter":{"nesting_mode":"list","block":{"attributes":{"key":{"type":"string","description_kind":"plain","required":true},"value":{"type":["list","string"],"description_kind":"plain","required":true}},"description_kind":"plain"}}},"description":"The policy rule","description_kind":"plain"}}},"description_kind":"plain"}},"vault_raft_autopilot_state":{"version":0,"block":{"attributes":{"failure_tolerance":{"type":"number","description":"How many nodes could fail before the cluster becomes unhealthy","description_kind":"plain","computed":true},"healthy":{"type":"bool","description":"Health status","description_kind":"plain","computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"leader":{"type":"string","description":"Current leader of Vault","description_kind":"plain","computed":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"optimistic_failure_tolerance":{"type":"number","description":"The cluster-level optimistic failure tolerance.","description_kind":"plain","computed":true},"redundancy_zones":{"type":["map","string"],"description":"Additional output related to redundancy zones stored as a map of strings.","description_kind":"plain","computed":true},"redundancy_zones_json":{"type":"string","description":"Subkeys for the redundancy zones read from Vault.","description_kind":"plain","computed":true},"servers":{"type":["map","string"],"description":"Additional output related to servers stored as a map of strings.","description_kind":"plain","computed":true},"servers_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"upgrade_info":{"type":["map","string"],"description":"Additional output related to upgrade info stored as a map of strings.","description_kind":"plain","computed":true},"upgrade_info_json":{"type":"string","description":"Subkeys for the servers read from Vault.","description_kind":"plain","computed":true},"voters":{"type":["list","string"],"description":"The voters in the Vault cluster.","description_kind":"plain","computed":true}},"description_kind":"plain"}},"vault_transform_decode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be decoded in a single batch. If this parameter is set, the top-level parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of decoding batch_input.","description_kind":"plain","optional":true,"computed":true},"decoded_value":{"type":"string","description":"The result of decoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to decode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transform_encode":{"version":0,"block":{"attributes":{"batch_input":{"type":["list",["map","string"]],"description":"Specifies a list of items to be encoded in a single batch. If this parameter is set, the parameters 'value', 'transformation' and 'tweak' will be ignored. 
Each batch item within the list can specify these parameters instead.","description_kind":"plain","optional":true},"batch_results":{"type":["list",["map","string"]],"description":"The result of encoding batch_input.","description_kind":"plain","optional":true,"computed":true},"encoded_value":{"type":"string","description":"The result of encoding a value.","description_kind":"plain","optional":true,"computed":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"path":{"type":"string","description":"Path to backend from which to retrieve data.","description_kind":"plain","required":true},"role_name":{"type":"string","description":"The name of the role.","description_kind":"plain","required":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.","description_kind":"plain","optional":true},"tweak":{"type":"string","description":"The tweak value to use. 
Only applicable for FPE transformations","description_kind":"plain","optional":true},"value":{"type":"string","description":"The value in which to encode.","description_kind":"plain","optional":true}},"description_kind":"plain"}},"vault_transit_decrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","required":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the decryption key to use.","description_kind":"plain","required":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Decrypted plain text","description_kind":"plain","computed":true,"sensitive":true}},"description_kind":"plain"}},"vault_transit_encrypt":{"version":0,"block":{"attributes":{"backend":{"type":"string","description":"The Transit secret backend the key belongs to.","description_kind":"plain","required":true},"ciphertext":{"type":"string","description":"Transit encrypted cipher text.","description_kind":"plain","computed":true},"context":{"type":"string","description":"Specifies the context for key derivation","description_kind":"plain","optional":true},"id":{"type":"string","description_kind":"plain","optional":true,"computed":true},"key":{"type":"string","description":"Name of the encryption key to use.","description_kind":"plain","required":true},"key_version":{"type":"number","description":"The version of the key to use for encryption","description_kind":"plain","optional":true},"namespace":{"type":"string","description":"Target namespace. 
(requires Enterprise)","description_kind":"plain","optional":true},"plaintext":{"type":"string","description":"Map of strings read from Vault.","description_kind":"plain","required":true,"sensitive":true}},"description_kind":"plain"}}}}}} diff --git a/examples-generated/aws/authbackendclient.yaml b/examples-generated/aws/authbackendclient.yaml index 530e18e4..d776e81a 100644 --- a/examples-generated/aws/authbackendclient.yaml +++ b/examples-generated/aws/authbackendclient.yaml @@ -8,15 +8,9 @@ metadata: name: example spec: forProvider: - accessKeySecretRef: - key: example-key - name: example-secret - namespace: upbound-system - backend: cert - secretKeySecretRef: - key: example-key - name: example-secret - namespace: upbound-system + identityTokenAudience: + identityTokenTtl: + roleArn: --- diff --git a/examples-generated/azure/authbackendconfig.yaml b/examples-generated/azure/authbackendconfig.yaml index 084ddbc3..92144e06 100644 --- a/examples-generated/azure/authbackendconfig.yaml +++ b/examples-generated/azure/authbackendconfig.yaml @@ -13,11 +13,8 @@ spec: key: example-key name: example-secret namespace: upbound-system - clientSecretSecretRef: - key: example-key - name: example-secret - namespace: upbound-system - resource: https://vault.hashicorp.com + identityTokenAudience: + identityTokenTtl: tenantIdSecretRef: key: example-key name: example-secret @@ -35,4 +32,5 @@ metadata: name: example spec: forProvider: + identityTokenKey: example-key type: azure diff --git a/examples-generated/azure/secretbackend.yaml b/examples-generated/azure/secretbackend.yaml index 235437c3..2c3b1661 100644 --- a/examples-generated/azure/secretbackend.yaml +++ b/examples-generated/azure/secretbackend.yaml 
@@ -12,11 +12,8 @@ spec: key: example-key name: example-secret namespace: upbound-system - clientSecretSecretRef: - key: example-key - name: example-secret - namespace: upbound-system - environment: AzurePublicCloud + identityTokenAudience: + identityTokenTtl: subscriptionIdSecretRef: key: example-key name: example-secret @@ -25,4 +22,3 @@ spec: key: example-key name: example-secret namespace: upbound-system - useMicrosoftGraphApi: true diff --git a/examples-generated/gcp/secretbackend.yaml b/examples-generated/gcp/secretbackend.yaml index d5265886..728dbc85 100644 --- a/examples-generated/gcp/secretbackend.yaml +++ b/examples-generated/gcp/secretbackend.yaml @@ -8,7 +8,7 @@ metadata: name: gcp spec: forProvider: - credentialsSecretRef: - key: attribute.credentials.json - name: example-secret - namespace: upbound-system + identityTokenAudience: + identityTokenKey: example-key + identityTokenTtl: 1800 + serviceAccountEmail: diff --git a/examples-generated/mongodbatlas/secretbackend.yaml b/examples-generated/mongodbatlas/secretbackend.yaml index 41e0b4cc..71b9698e 100644 --- a/examples-generated/mongodbatlas/secretbackend.yaml +++ b/examples-generated/mongodbatlas/secretbackend.yaml @@ -8,7 +8,7 @@ metadata: name: config spec: forProvider: - mount: vault_mount.mongo.path + mount: dummy privateKey: privateKey publicKey: publicKey diff --git a/examples-generated/mongodbatlas/secretrole.yaml b/examples-generated/mongodbatlas/secretrole.yaml index e9cf0b86..2d544efc 100644 --- a/examples-generated/mongodbatlas/secretrole.yaml +++ b/examples-generated/mongodbatlas/secretrole.yaml @@ -15,8 +15,10 @@ spec: name: tf-test-role organizationId: 7cf5a45a9ccf6400e60981b7 projectId: 5cf5a45a9ccf6400e60981b6 - projectRoles: GROUP_READ_ONLY - roles: ORG_READ_ONLY + projectRoles: + - GROUP_READ_ONLY + roles: + - ORG_READ_ONLY ttl: "60" --- 
@@ -31,7 +33,7 @@ metadata: name: config spec: forProvider: - mount: vault_mount.mongo.path + mount: '%s' privateKey: privateKey publicKey: publicKey
diff --git a/examples/aws/authbackendclient.yaml b/examples/aws/authbackendclient.yaml
new file mode 100644
index 00000000..1e51894c
--- /dev/null
+++ b/examples/aws/authbackendclient.yaml
@@ -0,0 +1,19 @@
+apiVersion: aws.vault.upbound.io/v1alpha1
+kind: AuthBackendClient
+metadata:
+ annotations:
+ meta.upbound.io/example-id: aws/v1alpha1/authbackendclient
+ labels:
+ testing.upbound.io/example-name: example
+ name: authbackendclient-accesskey/secretkey
+spec:
+ forProvider:
+ accessKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ backend: cert
+ secretKeySecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
diff --git a/examples/azure/authbackendconfig.yaml b/examples/azure/authbackendconfig.yaml
new file mode 100644
index 00000000..c3526006
--- /dev/null
+++ b/examples/azure/authbackendconfig.yaml
@@ -0,0 +1,38 @@
+apiVersion: azure.vault.upbound.io/v1alpha1
+kind: AuthBackendConfig
+metadata:
+ annotations:
+ meta.upbound.io/example-id: azure/v1alpha1/authbackendconfig
+ labels:
+ testing.upbound.io/example-name: example
+ name: azure-authbackendconfig-secretref
+spec:
+ forProvider:
+ backend: cert
+ clientIdSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ clientSecretSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ resource: https://vault.hashicorp.com
+ tenantIdSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+
+---
+
+apiVersion: auth.vault.upbound.io/v1alpha1
+kind: Backend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: azure/v1alpha1/authbackendconfig
+ labels:
+ testing.upbound.io/example-name: example
+ name: example
+spec:
+ forProvider:
+ type: azure
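Review bot: In examples/aws/authbackendclient.yaml, `name: authbackendclient-accesskey/secretkey` contains a `/`, which is not valid in a Kubernetes object name (resource names must be lowercase DNS-subdomain style), so the manifest would be rejected on apply. A hyphenated form consistent with the other examples added in this commit would work: `name: authbackendclient-accesskey-secretkey`. The file also keeps the static `accessKeySecretRef`/`secretKeySecretRef` pair while the regenerated example in this commit moves to `identityTokenAudience`/`roleArn`; a leading comment such as `# Static IAM access key variant; see examples-generated for the identity-token variant` would tell readers which credential mode this file demonstrates.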
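Review bot: `backend: cert` in examples/azure/authbackendconfig.yaml does not appear to point at the `Backend` declared in the same file, which has `type: azure` and sets no path, so the config would presumably be written to a different mount than the one this example creates. If the intent is to configure that Azure mount, `backend: azure` (or an explicit path on the `Backend`) would make the example self-consistent; please confirm against the provider's default mount path. The same `backend: cert` value is used in examples/aws/authbackendclient.yaml, where no matching mount is declared at all.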
diff --git a/examples/azure/secretbackend.yaml b/examples/azure/secretbackend.yaml
new file mode 100644
index 00000000..9680b355
--- /dev/null
+++ b/examples/azure/secretbackend.yaml
@@ -0,0 +1,28 @@
+apiVersion: azure.vault.upbound.io/v1alpha1
+kind: SecretBackend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: azure/v1alpha1/secretbackend
+ labels:
+ testing.upbound.io/example-name: azure
+ name: azure-secretbackend-secretref
+spec:
+ forProvider:
+ clientIdSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ clientSecretSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ environment: AzurePublicCloud
+ subscriptionIdSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ tenantIdSecretRef:
+ key: example-key
+ name: example-secret
+ namespace: upbound-system
+ useMicrosoftGraphApi: true
diff --git a/examples/gcp/secretbackend.yaml b/examples/gcp/secretbackend.yaml
new file mode 100644
index 00000000..d7918475
--- /dev/null
+++ b/examples/gcp/secretbackend.yaml
@@ -0,0 +1,14 @@
+apiVersion: gcp.vault.upbound.io/v1alpha1
+kind: SecretBackend
+metadata:
+ annotations:
+ meta.upbound.io/example-id: gcp/v1alpha1/secretbackend
+ labels:
+ testing.upbound.io/example-name: gcp
+ name: gcp-credentials
+spec:
+ forProvider:
+ credentialsSecretRef:
+ key: attribute.credentials.json
+ name: example-secret
+ namespace: upbound-system
diff --git a/go.mod b/go.mod
index 5efdf78c..90d3be78 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@ module github.com/upbound/provider-vault -go 1.20 +go 1.21 require ( github.com/crossplane/crossplane-runtime v0.20.0
diff --git a/go.sum b/go.sum
index 7af8765f..9f196017 100644
--- a/go.sum
+++ b/go.sum
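Review bot: examples/azure/secretbackend.yaml still sets `useMicrosoftGraphApi: true`, a line this same commit drops from examples-generated/azure/secretbackend.yaml. The regenerated `SecretBackend` CRD is not visible in this hunk, so it is unclear whether the field survives the provider update; if it was removed from the schema, this hand-written example no longer matches the API and the line should be deleted. Please check the field against the regenerated CRD before merging.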
@@ -56,6 +56,7 @@ github.com/antchfx/xpath v1.2.0/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwq github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= github.com/apparentlymart/go-dump v0.0.0-20190214190832-042adf3cf4a0 h1:MzVXffFUye+ZcSR6opIgz9Co7WcDx6ZcY+RjfFHoA0I= +github.com/apparentlymart/go-dump v0.0.0-20190214190832-042adf3cf4a0/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= @@ -103,6 +104,7 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= 
@@ -132,6 +134,7 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= @@ -208,6 +211,7 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 h1:n6vlPhxsA+BW/XsS5+uqi7GyzaLa5MH7qlSLBZtRdiA= +github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8/go.mod h1:Jh3hGz2jkYak8qXPD19ryItVnUgpgeqzdkY/D0EaeuA= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= 
@@ -289,6 +293,7 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -339,10 +344,15 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7 h1:CxRHKnh1YJXgNKxcos9rrKL6AcmOl1AS/fygmxFDzh4= github.com/muvaf/typewriter v0.0.0-20220131201631-921e94e8e8d7/go.mod h1:SAAdeMEiFXR8LcHffvIdiLI1w243DCH2DuHq7UrA5YQ= github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce h1:RPclfga2SEJmgMmz2k+Mg7cowZ8yv4Trqw9UsJby758= +github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce/go.mod h1:uFMI8w+ref4v2r9jz+c9i1IfIttS/OkmLfrk1jne5hs= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= +github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= +github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -362,6 +372,7 @@ github.com/prometheus/procfs v0.10.0/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPH github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= @@ -429,6 +440,7 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= 
@@ -542,6 +554,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -781,6 +794,7 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/package/crds/ad.vault.upbound.io_secretbackends.yaml b/package/crds/ad.vault.upbound.io_secretbackends.yaml index 1268ea9c..05429117 100644 --- a/package/crds/ad.vault.upbound.io_secretbackends.yaml +++ b/package/crds/ad.vault.upbound.io_secretbackends.yaml 
@@ -178,11 +178,6 @@ spec: Name of a user. Use anonymous bind to discover the bind DN of a user. type: boolean - formatter: - description: Deprecated use password_policy. Text to insert the - password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text - to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - type: string groupattr: description: 'LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, @@ -217,11 +212,6 @@ spec: if Active Directory shows a later rotation, it should be considered out-of-band. type: number - length: - description: Deprecated use password_policy. The desired length - of passwords that Vault generates. Mutually exclusive with The - desired length of passwords that Vault generates. - type: number local: description: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration @@ -246,8 +236,8 @@ spec: Enterprise) type: string passwordPolicy: - description: 1.11+ Name of the password policy to use to generate - passwords. + description: Name of the password policy to use to generate passwords. + Name of the password policy to use to generate passwords. type: string requestTimeout: description: Timeout, in seconds, for the connection when making @@ -389,11 +379,6 @@ spec: Name of a user. Use anonymous bind to discover the bind DN of a user. type: boolean - formatter: - description: Deprecated use password_policy. Text to insert the - password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text - to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - type: string groupattr: description: 'LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, 
@@ -428,11 +413,6 @@ spec: if Active Directory shows a later rotation, it should be considered out-of-band. type: number - length: - description: Deprecated use password_policy. The desired length - of passwords that Vault generates. Mutually exclusive with The - desired length of passwords that Vault generates. - type: number local: description: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration @@ -457,8 +437,8 @@ spec: Enterprise) type: string passwordPolicy: - description: 1.11+ Name of the password policy to use to generate - passwords. + description: Name of the password policy to use to generate passwords. + Name of the password policy to use to generate passwords. type: string requestTimeout: description: Timeout, in seconds, for the connection when making @@ -797,11 +777,6 @@ spec: Name of a user. Use anonymous bind to discover the bind DN of a user. type: boolean - formatter: - description: Deprecated use password_policy. Text to insert the - password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text - to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". - type: string groupattr: description: 'LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, @@ -838,11 +813,6 @@ spec: if Active Directory shows a later rotation, it should be considered out-of-band. type: number - length: - description: Deprecated use password_policy. The desired length - of passwords that Vault generates. Mutually exclusive with The - desired length of passwords that Vault generates. - type: number local: description: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration 
@@ -867,8 +837,8 @@ spec: Enterprise) type: string passwordPolicy: - description: 1.11+ Name of the password policy to use to generate - passwords. + description: Name of the password policy to use to generate passwords. + Name of the password policy to use to generate passwords. type: string requestTimeout: description: Timeout, in seconds, for the connection when making diff --git a/package/crds/auth.vault.upbound.io_backends.yaml b/package/crds/auth.vault.upbound.io_backends.yaml index 245e6899..b6fed123 100644 --- a/package/crds/auth.vault.upbound.io_backends.yaml +++ b/package/crds/auth.vault.upbound.io_backends.yaml @@ -73,6 +73,9 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenKey: + description: The key to use for signing identity tokens. + type: string local: description: Specifies if the auth method is local only type: boolean @@ -145,6 +148,9 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenKey: + description: The key to use for signing identity tokens. + type: string local: description: Specifies if the auth method is local only type: boolean @@ -416,6 +422,9 @@ spec: type: boolean id: type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string local: description: Specifies if the auth method is local only type: boolean diff --git a/package/crds/aws.vault.upbound.io_authbackendclients.yaml b/package/crds/aws.vault.upbound.io_authbackendclients.yaml index ed4cf37c..49618f5b 100644 --- a/package/crds/aws.vault.upbound.io_authbackendclients.yaml +++ b/package/crds/aws.vault.upbound.io_authbackendclients.yaml 
@@ -69,7 +69,8 @@ spec: properties: accessKeySecretRef: description: The AWS access key that Vault should use for the - auth backend. AWS Access key with permissions to query AWS APIs. + auth backend. Mutually exclusive with identity_token_audience. + AWS Access key with permissions to query AWS APIs. properties: key: description: The key to select. @@ -107,6 +108,22 @@ spec: header as part of GetCallerIdentity requests that are used in the iam auth method. type: string + identityTokenAudience: + description: The audience claim value. Mutually exclusive with + access_key. Requires Vault 1.17+. Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.17+. Available only for Vault Enterprise The + TTL of generated identity tokens in seconds. + type: number + maxRetries: + description: Number of max retries the client should use for recoverable + errors. The default -1 falls back to the AWS SDK's default behavior. + Number of max retries the client should use for recoverable + errors. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The @@ -114,6 +131,11 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + roleArn: + description: Role ARN to assume for plugin identity token federation. + Requires Vault 1.17+. Available only for Vault Enterprise Role + ARN to assume for plugin identity token federation. + type: string secretKeySecretRef: description: The AWS secret key that Vault should use for the auth backend. AWS Secret key with permissions to query AWS APIs. 
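Review bot: The exclusion between the static access key and `identityTokenAudience` is stated only in the description text of `accessKeySecretRef` and `identityTokenAudience`. Nothing visible in these hunks makes the API server reject a spec that sets both, so the choice of credential source is left to the provider call (validation rules may exist outside the hunks shown). If the schema is meant to carry that contract, a rule on the `forProvider` object such as `- rule: '!(has(self.accessKeySecretRef) && has(self.identityTokenAudience))'` under `x-kubernetes-validations` would fail the request at admission. The descriptions also use the Terraform names `access_key` and `identity_token_audience`, which differ from the field names a CRD user types.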
@@ -188,6 +210,22 @@ spec: header as part of GetCallerIdentity requests that are used in the iam auth method. type: string + identityTokenAudience: + description: The audience claim value. Mutually exclusive with + access_key. Requires Vault 1.17+. Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.17+. Available only for Vault Enterprise The + TTL of generated identity tokens in seconds. + type: number + maxRetries: + description: Number of max retries the client should use for recoverable + errors. The default -1 falls back to the AWS SDK's default behavior. + Number of max retries the client should use for recoverable + errors. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The @@ -195,6 +233,11 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + roleArn: + description: Role ARN to assume for plugin identity token federation. + Requires Vault 1.17+. Available only for Vault Enterprise Role + ARN to assume for plugin identity token federation. + type: string stsEndpoint: description: Override the URL Vault uses when making STS API calls. URL to override the default generated endpoint for making AWS 
@@ -442,6 +485,22 @@ spec: type: string id: type: string + identityTokenAudience: + description: The audience claim value. Mutually exclusive with + access_key. Requires Vault 1.17+. Available only for Vault Enterprise + The audience claim value. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.17+. Available only for Vault Enterprise The + TTL of generated identity tokens in seconds. + type: number + maxRetries: + description: Number of max retries the client should use for recoverable + errors. The default -1 falls back to the AWS SDK's default behavior. + Number of max retries the client should use for recoverable + errors. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The @@ -449,6 +508,11 @@ spec: Available only for Vault Enterprise. Target namespace. (requires Enterprise) type: string + roleArn: + description: Role ARN to assume for plugin identity token federation. + Requires Vault 1.17+. Available only for Vault Enterprise Role + ARN to assume for plugin identity token federation. + type: string stsEndpoint: description: Override the URL Vault uses when making STS API calls. URL to override the default generated endpoint for making AWS diff --git a/package/crds/aws.vault.upbound.io_secretbackendroles.yaml b/package/crds/aws.vault.upbound.io_secretbackendroles.yaml index 757bcde2..bb1e3540 100644 --- a/package/crds/aws.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/aws.vault.upbound.io_secretbackendroles.yaml 
@@ -88,6 +88,11 @@ spec: TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. type: number + externalId: + description: External ID to set for assume role creds. Valid only + when credential_type is set to assumed_role. External ID to + set for assume role creds. + type: string iamGroups: description: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential @@ -104,6 +109,14 @@ spec: items: type: string type: array + iamTags: + additionalProperties: + type: string + description: A map of strings representing key/value pairs to + be used as tags for any IAM user that is created by this role. + A map of strings representing key/value pairs used as tags for + any IAM user created by this role. + type: object maxStsTtl: description: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when @@ -161,6 +174,14 @@ spec: items: type: string type: array + sessionTags: + additionalProperties: + type: string + description: A map of strings representing key/value pairs to + be set during assume role creds creation. Valid only when credential_type + is set to assumed_role. Session tags to be set for assume role + creds created. + type: object userPath: description: The path for the user name. Valid only when credential_type is iam_user. Default is /. The path for the user name. Valid @@ -201,6 +222,11 @@ spec: TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. type: number + externalId: + description: External ID to set for assume role creds. Valid only + when credential_type is set to assumed_role. External ID to + set for assume role creds. + type: string iamGroups: description: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential 
@@ -217,6 +243,14 @@ spec: items: type: string type: array + iamTags: + additionalProperties: + type: string + description: A map of strings representing key/value pairs to + be used as tags for any IAM user that is created by this role. + A map of strings representing key/value pairs used as tags for + any IAM user created by this role. + type: object maxStsTtl: description: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when @@ -274,6 +308,14 @@ spec: items: type: string type: array + sessionTags: + additionalProperties: + type: string + description: A map of strings representing key/value pairs to + be set during assume role creds creation. Valid only when credential_type + is set to assumed_role. Session tags to be set for assume role + creds created. + type: object userPath: description: The path for the user name. Valid only when credential_type is iam_user. Default is /. The path for the user name. Valid @@ -516,6 +558,11 @@ spec: TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. type: number + externalId: + description: External ID to set for assume role creds. Valid only + when credential_type is set to assumed_role. External ID to + set for assume role creds. + type: string iamGroups: description: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential @@ -532,6 +579,14 @@ spec: items: type: string type: array + iamTags: + additionalProperties: + type: string + description: A map of strings representing key/value pairs to + be used as tags for any IAM user that is created by this role. + A map of strings representing key/value pairs used as tags for + any IAM user created by this role. + type: object id: type: string maxStsTtl: 
@@ -591,6 +646,14 @@ spec: items: type: string type: array + sessionTags: + additionalProperties: + type: string + description: A map of strings representing key/value pairs to + be set during assume role creds creation. Valid only when credential_type + is set to assumed_role. Session tags to be set for assume role + creds created. + type: object userPath: description: The path for the user name. Valid only when credential_type is iam_user. Default is /. The path for the user name. Valid diff --git a/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml b/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml index 1d62b464..aa99f18a 100644 --- a/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml +++ b/package/crds/azure.vault.upbound.io_authbackendconfigs.yaml @@ -117,6 +117,17 @@ spec: to AzurePublicCloud. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' type: string + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + Requires Vault 1.17+. Available only for Vault Enterprise The + audience claim value. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Defaults to 1 hour. Uses duration format strings. Requires Vault + 1.17+. Available only for Vault Enterprise The TTL of generated + identity tokens in seconds. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The 
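Review bot: `identityTokenTtl` in azure.vault.upbound.io_authbackendconfigs.yaml is declared `type: number`, but its description says both "in seconds" and "Uses duration format strings". A reader cannot tell whether `3600` or `1h` is expected, and a string value would not validate against this schema. Because this value bounds how long a plugin identity token stays valid, the unit should be unambiguous, for example `description: The TTL of generated identity tokens, in seconds. Defaults to 1 hour (3600).` The same wording repeats in the two later hunks of this file and in the `identityTokenTtl` entries of gcp.vault.upbound.io_secretbackends.yaml.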
@@ -172,6 +183,17 @@ spec: to AzurePublicCloud. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' type: string + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + Requires Vault 1.17+. Available only for Vault Enterprise The + audience claim value. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Defaults to 1 hour. Uses duration format strings. Requires Vault + 1.17+. Available only for Vault Enterprise The TTL of generated + identity tokens in seconds. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The @@ -408,6 +430,17 @@ spec: type: string id: type: string + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + Requires Vault 1.17+. Available only for Vault Enterprise The + audience claim value. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Defaults to 1 hour. Uses duration format strings. Requires Vault + 1.17+. Available only for Vault Enterprise The TTL of generated + identity tokens in seconds. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The diff --git a/package/crds/azure.vault.upbound.io_secretbackends.yaml b/package/crds/azure.vault.upbound.io_secretbackends.yaml index 49fd0edb..5dae05b0 100644 --- a/package/crds/azure.vault.upbound.io_secretbackends.yaml +++ b/package/crds/azure.vault.upbound.io_secretbackends.yaml 
@@ -117,6 +117,20 @@ spec: Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' type: string + identityTokenAudience: + description: The audience claim value. Requires Vault 1.17+. Available + only for Vault Enterprise The audience claim value. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. Requires + Vault 1.17+. Available only for Vault Enterprise The key to + use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.17+. Available only for Vault Enterprise The + TTL of generated identity tokens in seconds. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The @@ -198,6 +212,20 @@ spec: Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.' type: string + identityTokenAudience: + description: The audience claim value. Requires Vault 1.17+. Available + only for Vault Enterprise The audience claim value. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. Requires + Vault 1.17+. Available only for Vault Enterprise The key to + use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.17+. Available only for Vault Enterprise The + TTL of generated identity tokens in seconds. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The 
@@ -441,6 +469,20 @@ spec: type: string id: type: string + identityTokenAudience: + description: The audience claim value. Requires Vault 1.17+. Available + only for Vault Enterprise The audience claim value. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. Requires + Vault 1.17+. Available only for Vault Enterprise The key to + use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated identity tokens in seconds. + Requires Vault 1.17+. Available only for Vault Enterprise The + TTL of generated identity tokens in seconds. + type: number namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The diff --git a/package/crds/cert.vault.upbound.io_authbackendroles.yaml b/package/crds/cert.vault.upbound.io_authbackendroles.yaml index 90933629..f4e31370 100644 --- a/package/crds/cert.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/cert.vault.upbound.io_authbackendroles.yaml @@ -83,10 +83,6 @@ spec: items: type: string type: array - allowedOrganizationUnits: - items: - type: string - type: array allowedOrganizationalUnits: items: type: string @@ -199,10 +195,6 @@ spec: items: type: string type: array - allowedOrganizationUnits: - items: - type: string - type: array allowedOrganizationalUnits: items: type: string @@ -513,10 +505,6 @@ spec: items: type: string type: array - allowedOrganizationUnits: - items: - type: string - type: array allowedOrganizationalUnits: items: type: string diff --git a/package/crds/consul.vault.upbound.io_secretbackendroles.yaml b/package/crds/consul.vault.upbound.io_secretbackendroles.yaml index c0495c66..8a76dd14 100644 --- a/package/crds/consul.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/consul.vault.upbound.io_secretbackendroles.yaml 
@@ -148,13 +148,6 @@ spec: items: type: string type: array - tokenType: - description: 'Specifies the type of token to create when using - this role. Valid values are "client" or "management". Deprecated: - Consul 1.11 and later removed the legacy ACL system which supported - this field. Specifies the type of token to create when using - this role. Valid values are "client" or "management".' - type: string ttl: description: Specifies the TTL for this role. Specifies the TTL for this role. @@ -254,13 +247,6 @@ spec: items: type: string type: array - tokenType: - description: 'Specifies the type of token to create when using - this role. Valid values are "client" or "management". Deprecated: - Consul 1.11 and later removed the legacy ACL system which supported - this field. Specifies the type of token to create when using - this role. Valid values are "client" or "management".' - type: string ttl: description: Specifies the TTL for this role. Specifies the TTL for this role. @@ -556,13 +542,6 @@ spec: items: type: string type: array - tokenType: - description: 'Specifies the type of token to create when using - this role. Valid values are "client" or "management". Deprecated: - Consul 1.11 and later removed the legacy ACL system which supported - this field. Specifies the type of token to create when using - this role. Valid values are "client" or "management".' - type: string ttl: description: Specifies the TTL for this role. Specifies the TTL for this role. diff --git a/package/crds/database.vault.upbound.io_secretsmounts.yaml b/package/crds/database.vault.upbound.io_secretsmounts.yaml index 702dc155..57610ad7 100644 --- a/package/crds/database.vault.upbound.io_secretsmounts.yaml +++ b/package/crds/database.vault.upbound.io_secretsmounts.yaml 
@@ -74,6 +74,12 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list @@ -348,6 +354,12 @@ spec: description: Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount Human-friendly description of the mount @@ -558,6 +570,10 @@ spec: type: boolean type: object type: array + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string influxdb: description: A nested block containing configuration options for InfluxDB connections. See Connection parameters for the influxdb-database-plugin @@ -695,6 +711,10 @@ spec: - passwordSecretRef type: object type: array + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that 
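Review bot: The new `delegatedAuthAccessors` field is described as `List of headers to allow and pass from the request to the plugin`, the same text given to `allowedResponseHeaders` and `passthroughRequestHeaders`, so an access-control setting is documented as a header filter. In Vault this mount option lists the auth mount accessors the backend may request delegated authentication for, and `allowedResponseHeaders` lists headers a plugin may include in the response. I would use `description: List of auth mount accessors the backend may request delegated authentication for` and `description: List of headers the plugin is allowed to include in the response`. The same descriptions repeat in the hunks at -2148, -2323, -3789 and -3964 of this file. The YAML appears to be generated from the Terraform provider schema, so the wording probably has to be overridden in the generator configuration or fixed upstream, not edited here.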
@@ -1629,10 +1649,20 @@ spec: type: boolean type: object type: array + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string postgresql: description: A nested block containing configuration options for PostgreSQL connections. See Connection parameters for the postgresql-database-plugin @@ -2148,6 +2178,12 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list @@ -2323,6 +2359,12 @@ spec: description: Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount Human-friendly description of the mount @@ -2495,6 +2537,10 @@ spec: type: boolean type: object type: array + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string influxdb: description: A nested block containing configuration options for InfluxDB connections. See Connection parameters for the influxdb-database-plugin 
@@ -2572,6 +2618,10 @@ spec: type: boolean type: object type: array + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that @@ -3203,10 +3253,20 @@ spec: type: boolean type: object type: array + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string postgresql: description: A nested block containing configuration options for PostgreSQL connections. See Connection parameters for the postgresql-database-plugin @@ -3789,6 +3849,12 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list @@ -3964,6 +4030,12 @@ spec: description: Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount Human-friendly description of the mount 
@@ -4143,6 +4215,10 @@ spec: type: array id: type: string + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string influxdb: description: A nested block containing configuration options for InfluxDB connections. See Connection parameters for the influxdb-database-plugin @@ -4220,6 +4296,10 @@ spec: type: boolean type: object type: array + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that @@ -4851,10 +4931,20 @@ spec: type: boolean type: object type: array + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string postgresql: description: A nested block containing configuration options for PostgreSQL connections. See Connection parameters for the postgresql-database-plugin diff --git a/package/crds/gcp.vault.upbound.io_authbackends.yaml b/package/crds/gcp.vault.upbound.io_authbackends.yaml index 3b94a222..0ae599b1 100644 --- a/package/crds/gcp.vault.upbound.io_authbackends.yaml +++ b/package/crds/gcp.vault.upbound.io_authbackends.yaml 
@@ -116,6 +116,15 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. + type: number local: description: Specifies if the auth method is local only type: boolean @@ -128,6 +137,10 @@ spec: type: string projectId: type: string + serviceAccountEmail: + description: Service Account to impersonate for plugin workload + identity federation. + type: string tune: items: properties: @@ -203,6 +216,15 @@ spec: disableRemount: description: If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. + type: number local: description: Specifies if the auth method is local only type: boolean @@ -215,6 +237,10 @@ spec: type: string projectId: type: string + serviceAccountEmail: + description: Service Account to impersonate for plugin workload + identity federation. + type: string tune: items: properties: @@ -484,6 +510,15 @@ spec: type: boolean id: type: string + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. + type: number local: description: Specifies if the auth method is local only type: boolean 
@@ -496,6 +531,10 @@ spec: type: string projectId: type: string + serviceAccountEmail: + description: Service Account to impersonate for plugin workload + identity federation. + type: string tune: items: properties: diff --git a/package/crds/gcp.vault.upbound.io_secretbackends.yaml b/package/crds/gcp.vault.upbound.io_secretbackends.yaml index 4719ae78..230772b9 100644 --- a/package/crds/gcp.vault.upbound.io_secretbackends.yaml +++ b/package/crds/gcp.vault.upbound.io_secretbackends.yaml @@ -98,6 +98,23 @@ spec: See here for more info on Mount Migration If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + Must match an allowed audience configured for the target Workload + Identity Pool. Mutually exclusive with credentials. Requires + Vault 1.17+. Available only for Vault Enterprise. The audience + claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing plugin identity tokens. + Requires Vault 1.17+. Available only for Vault Enterprise. The + key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. Defaults to 1 hour. + Uses duration format strings. Requires Vault 1.17+. Available + only for Vault Enterprise. The TTL of generated tokens. + type: number local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that 
@@ -120,6 +137,12 @@ spec: Must not begin or end with a /. Defaults to gcp. Path to mount the backend at. type: string + serviceAccountEmail: + description: – Service Account to impersonate for plugin workload + identity federation. Required with identity_token_audience. + Requires Vault 1.17+. Available only for Vault Enterprise. Service + Account to impersonate for plugin workload identity federation. + type: string type: object initProvider: description: THIS IS AN ALPHA FIELD. Do not use it in production. @@ -147,6 +170,23 @@ spec: See here for more info on Mount Migration If set, opts out of mount migration on path updates. type: boolean + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + Must match an allowed audience configured for the target Workload + Identity Pool. Mutually exclusive with credentials. Requires + Vault 1.17+. Available only for Vault Enterprise. The audience + claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing plugin identity tokens. + Requires Vault 1.17+. Available only for Vault Enterprise. The + key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. Defaults to 1 hour. + Uses duration format strings. Requires Vault 1.17+. Available + only for Vault Enterprise. The TTL of generated tokens. + type: number local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that 
@@ -169,6 +209,12 @@ spec: Must not begin or end with a /. Defaults to gcp. Path to mount the backend at. type: string + serviceAccountEmail: + description: – Service Account to impersonate for plugin workload + identity federation. Required with identity_token_audience. + Requires Vault 1.17+. Available only for Vault Enterprise. Service + Account to impersonate for plugin workload identity federation. + type: string type: object managementPolicies: default: @@ -372,6 +418,10 @@ spec: properties: atProvider: properties: + accessor: + description: The accessor of the created GCP mount. Accessor of + the created GCP mount. + type: string defaultLeaseTtlSeconds: description: The default TTL for credentials issued by this backend. Defaults to '0'. Default lease duration for secrets in seconds @@ -387,6 +437,23 @@ spec: type: boolean id: type: string + identityTokenAudience: + description: The audience claim value for plugin identity tokens. + Must match an allowed audience configured for the target Workload + Identity Pool. Mutually exclusive with credentials. Requires + Vault 1.17+. Available only for Vault Enterprise. The audience + claim value for plugin identity tokens. + type: string + identityTokenKey: + description: The key to use for signing plugin identity tokens. + Requires Vault 1.17+. Available only for Vault Enterprise. The + key to use for signing identity tokens. + type: string + identityTokenTtl: + description: The TTL of generated tokens. Defaults to 1 hour. + Uses duration format strings. Requires Vault 1.17+. Available + only for Vault Enterprise. The TTL of generated tokens. + type: number local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that 
@@ -409,6 +476,12 @@ spec: Must not begin or end with a /. Defaults to gcp. Path to mount the backend at. type: string + serviceAccountEmail: + description: – Service Account to impersonate for plugin workload + identity federation. Required with identity_token_audience. + Requires Vault 1.17+. Available only for Vault Enterprise. Service + Account to impersonate for plugin workload identity federation. + type: string type: object conditions: description: Conditions of the resource. diff --git a/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml b/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml index 7803181e..0cc3d78f 100644 --- a/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml +++ b/package/crds/identity.vault.upbound.io_groupmemberentityidsidses.yaml @@ -343,12 +343,6 @@ spec: description: Group ID to assign member entities to. ID of the group. type: string - groupName: - description: 'The name of the group that are assigned the member - entities. Deprecated: The value for group_name may not always - be accurate use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name - instead. Name of the group.' - type: string id: type: string memberEntityIds: diff --git a/package/crds/identity.vault.upbound.io_oidcclients.yaml b/package/crds/identity.vault.upbound.io_oidcclients.yaml index c51d1003..b2830da7 100644 --- a/package/crds/identity.vault.upbound.io_oidcclients.yaml +++ b/package/crds/identity.vault.upbound.io_oidcclients.yaml @@ -396,7 +396,8 @@ spec: type: string type: array clientId: - description: The Client ID from Vault. + description: The Client ID returned by Vault. The Client ID from + Vault. type: string clientType: description: 'The client type based on its ability to maintain diff --git a/package/crds/jwt.vault.upbound.io_authbackendroles.yaml b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml index 9b74d214..e4139402 100644 
--- a/package/crds/jwt.vault.upbound.io_authbackendroles.yaml +++ b/package/crds/jwt.vault.upbound.io_authbackendroles.yaml @@ -79,11 +79,9 @@ spec: Defaults to jwt. Unique name of the auth backend to configure. type: string boundAudiences: - description: (For "jwt" roles, at least one of bound_audiences, - bound_subject, bound_claims or token_bound_cidrs is required. - Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. List of aud claims to match against. - Any match is sufficient. + description: List of aud claims to match against. Any match is + sufficient. List of aud claims to match against. Any match is + sufficient. items: type: string type: array @@ -129,11 +127,11 @@ spec: type: boolean expirationLeeway: description: The amount of leeway to add to expiration (exp) claims - to account for clock skew, in seconds. Defaults to 60 seconds + to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults - to 60 seconds if set to 0 and can be disabled if set to -1. + to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number groupsClaim: @@ -161,7 +159,7 @@ spec: type: string notBeforeLeeway: description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 60 seconds + to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults 
@@ -290,11 +288,9 @@ spec: Defaults to jwt. Unique name of the auth backend to configure. type: string boundAudiences: - description: (For "jwt" roles, at least one of bound_audiences, - bound_subject, bound_claims or token_bound_cidrs is required. - Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. List of aud claims to match against. - Any match is sufficient. + description: List of aud claims to match against. Any match is + sufficient. List of aud claims to match against. Any match is + sufficient. items: type: string type: array @@ -340,11 +336,11 @@ spec: type: boolean expirationLeeway: description: The amount of leeway to add to expiration (exp) claims - to account for clock skew, in seconds. Defaults to 60 seconds + to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults - to 60 seconds if set to 0 and can be disabled if set to -1. + to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number groupsClaim: @@ -372,7 +368,7 @@ spec: type: string notBeforeLeeway: description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 60 seconds + to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults 
@@ -699,11 +695,9 @@ spec: Defaults to jwt. Unique name of the auth backend to configure. type: string boundAudiences: - description: (For "jwt" roles, at least one of bound_audiences, - bound_subject, bound_claims or token_bound_cidrs is required. - Optional for "oidc" roles.) List of aud claims to match against. - Any match is sufficient. List of aud claims to match against. - Any match is sufficient. + description: List of aud claims to match against. Any match is + sufficient. List of aud claims to match against. Any match is + sufficient. items: type: string type: array @@ -749,11 +743,11 @@ spec: type: boolean expirationLeeway: description: The amount of leeway to add to expiration (exp) claims - to account for clock skew, in seconds. Defaults to 60 seconds + to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults - to 60 seconds if set to 0 and can be disabled if set to -1. + to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. type: number groupsClaim: @@ -783,7 +777,7 @@ spec: type: string notBeforeLeeway: description: The amount of leeway to add to not before (nbf) claims - to account for clock skew, in seconds. Defaults to 60 seconds + to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults diff --git a/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml b/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml index 51e1605a..626cf9b5 100644 --- a/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/kubernetes.vault.upbound.io_secretbackendroles.yaml 
@@ -67,11 +67,24 @@ spec: type: string forProvider: properties: + allowedKubernetesNamespaceSelector: + description: A label selector for Kubernetes namespaces in which + credentials can be generated. Accepts either a JSON or YAML + object. The value should be of type LabelSelector. If set with + allowed_kubernetes_namespace, the conditions are ORed. A label + selector for Kubernetes namespaces in which credentials can + begenerated. Accepts either a JSON or YAML object. The value + should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, + the conditions are `OR`ed. + type: string allowedKubernetesNamespaces: description: The list of Kubernetes namespaces this role can generate - credentials for. If set to * all namespaces are allowed. The - list of Kubernetes namespaces this role can generate credentials - for. If set to '*' all namespaces are allowed. + credentials for. If set to * all namespaces are allowed. If + set with allowed_kubernetes_namespace_selector, the conditions + are ORed. The list of Kubernetes namespaces this role can generate + credentials for. If set to '*' all namespaces are allowed. If + set with`allowed_kubernetes_namespace_selector`, the conditions + are `OR`ed. items: type: string type: array 
@@ -170,11 +183,24 @@ spec: creation, for example because of an external controller is managing them, like an autoscaler. properties: + allowedKubernetesNamespaceSelector: + description: A label selector for Kubernetes namespaces in which + credentials can be generated. Accepts either a JSON or YAML + object. The value should be of type LabelSelector. If set with + allowed_kubernetes_namespace, the conditions are ORed. A label + selector for Kubernetes namespaces in which credentials can + begenerated. Accepts either a JSON or YAML object. The value + should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, + the conditions are `OR`ed. + type: string allowedKubernetesNamespaces: description: The list of Kubernetes namespaces this role can generate - credentials for. If set to * all namespaces are allowed. The - list of Kubernetes namespaces this role can generate credentials - for. If set to '*' all namespaces are allowed. + credentials for. If set to * all namespaces are allowed. If + set with allowed_kubernetes_namespace_selector, the conditions + are ORed. The list of Kubernetes namespaces this role can generate + credentials for. If set to '*' all namespaces are allowed. If + set with`allowed_kubernetes_namespace_selector`, the conditions + are `OR`ed. items: type: string type: array @@ -458,10 +484,6 @@ spec: - forProvider type: object x-kubernetes-validations: - - message: allowedKubernetesNamespaces is a required parameter - rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies - || ''Update'' in self.managementPolicies) || has(self.forProvider.allowedKubernetesNamespaces) - || has(self.initProvider.allowedKubernetesNamespaces)' - message: backend is a required parameter rule: '!(''*'' in self.managementPolicies || ''Create'' in self.managementPolicies || ''Update'' in self.managementPolicies) || has(self.forProvider.backend) 
@@ -475,11 +497,24 @@ spec: properties: atProvider: properties: + allowedKubernetesNamespaceSelector: + description: A label selector for Kubernetes namespaces in which + credentials can be generated. Accepts either a JSON or YAML + object. The value should be of type LabelSelector. If set with + allowed_kubernetes_namespace, the conditions are ORed. A label + selector for Kubernetes namespaces in which credentials can + begenerated. Accepts either a JSON or YAML object. The value + should be of typeLabelSelector. If set with `allowed_kubernetes_namespace`, + the conditions are `OR`ed. + type: string allowedKubernetesNamespaces: description: The list of Kubernetes namespaces this role can generate - credentials for. If set to * all namespaces are allowed. The - list of Kubernetes namespaces this role can generate credentials - for. If set to '*' all namespaces are allowed. + credentials for. If set to * all namespaces are allowed. If + set with allowed_kubernetes_namespace_selector, the conditions + are ORed. The list of Kubernetes namespaces this role can generate + credentials for. If set to '*' all namespaces are allowed. If + set with`allowed_kubernetes_namespace_selector`, the conditions + are `OR`ed. items: type: string type: array diff --git a/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml b/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml index 51d3e4f6..00763c35 100644 --- a/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml +++ b/package/crds/kubernetes.vault.upbound.io_secretbackends.yaml @@ -73,6 +73,12 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. 
@@ -89,6 +95,12 @@ spec: description: Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount type: string @@ -102,6 +114,10 @@ spec: description: Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string kubernetesCaCert: description: A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults @@ -117,6 +133,10 @@ spec: or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on. The Kubernetes API URL to connect to. type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: description: Local mount flag that can be explicitly set to true to enforce local mount in HA environment @@ -138,9 +158,19 @@ spec: description: Specifies mount type specific options that are passed to the backend type: object + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string sealWrap: description: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability 
@@ -187,6 +217,12 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. @@ -203,6 +239,12 @@ spec: description: Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount type: string @@ -216,6 +258,10 @@ spec: description: Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string kubernetesCaCert: description: A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults @@ -231,6 +277,10 @@ spec: or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on. The Kubernetes API URL to connect to. type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: description: Local mount flag that can be explicitly set to true to enforce local mount in HA environment 
@@ -252,9 +302,19 @@ spec: description: Specifies mount type specific options that are passed to the backend type: object + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string sealWrap: description: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability @@ -476,6 +536,12 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. @@ -492,6 +558,12 @@ spec: description: Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount type: string @@ -507,6 +579,10 @@ spec: type: boolean id: type: string + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens + type: string kubernetesCaCert: description: A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults @@ -522,6 +598,10 @@ spec: or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on. The Kubernetes API URL to connect to. type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint + type: string local: description: Local mount flag that can be explicitly set to true to enforce local mount in HA environment 
@@ -543,9 +623,19 @@ spec: description: Specifies mount type specific options that are passed to the backend type: object + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. 'v1.0.0' + type: string sealWrap: description: Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability diff --git a/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml b/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml index 38711200..1d970d69 100644 --- a/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml +++ b/package/crds/mongodbatlas.vault.upbound.io_secretroles.yaml @@ -111,14 +111,17 @@ spec: type: string projectRoles: description: Roles assigned when an org API key is assigned to - a project API key. Roles assigned when an org API key is assigned - to a project API key + a project API key. Possible values are GROUP_CLUSTER_MANAGER, + GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, + GROUP_OWNER and GROUP_READ_ONLY. Roles assigned when an org + API key is assigned to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have. List - of roles that the API Key needs to have + description: List of roles that the API Key needs to have. Possible + values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN + and ORG_READ_ONLY. List of roles that the API Key needs to have items: type: string type: array 
@@ -185,14 +188,17 @@ spec: type: string projectRoles: description: Roles assigned when an org API key is assigned to - a project API key. Roles assigned when an org API key is assigned - to a project API key + a project API key. Possible values are GROUP_CLUSTER_MANAGER, + GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, + GROUP_OWNER and GROUP_READ_ONLY. Roles assigned when an org + API key is assigned to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have. List - of roles that the API Key needs to have + description: List of roles that the API Key needs to have. Possible + values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN + and ORG_READ_ONLY. List of roles that the API Key needs to have items: type: string type: array @@ -463,14 +469,17 @@ spec: type: string projectRoles: description: Roles assigned when an org API key is assigned to - a project API key. Roles assigned when an org API key is assigned - to a project API key + a project API key. Possible values are GROUP_CLUSTER_MANAGER, + GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, + GROUP_OWNER and GROUP_READ_ONLY. Roles assigned when an org + API key is assigned to a project API key items: type: string type: array roles: - description: List of roles that the API Key needs to have. List - of roles that the API Key needs to have + description: List of roles that the API Key needs to have. Possible + values are ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN + and ORG_READ_ONLY. List of roles that the API Key needs to have items: type: string type: array diff --git a/package/crds/okta.vault.upbound.io_authbackends.yaml b/package/crds/okta.vault.upbound.io_authbackends.yaml index 4fdc1224..daf2ef5e 100644 --- a/package/crds/okta.vault.upbound.io_authbackends.yaml +++ b/package/crds/okta.vault.upbound.io_authbackends.yaml 
@@ -106,6 +106,34 @@ spec: path: description: path to mount the backend type: string + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array tokenSecretRef: description: The Okta API token. This is required to query Okta for user group membership. If this is not supplied only locally @@ -125,6 +153,12 @@ spec: - name - namespace type: object + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string ttl: description: Duration after which authentication will be expired type: string 
@@ -197,6 +231,40 @@ spec: path: description: path to mount the backend type: string + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string ttl: description: Duration after which authentication will be expired type: string 
@@ -468,6 +536,40 @@ spec: path: description: path to mount the backend type: string + tokenBoundCidrs: + description: Specifies the blocks of IP addresses which are allowed + to use the generated token + items: + type: string + type: array + tokenExplicitMaxTtl: + description: Generated Token's Explicit Maximum TTL in seconds + type: number + tokenMaxTtl: + description: The maximum lifetime of the generated token + type: number + tokenNoDefaultPolicy: + description: If true, the 'default' policy will not automatically + be added to generated tokens + type: boolean + tokenNumUses: + description: The maximum number of times a token may be used, + a value of zero means unlimited + type: number + tokenPeriod: + description: Generated Token's Period + type: number + tokenPolicies: + description: Generated Token's Policies + items: + type: string + type: array + tokenTtl: + description: The initial ttl of the token to generate in seconds + type: number + tokenType: + description: The type of token to generate, service or batch + type: string ttl: description: Duration after which authentication will be expired type: string diff --git a/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml b/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml index a910d047..37d98aab 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendconfigurls.yaml @@ -80,6 +80,10 @@ spec: items: type: string type: array + enableTemplating: + description: Specifies that templating of AIA fields is allowed. + Specifies that templating of AIA fields is allowed. + type: boolean issuingCertificates: description: Specifies the URL values for the Issuing Certificate field. Specifies the URL values for the Issuing Certificate 
@@ -126,6 +130,10 @@ spec: items: type: string type: array + enableTemplating: + description: Specifies that templating of AIA fields is allowed. + Specifies that templating of AIA fields is allowed. + type: boolean issuingCertificates: description: Specifies the URL values for the Issuing Certificate field. Specifies the URL values for the Issuing Certificate @@ -367,6 +375,10 @@ spec: items: type: string type: array + enableTemplating: + description: Specifies that templating of AIA fields is allowed. + Specifies that templating of AIA fields is allowed. + type: boolean id: type: string issuingCertificates: diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml index 2782170f..36397c6d 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendrootcerts.yaml @@ -661,10 +661,6 @@ spec: province: description: The province The province. type: string - serial: - description: Deprecated, use serial_number instead. The serial - number. - type: string serialNumber: description: The certificate's serial number, hex formatted. The certificate's serial number, hex formatted. diff --git a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml index 7c6ca8a4..da60165f 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendrootsignintermediates.yaml @@ -547,9 +547,6 @@ spec: revoke: description: Revoke the certificate upon resource destruction. type: boolean - serial: - description: The serial number. - type: string serialNumber: description: The certificate's serial number, hex formatted. type: string 
diff --git a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml index 60fe6a69..10aff78f 100644 --- a/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml +++ b/package/crds/pki.vault.upbound.io_secretbackendsigns.yaml @@ -531,9 +531,6 @@ spec: Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. type: boolean - serial: - description: Use serial_number instead. The serial number. - type: string serialNumber: description: The certificate's serial number, hex formatted. The certificate's serial number, hex formatted. diff --git a/package/crds/quota.vault.upbound.io_leasecounts.yaml b/package/crds/quota.vault.upbound.io_leasecounts.yaml index bf7615e2..b0839531 100644 --- a/package/crds/quota.vault.upbound.io_leasecounts.yaml +++ b/package/crds/quota.vault.upbound.io_leasecounts.yaml @@ -67,6 +67,19 @@ spec: type: string forProvider: properties: + inheritable: + description: If set to true on a quota where path is set to a + namespace, the same quota will be cumulatively applied to all + child namespace. The inheritable parameter cannot be set to + true if the path does not specify a namespace. Only the quotas + associated with the root namespace are inheritable by default. + Requires Vault 1.15+. If set to true on a quota where path is + set to a namespace, the same quota will be cumulatively applied + to all child namespace. The inheritable parameter cannot be + set to true if the path does not specify a namespace. Only the + quotas associated with the root namespace are inheritable by + default. + type: boolean maxLeases: description: The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. The maximum number 
@@ -118,6 +131,19 @@ spec: creation, for example because of an external controller is managing them, like an autoscaler. properties: + inheritable: + description: If set to true on a quota where path is set to a + namespace, the same quota will be cumulatively applied to all + child namespace. The inheritable parameter cannot be set to + true if the path does not specify a namespace. Only the quotas + associated with the root namespace are inheritable by default. + Requires Vault 1.15+. If set to true on a quota where path is + set to a namespace, the same quota will be cumulatively applied + to all child namespace. The inheritable parameter cannot be + set to true if the path does not specify a namespace. Only the + quotas associated with the root namespace are inheritable by + default. + type: boolean maxLeases: description: The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. The maximum number @@ -369,6 +395,19 @@ spec: properties: id: type: string + inheritable: + description: If set to true on a quota where path is set to a + namespace, the same quota will be cumulatively applied to all + child namespace. The inheritable parameter cannot be set to + true if the path does not specify a namespace. Only the quotas + associated with the root namespace are inheritable by default. + Requires Vault 1.15+. If set to true on a quota where path is + set to a namespace, the same quota will be cumulatively applied + to all child namespace. The inheritable parameter cannot be + set to true if the path does not specify a namespace. Only the + quotas associated with the root namespace are inheritable by + default. + type: boolean maxLeases: description: The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. The maximum number diff --git a/package/crds/quota.vault.upbound.io_ratelimits.yaml b/package/crds/quota.vault.upbound.io_ratelimits.yaml index c6d36a02..7949221c 100644 
--- a/package/crds/quota.vault.upbound.io_ratelimits.yaml +++ b/package/crds/quota.vault.upbound.io_ratelimits.yaml @@ -75,6 +75,19 @@ spec: prohibited from any further requests until after the 'block_interval' in seconds has elapsed. type: number + inheritable: + description: If set to true on a quota where path is set to a + namespace, the same quota will be cumulatively applied to all + child namespace. The inheritable parameter cannot be set to + true if the path does not specify a namespace. Only the quotas + associated with the root namespace are inheritable by default. + Requires Vault 1.15+. If set to true on a quota where path is + set to a namespace, the same quota will be cumulatively applied + to all child namespace. The inheritable parameter cannot be + set to true if the path does not specify a namespace. Only the + quotas associated with the root namespace are inheritable by + default. + type: boolean interval: description: The duration in seconds to enforce rate limiting for. The duration in seconds to enforce rate limiting for. 
@@ -138,6 +151,19 @@ spec: prohibited from any further requests until after the 'block_interval' in seconds has elapsed. type: number + inheritable: + description: If set to true on a quota where path is set to a + namespace, the same quota will be cumulatively applied to all + child namespace. The inheritable parameter cannot be set to + true if the path does not specify a namespace. Only the quotas + associated with the root namespace are inheritable by default. + Requires Vault 1.15+. If set to true on a quota where path is + set to a namespace, the same quota will be cumulatively applied + to all child namespace. The inheritable parameter cannot be + set to true if the path does not specify a namespace. Only the + quotas associated with the root namespace are inheritable by + default. + type: boolean interval: description: The duration in seconds to enforce rate limiting for. The duration in seconds to enforce rate limiting for. @@ -401,6 +427,19 @@ spec: type: number id: type: string + inheritable: + description: If set to true on a quota where path is set to a + namespace, the same quota will be cumulatively applied to all + child namespace. The inheritable parameter cannot be set to + true if the path does not specify a namespace. Only the quotas + associated with the root namespace are inheritable by default. + Requires Vault 1.15+. If set to true on a quota where path is + set to a namespace, the same quota will be cumulatively applied + to all child namespace. The inheritable parameter cannot be + set to true if the path does not specify a namespace. Only the + quotas associated with the root namespace are inheritable by + default. + type: boolean interval: description: The duration in seconds to enforce rate limiting for. The duration in seconds to enforce rate limiting for. diff --git a/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml b/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml index 9108a981..759b2858 100644 
--- a/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml +++ b/package/crds/ssh.vault.upbound.io_secretbackendcas.yaml @@ -77,6 +77,18 @@ spec: internally. Defaults to true Whether Vault should generate the signing key pair internally. type: boolean + keyBits: + description: Specifies the desired key bits for the generated + SSH CA key when generate_signing_key is set to true. Specifies + the desired key bits for the generated SSH CA key when `generate_signing_key` + is set to `true`. + type: number + keyType: + description: Specifies the desired key type for the generated + SSH CA key when generate_signing_key is set to true. Specifies + the desired key type for the generated SSH CA key when `generate_signing_key` + is set to `true`. + type: string namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The @@ -132,6 +144,18 @@ spec: internally. Defaults to true Whether Vault should generate the signing key pair internally. type: boolean + keyBits: + description: Specifies the desired key bits for the generated + SSH CA key when generate_signing_key is set to true. Specifies + the desired key bits for the generated SSH CA key when `generate_signing_key` + is set to `true`. + type: number + keyType: + description: Specifies the desired key type for the generated + SSH CA key when generate_signing_key is set to true. Specifies + the desired key type for the generated SSH CA key when `generate_signing_key` + is set to `true`. + type: string namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The 
@@ -359,6 +383,18 @@ spec: type: boolean id: type: string + keyBits: + description: Specifies the desired key bits for the generated + SSH CA key when generate_signing_key is set to true. Specifies + the desired key bits for the generated SSH CA key when `generate_signing_key` + is set to `true`. + type: number + keyType: + description: Specifies the desired key type for the generated + SSH CA key when generate_signing_key is set to true. Specifies + the desired key type for the generated SSH CA key when `generate_signing_key` + is set to `true`. + type: string namespace: description: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The diff --git a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml index 2391d922..f559641f 100644 --- a/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml +++ b/package/crds/ssh.vault.upbound.io_secretbackendroles.yaml @@ -134,13 +134,6 @@ spec: type: string type: object type: array - allowedUserKeyLengths: - additionalProperties: - type: number - description: 'Specifies a map of ssh key types and their expected - sizes which are allowed to be signed by the CA type. Deprecated: - use allowed_user_key_config instead' - type: object allowedUsers: description: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. @@ -288,13 +281,6 @@ spec: type: string type: object type: array - allowedUserKeyLengths: - additionalProperties: - type: number - description: 'Specifies a map of ssh key types and their expected - sizes which are allowed to be signed by the CA type. Deprecated: - use allowed_user_key_config instead' - type: object allowedUsers: description: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. 
@@ -644,13 +630,6 @@ spec: type: string type: object type: array - allowedUserKeyLengths: - additionalProperties: - type: number - description: 'Specifies a map of ssh key types and their expected - sizes which are allowed to be signed by the CA type. Deprecated: - use allowed_user_key_config instead' - type: object allowedUsers: description: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. diff --git a/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml b/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml index efac628e..857b2bd3 100644 --- a/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml +++ b/package/crds/terraform.vault.upbound.io_cloudsecretbackends.yaml @@ -68,7 +68,7 @@ spec: forProvider: properties: address: - description: 0.0.1:8500". + description: The default is https://app.0.0.1:8500". type: string backend: description: The unique location this backend should be mounted @@ -134,7 +134,7 @@ spec: them, like an autoscaler. properties: address: - description: 0.0.1:8500". + description: The default is https://app.0.0.1:8500". type: string backend: description: The unique location this backend should be mounted @@ -371,7 +371,7 @@ spec: atProvider: properties: address: - description: 0.0.1:8500". + description: The default is https://app.0.0.1:8500". type: string backend: description: The unique location this backend should be mounted diff --git a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml index 5f1c7a61..884e0a6a 100644 --- a/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml +++ b/package/crds/transit.vault.upbound.io_secretbackendkeys.yaml 
@@ -73,11 +73,6 @@ spec: backup of named key in the plaintext format. Once set, this cannot be disabled. type: boolean - autoRotateInterval: - description: Replaced by auto_rotate_period. Amount of time the - key should live before being automatically rotated. A value - of 0 disables automatic rotation for the key. - type: number autoRotatePeriod: description: Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation @@ -171,11 +166,6 @@ spec: backup of named key in the plaintext format. Once set, this cannot be disabled. type: boolean - autoRotateInterval: - description: Replaced by auto_rotate_period. Amount of time the - key should live before being automatically rotated. A value - of 0 disables automatic rotation for the key. - type: number autoRotatePeriod: description: Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation @@ -467,11 +457,6 @@ spec: backup of named key in the plaintext format. Once set, this cannot be disabled. type: boolean - autoRotateInterval: - description: Replaced by auto_rotate_period. Amount of time the - key should live before being automatically rotated. A value - of 0 disables automatic rotation for the key. - type: number autoRotatePeriod: description: Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation diff --git a/package/crds/vault.vault.upbound.io_mounts.yaml b/package/crds/vault.vault.upbound.io_mounts.yaml index d5b79208..7a7a42ad 100644 --- a/package/crds/vault.vault.upbound.io_mounts.yaml +++ b/package/crds/vault.vault.upbound.io_mounts.yaml 
@@ -74,6 +74,13 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow, allowing a plugin to include + them in the response. List of headers to allow and pass from + the request to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list @@ -94,6 +101,13 @@ spec: description: Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of allowed authentication mount accessors the + backend can request delegated authentication for. List of headers + to allow and pass from the request to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount Human-friendly description of the mount @@ -104,6 +118,17 @@ spec: source Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens. If not provided, this will default to Vault's OIDC default + key. The key to use for signing plugin workload identity tokens + type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not + set, behaves like hidden. Specifies whether to show this mount + in the UI-specific listing endpoint + type: string local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that 
@@ -128,10 +153,25 @@ spec: to the backend Specifies mount type specific options that are passed to the backend type: object + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin. List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. "v1.0.0". If unspecified, the server will select any matching + unversioned plugin that may have been registered, the latest + versioned plugin registered, or a built-in plugin in that order + of precedence. Specifies the semantic version of the plugin + to use, e.g. 'v1.0.0' + type: string sealWrap: description: Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by @@ -164,6 +204,13 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow, allowing a plugin to include + them in the response. List of headers to allow and pass from + the request to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list @@ -184,6 +231,13 @@ spec: description: Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of allowed authentication mount accessors the + backend can request delegated authentication for. List of headers + to allow and pass from the request to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount Human-friendly description of the mount 
@@ -194,6 +248,17 @@ spec: source Enable the secrets engine to access Vault's external entropy source type: boolean + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens. If not provided, this will default to Vault's OIDC default + key. The key to use for signing plugin workload identity tokens + type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not + set, behaves like hidden. Specifies whether to show this mount + in the UI-specific listing endpoint + type: string local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that @@ -218,10 +283,25 @@ spec: to the backend Specifies mount type specific options that are passed to the backend type: object + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin. List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. "v1.0.0". If unspecified, the server will select any matching + unversioned plugin that may have been registered, the latest + versioned plugin registered, or a built-in plugin in that order + of precedence. Specifies the semantic version of the plugin + to use, e.g. 'v1.0.0' + type: string sealWrap: description: Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by 
@@ -455,6 +535,13 @@ spec: items: type: string type: array + allowedResponseHeaders: + description: List of headers to allow, allowing a plugin to include + them in the response. List of headers to allow and pass from + the request to the plugin + items: + type: string + type: array auditNonHmacRequestKeys: description: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list @@ -475,6 +562,13 @@ spec: description: Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds type: number + delegatedAuthAccessors: + description: List of allowed authentication mount accessors the + backend can request delegated authentication for. List of headers + to allow and pass from the request to the plugin + items: + type: string + type: array description: description: Human-friendly description of the mount Human-friendly description of the mount @@ -487,6 +581,17 @@ spec: type: boolean id: type: string + identityTokenKey: + description: The key to use for signing plugin workload identity + tokens. If not provided, this will default to Vault's OIDC default + key. The key to use for signing plugin workload identity tokens + type: string + listingVisibility: + description: Specifies whether to show this mount in the UI-specific + listing endpoint. Valid values are unauth or hidden. If not + set, behaves like hidden. Specifies whether to show this mount + in the UI-specific listing endpoint + type: string local: description: Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that 
@@ -511,10 +616,25 @@ spec: to the backend Specifies mount type specific options that are passed to the backend type: object + passthroughRequestHeaders: + description: List of headers to allow and pass from the request + to the plugin. List of headers to allow and pass from the request + to the plugin + items: + type: string + type: array path: description: Where the secret backend will be mounted Where the secret backend will be mounted type: string + pluginVersion: + description: Specifies the semantic version of the plugin to use, + e.g. "v1.0.0". If unspecified, the server will select any matching + unversioned plugin that may have been registered, the latest + versioned plugin registered, or a built-in plugin in that order + of precedence. Specifies the semantic version of the plugin + to use, e.g. 'v1.0.0' + type: string sealWrap: description: Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by