Backend
Allows setting the ACME server configuration used by specified mount.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const pki = new vault.Mount("pki", {
path: "pki",
type: "pki",
defaultLeaseTtlSeconds: 3600,
maxLeaseTtlSeconds: 86400,
});
const pkiConfigCluster = new vault.pkisecret.BackendConfigCluster("pki_config_cluster", {
backend: pki.path,
path: "http://127.0.0.1:8200/v1/pki",
aiaPath: "http://127.0.0.1:8200/v1/pki",
});
const example = new vault.pkisecret.BackendConfigAcme("example", {
backend: pki.path,
enabled: true,
allowedIssuers: ["*"],
allowedRoles: ["*"],
allowRoleExtKeyUsage: false,
defaultDirectoryPolicy: "sign-verbatim",
dnsResolver: "",
eabPolicy: "not-required",
});Content copied to clipboard
import pulumi
import pulumi_vault as vault
pki = vault.Mount("pki",
path="pki",
type="pki",
default_lease_ttl_seconds=3600,
max_lease_ttl_seconds=86400)
pki_config_cluster = vault.pki_secret.BackendConfigCluster("pki_config_cluster",
backend=pki.path,
path="http://127.0.0.1:8200/v1/pki",
aia_path="http://127.0.0.1:8200/v1/pki")
example = vault.pki_secret.BackendConfigAcme("example",
backend=pki.path,
enabled=True,
allowed_issuers=["*"],
allowed_roles=["*"],
allow_role_ext_key_usage=False,
default_directory_policy="sign-verbatim",
dns_resolver="",
eab_policy="not-required")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var pki = new Vault.Mount("pki", new()
{
Path = "pki",
Type = "pki",
DefaultLeaseTtlSeconds = 3600,
MaxLeaseTtlSeconds = 86400,
});
var pkiConfigCluster = new Vault.PkiSecret.BackendConfigCluster("pki_config_cluster", new()
{
Backend = pki.Path,
Path = "http://127.0.0.1:8200/v1/pki",
AiaPath = "http://127.0.0.1:8200/v1/pki",
});
var example = new Vault.PkiSecret.BackendConfigAcme("example", new()
{
Backend = pki.Path,
Enabled = true,
AllowedIssuers = new[]
{
"*",
},
AllowedRoles = new[]
{
"*",
},
AllowRoleExtKeyUsage = false,
DefaultDirectoryPolicy = "sign-verbatim",
DnsResolver = "",
EabPolicy = "not-required",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
Path: pulumi.String("pki"),
Type: pulumi.String("pki"),
DefaultLeaseTtlSeconds: pulumi.Int(3600),
MaxLeaseTtlSeconds: pulumi.Int(86400),
})
if err != nil {
return err
}
_, err = pkisecret.NewBackendConfigCluster(ctx, "pki_config_cluster", &pkisecret.BackendConfigClusterArgs{
Backend: pki.Path,
Path: pulumi.String("http://127.0.0.1:8200/v1/pki"),
AiaPath: pulumi.String("http://127.0.0.1:8200/v1/pki"),
})
if err != nil {
return err
}
_, err = pkisecret.NewBackendConfigAcme(ctx, "example", &pkisecret.BackendConfigAcmeArgs{
Backend: pki.Path,
Enabled: pulumi.Bool(true),
AllowedIssuers: pulumi.StringArray{
pulumi.String("*"),
},
AllowedRoles: pulumi.StringArray{
pulumi.String("*"),
},
AllowRoleExtKeyUsage: pulumi.Bool(false),
DefaultDirectoryPolicy: pulumi.String("sign-verbatim"),
DnsResolver: pulumi.String(""),
EabPolicy: pulumi.String("not-required"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.BackendConfigCluster;
import com.pulumi.vault.pkiSecret.BackendConfigClusterArgs;
import com.pulumi.vault.pkiSecret.BackendConfigAcme;
import com.pulumi.vault.pkiSecret.BackendConfigAcmeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pki = new Mount("pki", MountArgs.builder()
.path("pki")
.type("pki")
.defaultLeaseTtlSeconds(3600)
.maxLeaseTtlSeconds(86400)
.build());
var pkiConfigCluster = new BackendConfigCluster("pkiConfigCluster", BackendConfigClusterArgs.builder()
.backend(pki.path())
.path("http://127.0.0.1:8200/v1/pki")
.aiaPath("http://127.0.0.1:8200/v1/pki")
.build());
var example = new BackendConfigAcme("example", BackendConfigAcmeArgs.builder()
.backend(pki.path())
.enabled(true)
.allowedIssuers("*")
.allowedRoles("*")
.allowRoleExtKeyUsage(false)
.defaultDirectoryPolicy("sign-verbatim")
.dnsResolver("")
.eabPolicy("not-required")
.build());
}
}Content copied to clipboard
resources:
pki:
type: vault:Mount
properties:
path: pki
type: pki
defaultLeaseTtlSeconds: 3600
maxLeaseTtlSeconds: 86400
pkiConfigCluster:
type: vault:pkiSecret:BackendConfigCluster
name: pki_config_cluster
properties:
backend: ${pki.path}
path: http://127.0.0.1:8200/v1/pki
aiaPath: http://127.0.0.1:8200/v1/pki
example:
type: vault:pkiSecret:BackendConfigAcme
properties:
backend: ${pki.path}
enabled: true
allowedIssuers:
- '*'
allowedRoles:
- '*'
allowRoleExtKeyUsage: false
defaultDirectoryPolicy: sign-verbatim
dnsResolver: ""
eabPolicy: not-requiredContent copied to clipboard
Import
The ACME configuration can be imported using the resource's id. In the case of the example above the id would be pki/config/acme, where the pki component is the resource's backend, e.g.
$ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acmeContent copied to clipboard
Properties
Link copied to clipboard
Specifies which issuers are allowed for use with ACME.
Link copied to clipboard
Specifies which roles are allowed for use with ACME.
Link copied to clipboard
Specifies whether the ExtKeyUsage field from a role is used. Vault 1.14.1+
Link copied to clipboard
Specifies the policy to be used for non-role-qualified ACME requests. Allowed values are forbid, sign-verbatim, role:<role_name>, external-policy or external-policy:<policy>.
Link copied to clipboard
DNS resolver to use for domain resolution on this mount. Must be in the format <host>:<port>, with both parts mandatory.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard