SyncAwsDestinationArgs

/**
 * Arguments for a Vault `secrets.SyncAwsDestination` resource: an AWS Secrets Manager
 * destination that Vault sync operations write secrets into.
 *
 * Every parameter is optional (defaults to `null`) and wrapped in [Output]. The
 * `accessKeyId` / `secretAccessKey` pair are long-lived AWS credentials; the property
 * docs state both may be omitted and supplied to Vault through environment variables,
 * and a role to assume may be used in addition to, or instead of, the key pair.
 *
 * @property accessKeyId Access key ID used to authenticate against AWS Secrets Manager;
 *   may be omitted and provided to Vault via the `AWS_ACCESS_KEY_ID` environment variable.
 * @property customTags Custom tags set on the secret managed at the destination.
 * @property externalId Optional extra protection that must match the trust-policy
 *   condition granting access to [roleArn]; a distinct random UUID per destination is
 *   recommended. Ignored when [roleArn] is empty.
 * @property granularity Level of information synced as a distinct resource at the
 *   destination; supported values are `secret-path` and `secret-key`.
 * @property name Unique name of the AWS destination.
 * @property namespace Namespace to provision the resource in, always relative to the
 *   provider's configured namespace; must not contain leading or trailing slashes.
 * @property region Region in which the Secrets Manager entries are managed; may be
 *   omitted and provided to Vault via the `AWS_REGION` environment variable.
 * @property roleArn Role Vault assumes (using temporary STS credentials) when connecting
 *   to AWS; the role may live in a different account. Mutable only while the new role
 *   targets the same AWS account ID.
 * @property secretAccessKey Secret access key paired with [accessKeyId]; may be omitted
 *   and provided to Vault via the `AWS_SECRET_ACCESS_KEY` environment variable.
 * @property secretNameTemplate Template for generating external secret names; supports
 *   a subset of Go template syntax.
 */
data class SyncAwsDestinationArgs(val accessKeyId: Output<String>? = null, val customTags: Output<Map<String, String>>? = null, val externalId: Output<String>? = null, val granularity: Output<String>? = null, val name: Output<String>? = null, val namespace: Output<String>? = null, val region: Output<String>? = null, val roleArn: Output<String>? = null, val secretAccessKey: Output<String>? = null, val secretNameTemplate: Output<String>? = null) : ConvertibleToJava<SyncAwsDestinationArgs>

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Example: declare a Vault AWS secrets-sync destination.
// accessKeyId / secretAccessKey are not defined in this snippet — presumably read from
// Pulumi config; confirm. Per the property docs they may instead be supplied to Vault via
// the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
const aws = new vault.secrets.SyncAwsDestination("aws", {
name: "aws-dest",
accessKeyId: accessKeyId,
secretAccessKey: secretAccessKey,
region: "us-east-1",
// "role-arn" / "external-id" are placeholders. The property docs recommend a distinct
// random UUID per destination for externalId, matching the role's trust-policy condition.
roleArn: "role-arn",
externalId: "external-id",
// Go-template subset controlling the name of each secret created in AWS.
secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
customTags: {
foo: "bar",
},
});
import pulumi
import pulumi_vault as vault
# Example: declare a Vault AWS secrets-sync destination.
# access_key_id / secret_access_key are not defined in this snippet — presumably read
# from Pulumi config; confirm. Per the property docs they may instead be supplied to
# Vault via the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
aws = vault.secrets.SyncAwsDestination("aws",
name="aws-dest",
access_key_id=access_key_id,
secret_access_key=secret_access_key,
region="us-east-1",
# "role-arn" / "external-id" are placeholders; the docs recommend a distinct random UUID
# per destination for external_id, matching the role's trust-policy condition.
role_arn="role-arn",
external_id="external-id",
# Go-template subset controlling the name of each secret created in AWS.
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
custom_tags={
"foo": "bar",
})
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
// Example: declare a Vault AWS secrets-sync destination inside a Pulumi program.
return await Deployment.RunAsync(() =>
{
// accessKeyId / secretAccessKey are not defined in this snippet — presumably read from
// Pulumi config; confirm. Per the property docs they may instead be supplied to Vault
// via the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
var aws = new Vault.Secrets.SyncAwsDestination("aws", new()
{
Name = "aws-dest",
AccessKeyId = accessKeyId,
SecretAccessKey = secretAccessKey,
Region = "us-east-1",
// "role-arn" / "external-id" are placeholders; the docs recommend a distinct random
// UUID per destination for ExternalId, matching the role's trust-policy condition.
RoleArn = "role-arn",
ExternalId = "external-id",
// Go-template subset controlling the name of each secret created in AWS.
SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
CustomTags =
{
{ "foo", "bar" },
},
});
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/secrets"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a Vault AWS secrets-sync destination inside a Pulumi program.
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// accessKeyId / secretAccessKey are not defined in this snippet — presumably read from
// Pulumi config; confirm. Per the property docs they may instead be supplied to Vault
// via the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
_, err := secrets.NewSyncAwsDestination(ctx, "aws", &secrets.SyncAwsDestinationArgs{
Name: pulumi.String("aws-dest"),
AccessKeyId: pulumi.Any(accessKeyId),
SecretAccessKey: pulumi.Any(secretAccessKey),
Region: pulumi.String("us-east-1"),
// "role-arn" / "external-id" are placeholders; the docs recommend a distinct random
// UUID per destination for ExternalId, matching the role's trust-policy condition.
RoleArn: pulumi.String("role-arn"),
ExternalId: pulumi.String("external-id"),
// Go-template subset controlling the name of each secret created in AWS.
SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
CustomTags: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
// Surface the resource-creation error to pulumi.Run rather than ignoring it.
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncAwsDestination;
import com.pulumi.vault.secrets.SyncAwsDestinationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example Pulumi program that declares a Vault AWS secrets-sync destination.
 */
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/**
 * Builds the stack: one {@code SyncAwsDestination} named "aws".
 * accessKeyId / secretAccessKey are not defined in this snippet — presumably read from
 * Pulumi config; confirm. Per the property docs they may instead be supplied to Vault
 * via the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
 */
public static void stack(Context ctx) {
var aws = new SyncAwsDestination("aws", SyncAwsDestinationArgs.builder()
.name("aws-dest")
.accessKeyId(accessKeyId)
.secretAccessKey(secretAccessKey)
.region("us-east-1")
// "role-arn" / "external-id" are placeholders; the docs recommend a distinct random
// UUID per destination for externalId, matching the role's trust-policy condition.
.roleArn("role-arn")
.externalId("external-id")
// Go-template subset controlling the name of each secret created in AWS.
.secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
.customTags(Map.of("foo", "bar"))
.build());
}
}
# Example: declare a Vault AWS secrets-sync destination in Pulumi YAML.
resources:
aws:
type: vault:secrets:SyncAwsDestination
properties:
name: aws-dest
# ${accessKeyId} / ${secretAccessKey} are interpolated from values not shown in this
# snippet — presumably stack config; confirm. Per the property docs they may instead be
# supplied to Vault via the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
accessKeyId: ${accessKeyId}
secretAccessKey: ${secretAccessKey}
region: us-east-1
# role-arn / external-id are placeholders; the docs recommend a distinct random UUID
# per destination for externalId, matching the role's trust-policy condition.
roleArn: role-arn
externalId: external-id
# Go-template subset controlling the name of each secret created in AWS.
secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
customTags:
foo: bar

Import

AWS Secrets sync destinations can be imported using the name, e.g.

$ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest

Constructors

constructor(accessKeyId: Output<String>? = null, customTags: Output<Map<String, String>>? = null, externalId: Output<String>? = null, granularity: Output<String>? = null, name: Output<String>? = null, namespace: Output<String>? = null, region: Output<String>? = null, roleArn: Output<String>? = null, secretAccessKey: Output<String>? = null, secretNameTemplate: Output<String>? = null)

Properties

val accessKeyId: Output<String>? = null

Access key ID used to authenticate against the AWS secrets manager. Can be omitted and provided directly to Vault using the AWS_ACCESS_KEY_ID environment variable.

val customTags: Output<Map<String, String>>? = null

Custom tags to set on the secret managed at the destination.

val externalId: Output<String>? = null

Optional extra protection; the value must match the condition in the trust policy that grants access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by the user. The field can be changed at any time, but the new value must still satisfy the trust-relationship condition configured on AWS; otherwise sync operations will start failing with client-side access-denied errors. Ignored if the role_arn field is empty.

val granularity: Output<String>? = null

Determines what level of information is synced as a distinct resource at the destination. Supported values are secret-path and secret-key.

val name: Output<String>? = null

Unique name of the AWS destination.

val namespace: Output<String>? = null

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.

val region: Output<String>? = null

Region in which the secrets manager entries are managed. Can be omitted and provided directly to Vault using the AWS_REGION environment variable.

val roleArn: Output<String>? = null

Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID; otherwise the backend returns an error. It is possible to provide both an access key pair and a role to assume.

val secretAccessKey: Output<String>? = null

Secret access key used to authenticate against the AWS secrets manager. Can be omitted and provided directly to Vault using the AWS_SECRET_ACCESS_KEY environment variable.

val secretNameTemplate: Output<String>? = null

Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

Functions

open override fun toJava(): SyncAwsDestinationArgs