Backend Config Auto Tidy Args
Allows setting the Auto Tidy configuration on a PKI Secret Backend
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Mount a PKI secrets engine and switch on Vault's auto-tidy for it.
// Auto-tidy prunes expired entries from the certificate store on a schedule
// instead of letting backend storage grow without bound.
const pkiMount = new vault.Mount("pki", {
    path: "pki",
    type: "pki",
    defaultLeaseTtlSeconds: 3600, // 1 hour
    maxLeaseTtlSeconds: 86400,    // 24 hours
});

// Tidy settings for the mount above. `backend` is bound to the mount's path
// output, so Pulumi creates this resource only after the mount exists.
// Only the certificate store is tidied here; any field not set (the safety
// buffers, issuer tidying, ...) falls back to the provider/Vault defaults.
const autoTidyArgs: vault.pkisecret.BackendConfigAutoTidyArgs = {
    backend: pkiMount.path,
    enabled: true,
    tidyCertStore: true,
    intervalDuration: "1h",
};
const test = new vault.pkisecret.BackendConfigAutoTidy("test", autoTidyArgs);
import pulumi
import pulumi_vault as vault
# Mount a PKI secrets engine and switch on Vault's auto-tidy for it.
# Auto-tidy prunes expired entries from the certificate store on a schedule
# instead of letting backend storage grow without bound.
pki_mount = vault.Mount(
    "pki",
    path="pki",
    type="pki",
    default_lease_ttl_seconds=3600,  # 1 hour
    max_lease_ttl_seconds=86400,  # 24 hours
)

# Tidy settings for the mount above. `backend` is bound to the mount's path
# output, so Pulumi creates this resource only after the mount exists.
# Only the certificate store is tidied here; fields not set (the safety
# buffers, issuer tidying, ...) fall back to the provider/Vault defaults.
auto_tidy_settings = {
    "backend": pki_mount.path,
    "enabled": True,
    "tidy_cert_store": True,
    "interval_duration": "1h",
}
test = vault.pki_secret.BackendConfigAutoTidy("test", **auto_tidy_settings)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
// Mount a PKI secrets engine and switch on Vault's auto-tidy for it.
// Auto-tidy prunes expired entries from the certificate store on a schedule
// instead of letting backend storage grow without bound.
return await Deployment.RunAsync(() =>
{
    var pkiMount = new Vault.Mount("pki", new Vault.MountArgs
    {
        Path = "pki",
        Type = "pki",
        DefaultLeaseTtlSeconds = 3600, // 1 hour
        MaxLeaseTtlSeconds = 86400,    // 24 hours
    });

    // Tidy settings for the mount above. Backend is bound to the mount's Path
    // output, so Pulumi creates this resource only after the mount exists.
    // Only the certificate store is tidied here; properties not set (the
    // safety buffers, issuer tidying, ...) fall back to the provider/Vault defaults.
    var autoTidyArgs = new Vault.PkiSecret.BackendConfigAutoTidyArgs
    {
        Backend = pkiMount.Path,
        Enabled = true,
        TidyCertStore = true,
        IntervalDuration = "1h",
    };
    var autoTidy = new Vault.PkiSecret.BackendConfigAutoTidy("test", autoTidyArgs);
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main mounts a PKI secrets engine and switches on Vault's auto-tidy for it.
// Auto-tidy prunes expired entries from the certificate store on a schedule
// instead of letting backend storage grow without bound.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		mountArgs := &vault.MountArgs{
			Path:                   pulumi.String("pki"),
			Type:                   pulumi.String("pki"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),  // 1 hour
			MaxLeaseTtlSeconds:     pulumi.Int(86400), // 24 hours
		}
		pkiMount, err := vault.NewMount(ctx, "pki", mountArgs)
		if err != nil {
			return err
		}

		// Tidy settings for the mount above. Backend is bound to the mount's
		// Path output, so Pulumi creates this resource only after the mount
		// exists. Only the certificate store is tidied here; fields not set
		// (the safety buffers, issuer tidying, ...) fall back to the
		// provider/Vault defaults.
		tidyArgs := &pkisecret.BackendConfigAutoTidyArgs{
			Backend:          pkiMount.Path,
			Enabled:          pulumi.Bool(true),
			TidyCertStore:    pulumi.Bool(true),
			IntervalDuration: pulumi.String("1h"),
		}
		if _, err := pkisecret.NewBackendConfigAutoTidy(ctx, "test", tidyArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.BackendConfigAutoTidy;
import com.pulumi.vault.pkiSecret.BackendConfigAutoTidyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Mounts a PKI secrets engine and switches on Vault's auto-tidy for it.
 * Auto-tidy prunes expired entries from the certificate store on a schedule
 * instead of letting backend storage grow without bound.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the PKI mount and its auto-tidy configuration. */
    public static void stack(Context ctx) {
        var mountArgs = MountArgs.builder()
            .path("pki")
            .type("pki")
            .defaultLeaseTtlSeconds(3600) // 1 hour
            .maxLeaseTtlSeconds(86400)    // 24 hours
            .build();
        var pkiMount = new Mount("pki", mountArgs);

        // Tidy settings for the mount above. backend is bound to the mount's
        // path output, so Pulumi creates this resource only after the mount
        // exists. Only the certificate store is tidied here; fields not set
        // (the safety buffers, issuer tidying, ...) fall back to the
        // provider/Vault defaults.
        var tidyArgs = BackendConfigAutoTidyArgs.builder()
            .backend(pkiMount.path())
            .enabled(true)
            .tidyCertStore(true)
            .intervalDuration("1h")
            .build();
        var autoTidy = new BackendConfigAutoTidy("test", tidyArgs);
    }
}
resources:
  # Mount a PKI secrets engine.
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600 # 1 hour
      maxLeaseTtlSeconds: 86400    # 24 hours
  # Auto-tidy settings for the mount above. backend references the mount's
  # path output, so this resource is created only after the mount exists.
  # Only the certificate store is tidied here; properties not set (the
  # safety buffers, issuer tidying, ...) fall back to the provider/Vault defaults.
  test:
    type: vault:pkiSecret:BackendConfigAutoTidy
    properties:
      backend: ${pki.path}
      enabled: true
      tidyCertStore: true
      intervalDuration: 1h
Constructors
Properties
The amount of time that must pass after creation before an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.
Interval at which to run an auto-tidy operation. This is the time between tidy invocations (after one finishes to the start of the next).
The amount of extra time that must have passed beyond issuer's expiration before it is removed from the backend storage.
This configures whether stored certificates are counted upon initialization of the backend, and whether, during normal operation, a running count of stored certificates is maintained.
The maximum amount of time auto-tidy will be delayed after startup.
The minimum amount of time auto-tidy will be delayed after startup.
The amount of time to wait between processing certificates.
This configures whether the stored certificate count is published to the metrics consumer.
The amount of time that must pass from the cross-cluster revocation request being initiated to when it will be slated for removal.
The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list.
Set to true to enable tidying up certificate metadata.
Set to true to enable tidying up the certificate store.
Set to true to enable tidying up the CMPv2 nonce store.
Set to true to enable tidying up the cross-cluster revoked certificate store.
Set to true to automatically remove expired issuers past the `issuer_safety_buffer`. No keys will be removed as part of this operation.
Set to true to move the legacy `ca_bundle` from `/config/ca_bundle` to `/config/ca_bundle.bak`.
Set to true to remove stale revocation queue entries that haven't been confirmed by any active cluster.
Set to true to validate issuer associations on revocation entries. This helps increase the performance of CRL building and OCSP responses.
Set to true to remove all invalid and expired certificates from storage. A revoked storage entry is considered invalid if the entry is empty, or the value within the entry is empty. If a certificate is removed due to expiry, the entry will also be removed from the CRL, and the CRL will be rotated.