pulumi-vault-kotlin/com.pulumi.vault.pkiSecret.kotlin/SecretBackendRoleArgs

SecretBackendRoleArgs

data class SecretBackendRoleArgs(val allowAnyName: Output<Boolean>? = null, val allowBareDomains: Output<Boolean>? = null, val allowGlobDomains: Output<Boolean>? = null, val allowIpSans: Output<Boolean>? = null, val allowLocalhost: Output<Boolean>? = null, val allowSubdomains: Output<Boolean>? = null, val allowWildcardCertificates: Output<Boolean>? = null, val allowedDomains: Output<List<String>>? = null, val allowedDomainsTemplate: Output<Boolean>? = null, val allowedOtherSans: Output<List<String>>? = null, val allowedSerialNumbers: Output<List<String>>? = null, val allowedUriSans: Output<List<String>>? = null, val allowedUriSansTemplate: Output<Boolean>? = null, val allowedUserIds: Output<List<String>>? = null, val backend: Output<String>? = null, val basicConstraintsValidForNonCa: Output<Boolean>? = null, val clientFlag: Output<Boolean>? = null, val cnValidations: Output<List<String>>? = null, val codeSigningFlag: Output<Boolean>? = null, val countries: Output<List<String>>? = null, val emailProtectionFlag: Output<Boolean>? = null, val enforceHostnames: Output<Boolean>? = null, val extKeyUsageOids: Output<List<String>>? = null, val extKeyUsages: Output<List<String>>? = null, val generateLease: Output<Boolean>? = null, val issuerRef: Output<String>? = null, val keyBits: Output<Int>? = null, val keyType: Output<String>? = null, val keyUsages: Output<List<String>>? = null, val localities: Output<List<String>>? = null, val maxTtl: Output<String>? = null, val name: Output<String>? = null, val namespace: Output<String>? = null, val noStore: Output<Boolean>? = null, val noStoreMetadata: Output<Boolean>? = null, val notAfter: Output<String>? = null, val notBeforeDuration: Output<String>? = null, val organizationUnit: Output<List<String>>? = null, val organizations: Output<List<String>>? = null, val policyIdentifier: Output<List<SecretBackendRolePolicyIdentifierArgs>>? = null, val policyIdentifiers: Output<List<String>>? = null, val postalCodes: Output<List<String>>? = null, val provinces: Output<List<String>>? = null, val requireCn: Output<Boolean>? = null, val serialNumberSource: Output<String>? = null, val serverFlag: Output<Boolean>? = null, val signatureBits: Output<Int>? = null, val streetAddresses: Output<List<String>>? = null, val ttl: Output<String>? = null, val useCsrCommonName: Output<Boolean>? = null, val useCsrSans: Output<Boolean>? = null, val usePss: Output<Boolean>? = null) : ConvertibleToJava<SecretBackendRoleArgs>

Creates a role on an PKI Secret Backend for Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const pki = new vault.Mount("pki", {
    path: "pki",
    type: "pki",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});
const role = new vault.pkisecret.SecretBackendRole("role", {
    backend: pki.path,
    name: "my_role",
    ttl: "3600",
    allowIpSans: true,
    keyType: "rsa",
    keyBits: 4096,
    allowedDomains: [
        "example.com",
        "my.domain",
    ],
    allowSubdomains: true,
});
Content copied to clipboard
import pulumi
import pulumi_vault as vault
pki = vault.Mount("pki",
    path="pki",
    type="pki",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400)
role = vault.pki_secret.SecretBackendRole("role",
    backend=pki.path,
    name="my_role",
    ttl="3600",
    allow_ip_sans=True,
    key_type="rsa",
    key_bits=4096,
    allowed_domains=[
        "example.com",
        "my.domain",
    ],
    allow_subdomains=True)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var pki = new Vault.Mount("pki", new()
    {
        Path = "pki",
        Type = "pki",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    });
    var role = new Vault.PkiSecret.SecretBackendRole("role", new()
    {
        Backend = pki.Path,
        Name = "my_role",
        Ttl = "3600",
        AllowIpSans = true,
        KeyType = "rsa",
        KeyBits = 4096,
        AllowedDomains = new[]
        {
            "example.com",
            "my.domain",
        },
        AllowSubdomains = true,
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
			Path:                   pulumi.String("pki"),
			Type:                   pulumi.String("pki"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}
		_, err = pkisecret.NewSecretBackendRole(ctx, "role", &pkisecret.SecretBackendRoleArgs{
			Backend:     pki.Path,
			Name:        pulumi.String("my_role"),
			Ttl:         pulumi.String("3600"),
			AllowIpSans: pulumi.Bool(true),
			KeyType:     pulumi.String("rsa"),
			KeyBits:     pulumi.Int(4096),
			AllowedDomains: pulumi.StringArray{
				pulumi.String("example.com"),
				pulumi.String("my.domain"),
			},
			AllowSubdomains: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var pki = new Mount("pki", MountArgs.builder()
            .path("pki")
            .type("pki")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());
        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(pki.path())
            .name("my_role")
            .ttl("3600")
            .allowIpSans(true)
            .keyType("rsa")
            .keyBits(4096)
            .allowedDomains(
                "example.com",
                "my.domain")
            .allowSubdomains(true)
            .build());
    }
}
Content copied to clipboard
resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
Content copied to clipboard

Import

PKI secret backend roles can be imported using the path, e.g.

$ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role
Content copied to clipboard

Constructors

Link copied to clipboard
constructor(allowAnyName: Output<Boolean>? = null, allowBareDomains: Output<Boolean>? = null, allowGlobDomains: Output<Boolean>? = null, allowIpSans: Output<Boolean>? = null, allowLocalhost: Output<Boolean>? = null, allowSubdomains: Output<Boolean>? = null, allowWildcardCertificates: Output<Boolean>? = null, allowedDomains: Output<List<String>>? = null, allowedDomainsTemplate: Output<Boolean>? = null, allowedOtherSans: Output<List<String>>? = null, allowedSerialNumbers: Output<List<String>>? = null, allowedUriSans: Output<List<String>>? = null, allowedUriSansTemplate: Output<Boolean>? = null, allowedUserIds: Output<List<String>>? = null, backend: Output<String>? = null, basicConstraintsValidForNonCa: Output<Boolean>? = null, clientFlag: Output<Boolean>? = null, cnValidations: Output<List<String>>? = null, codeSigningFlag: Output<Boolean>? = null, countries: Output<List<String>>? = null, emailProtectionFlag: Output<Boolean>? = null, enforceHostnames: Output<Boolean>? = null, extKeyUsageOids: Output<List<String>>? = null, extKeyUsages: Output<List<String>>? = null, generateLease: Output<Boolean>? = null, issuerRef: Output<String>? = null, keyBits: Output<Int>? = null, keyType: Output<String>? = null, keyUsages: Output<List<String>>? = null, localities: Output<List<String>>? = null, maxTtl: Output<String>? = null, name: Output<String>? = null, namespace: Output<String>? = null, noStore: Output<Boolean>? = null, noStoreMetadata: Output<Boolean>? = null, notAfter: Output<String>? = null, notBeforeDuration: Output<String>? = null, organizationUnit: Output<List<String>>? = null, organizations: Output<List<String>>? = null, policyIdentifier: Output<List<SecretBackendRolePolicyIdentifierArgs>>? = null, policyIdentifiers: Output<List<String>>? = null, postalCodes: Output<List<String>>? = null, provinces: Output<List<String>>? = null, requireCn: Output<Boolean>? = null, serialNumberSource: Output<String>? = null, serverFlag: Output<Boolean>? = null, signatureBits: Output<Int>? = null, streetAddresses: Output<List<String>>? = null, ttl: Output<String>? = null, useCsrCommonName: Output<Boolean>? = null, useCsrSans: Output<Boolean>? = null, usePss: Output<Boolean>? = null)

Properties

Link copied to clipboard
val allowAnyName: Output<Boolean>? = null

Flag to allow any name

Link copied to clipboard
val allowBareDomains: Output<Boolean>? = null

Flag to allow certificates matching the actual domain

Link copied to clipboard
val allowedDomains: Output<List<String>>? = null

List of allowed domains for certificates

Link copied to clipboard
val allowedDomainsTemplate: Output<Boolean>? = null

Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.

Link copied to clipboard
val allowedOtherSans: Output<List<String>>? = null

Defines allowed custom SANs

Link copied to clipboard
val allowedSerialNumbers: Output<List<String>>? = null

An array of allowed serial numbers to put in Subject

Link copied to clipboard
val allowedUriSans: Output<List<String>>? = null

Defines allowed URI SANs

Link copied to clipboard
val allowedUriSansTemplate: Output<Boolean>? = null

Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.

Link copied to clipboard
val allowedUserIds: Output<List<String>>? = null

Defines allowed User IDs

Link copied to clipboard
val allowGlobDomains: Output<Boolean>? = null

Flag to allow names containing glob patterns.

Link copied to clipboard
val allowIpSans: Output<Boolean>? = null

Flag to allow IP SANs

Link copied to clipboard
val allowLocalhost: Output<Boolean>? = null

Flag to allow certificates for localhost

Link copied to clipboard
val allowSubdomains: Output<Boolean>? = null

Flag to allow certificates matching subdomains

Link copied to clipboard
val allowWildcardCertificates: Output<Boolean>? = null

Flag to allow wildcard certificates.

Link copied to clipboard
val backend: Output<String>? = null

The path the PKI secret backend is mounted at, with no leading or trailing /s.

Link copied to clipboard
val basicConstraintsValidForNonCa: Output<Boolean>? = null

Flag to mark basic constraints valid when issuing non-CA certificates

Link copied to clipboard
val clientFlag: Output<Boolean>? = null

Flag to specify certificates for client use

Link copied to clipboard
val cnValidations: Output<List<String>>? = null

Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled

Link copied to clipboard
val codeSigningFlag: Output<Boolean>? = null

Flag to specify certificates for code signing use

Link copied to clipboard
val countries: Output<List<String>>? = null

The country of generated certificates

Link copied to clipboard
val emailProtectionFlag: Output<Boolean>? = null

Flag to specify certificates for email protection use

Link copied to clipboard
val enforceHostnames: Output<Boolean>? = null

Flag to allow only valid host names

Link copied to clipboard
val extKeyUsageOids: Output<List<String>>? = null

Specify the allowed extended key usage OIDs constraint on issued certificates

Link copied to clipboard
val extKeyUsages: Output<List<String>>? = null

Specify the allowed extended key usage constraint on issued certificates

Link copied to clipboard
val generateLease: Output<Boolean>? = null

Flag to generate leases with certificates

Link copied to clipboard
val issuerRef: Output<String>? = null

Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.

Link copied to clipboard
val keyBits: Output<Int>? = null

The number of bits of generated keys

Link copied to clipboard
val keyType: Output<String>? = null

The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa

Link copied to clipboard
val keyUsages: Output<List<String>>? = null

Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].

Link copied to clipboard
val localities: Output<List<String>>? = null

The locality of generated certificates

Link copied to clipboard
val maxTtl: Output<String>? = null

The maximum lease TTL, in seconds, for the role.

Link copied to clipboard
val name: Output<String>? = null

The name to identify this role within the backend. Must be unique within the backend.

Link copied to clipboard
val namespace: Output<String>? = null

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Link copied to clipboard
val noStore: Output<Boolean>? = null

Flag to not store certificates in the storage backend

Link copied to clipboard
val noStoreMetadata: Output<Boolean>? = null

Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs

Link copied to clipboard
val notAfter: Output<String>? = null

Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.

Link copied to clipboard
val notBeforeDuration: Output<String>? = null

Specifies the duration by which to backdate the NotBefore property.

Link copied to clipboard
val organizations: Output<List<String>>? = null

The organization of generated certificates

Link copied to clipboard
val organizationUnit: Output<List<String>>? = null

The organization unit of generated certificates

Link copied to clipboard
val policyIdentifier: Output<List<SecretBackendRolePolicyIdentifierArgs>>? = null

(Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:

Link copied to clipboard
val policyIdentifiers: Output<List<String>>? = null

Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead

Link copied to clipboard
val postalCodes: Output<List<String>>? = null

The postal code of generated certificates

Link copied to clipboard
val provinces: Output<List<String>>? = null

The province of generated certificates

Link copied to clipboard
val requireCn: Output<Boolean>? = null

Flag to force CN usage

Link copied to clipboard
val serialNumberSource: Output<String>? = null

Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior. Example usage:

Link copied to clipboard
val serverFlag: Output<Boolean>? = null

Flag to specify certificates for server use

Link copied to clipboard
val signatureBits: Output<Int>? = null

The number of bits to use in the signature algorithm

Link copied to clipboard
val streetAddresses: Output<List<String>>? = null

The street address of generated certificates

Link copied to clipboard
val ttl: Output<String>? = null

The TTL, in seconds, for any certificate issued against this role.

Link copied to clipboard
val useCsrCommonName: Output<Boolean>? = null

Flag to use the CN in the CSR

Link copied to clipboard
val useCsrSans: Output<Boolean>? = null

Flag to use the SANs in the CSR

Link copied to clipboard
val usePss: Output<Boolean>? = null

Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

Functions

Link copied to clipboard
open override fun toJava(): SecretBackendRoleArgs