pulumi-vault-kotlin/com.pulumi.vault.pkiSecret.kotlin/SecretBackendRole

SecretBackendRole

class SecretBackendRole : KotlinCustomResource

Creates a role on an PKI Secret Backend for Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const pki = new vault.Mount("pki", {
    path: "pki",
    type: "pki",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});
const role = new vault.pkisecret.SecretBackendRole("role", {
    backend: pki.path,
    name: "my_role",
    ttl: "3600",
    allowIpSans: true,
    keyType: "rsa",
    keyBits: 4096,
    allowedDomains: [
        "example.com",
        "my.domain",
    ],
    allowSubdomains: true,
});

import pulumi
import pulumi_vault as vault
pki = vault.Mount("pki",
    path="pki",
    type="pki",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400)
role = vault.pki_secret.SecretBackendRole("role",
    backend=pki.path,
    name="my_role",
    ttl="3600",
    allow_ip_sans=True,
    key_type="rsa",
    key_bits=4096,
    allowed_domains=[
        "example.com",
        "my.domain",
    ],
    allow_subdomains=True)

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var pki = new Vault.Mount("pki", new()
    {
        Path = "pki",
        Type = "pki",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    });
    var role = new Vault.PkiSecret.SecretBackendRole("role", new()
    {
        Backend = pki.Path,
        Name = "my_role",
        Ttl = "3600",
        AllowIpSans = true,
        KeyType = "rsa",
        KeyBits = 4096,
        AllowedDomains = new[]
        {
            "example.com",
            "my.domain",
        },
        AllowSubdomains = true,
    });
});

package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
			Path:                   pulumi.String("pki"),
			Type:                   pulumi.String("pki"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}
		_, err = pkisecret.NewSecretBackendRole(ctx, "role", &pkisecret.SecretBackendRoleArgs{
			Backend:     pki.Path,
			Name:        pulumi.String("my_role"),
			Ttl:         pulumi.String("3600"),
			AllowIpSans: pulumi.Bool(true),
			KeyType:     pulumi.String("rsa"),
			KeyBits:     pulumi.Int(4096),
			AllowedDomains: pulumi.StringArray{
				pulumi.String("example.com"),
				pulumi.String("my.domain"),
			},
			AllowSubdomains: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var pki = new Mount("pki", MountArgs.builder()
            .path("pki")
            .type("pki")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());
        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(pki.path())
            .name("my_role")
            .ttl("3600")
            .allowIpSans(true)
            .keyType("rsa")
            .keyBits(4096)
            .allowedDomains(
                "example.com",
                "my.domain")
            .allowSubdomains(true)
            .build());
    }
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true

Import

PKI secret backend roles can be imported using the path, e.g.

$ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role

Properties

allowAnyName

val allowAnyName: Output<Boolean>?

Flag to allow any name

allowBareDomains

val allowBareDomains: Output<Boolean>?

Flag to allow certificates matching the actual domain

allowedDomains

val allowedDomains: Output<List<String>>?

List of allowed domains for certificates

allowedDomainsTemplate

val allowedDomainsTemplate: Output<Boolean>?

Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.

allowedOtherSans

val allowedOtherSans: Output<List<String>>?

Defines allowed custom SANs

allowedSerialNumbers

val allowedSerialNumbers: Output<List<String>>?

An array of allowed serial numbers to put in Subject

allowedUriSans

val allowedUriSans: Output<List<String>>?

Defines allowed URI SANs

allowedUriSansTemplate

val allowedUriSansTemplate: Output<Boolean>

Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.

allowedUserIds

val allowedUserIds: Output<List<String>>?

Defines allowed User IDs

allowGlobDomains

val allowGlobDomains: Output<Boolean>?

Flag to allow names containing glob patterns.

allowIpSans

val allowIpSans: Output<Boolean>?

Flag to allow IP SANs

allowLocalhost

val allowLocalhost: Output<Boolean>?

Flag to allow certificates for localhost

allowSubdomains

val allowSubdomains: Output<Boolean>?

Flag to allow certificates matching subdomains

allowWildcardCertificates

val allowWildcardCertificates: Output<Boolean>?

Flag to allow wildcard certificates.

backend

val backend: Output<String>

The path the PKI secret backend is mounted at, with no leading or trailing /s.

basicConstraintsValidForNonCa

val basicConstraintsValidForNonCa: Output<Boolean>?

Flag to mark basic constraints valid when issuing non-CA certificates

clientFlag

val clientFlag: Output<Boolean>?

Flag to specify certificates for client use

cnValidations

val cnValidations: Output<List<String>>

Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled

codeSigningFlag

val codeSigningFlag: Output<Boolean>?

Flag to specify certificates for code signing use

countries

val countries: Output<List<String>>?

The country of generated certificates

emailProtectionFlag

val emailProtectionFlag: Output<Boolean>?

Flag to specify certificates for email protection use

enforceHostnames

val enforceHostnames: Output<Boolean>?

Flag to allow only valid host names

extKeyUsageOids

val extKeyUsageOids: Output<List<String>>?

Specify the allowed extended key usage OIDs constraint on issued certificates

extKeyUsages

val extKeyUsages: Output<List<String>>?

Specify the allowed extended key usage constraint on issued certificates

generateLease

val generateLease: Output<Boolean>?

Flag to generate leases with certificates

val id: Output<String>

issuerRef

val issuerRef: Output<String>

Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.

keyBits

val keyBits: Output<Int>?

The number of bits of generated keys

keyType

val keyType: Output<String>?

The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa

keyUsages

val keyUsages: Output<List<String>>

Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].

localities

val localities: Output<List<String>>?

The locality of generated certificates

maxTtl

val maxTtl: Output<String>

The maximum lease TTL, in seconds, for the role.

name

val name: Output<String>

The name to identify this role within the backend. Must be unique within the backend.

namespace

val namespace: Output<String>?

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

noStore

val noStore: Output<Boolean>?

Flag to not store certificates in the storage backend

noStoreMetadata

val noStoreMetadata: Output<Boolean>?

Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs

notAfter

val notAfter: Output<String>?

Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.

notBeforeDuration

val notBeforeDuration: Output<String>

Specifies the duration by which to backdate the NotBefore property.

organizations

val organizations: Output<List<String>>?

The organization of generated certificates

organizationUnit

val organizationUnit: Output<List<String>>?

The organization unit of generated certificates

policyIdentifier

val policyIdentifier: Output<List<SecretBackendRolePolicyIdentifier>>?

(Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:

policyIdentifiers

val policyIdentifiers: Output<List<String>>?

Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead

postalCodes

val postalCodes: Output<List<String>>?

The postal code of generated certificates

provinces

val provinces: Output<List<String>>?

The province of generated certificates

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

requireCn

val requireCn: Output<Boolean>?

Flag to force CN usage

serialNumberSource

val serialNumberSource: Output<String>

Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior. Example usage:

serverFlag

val serverFlag: Output<Boolean>?

Flag to specify certificates for server use

signatureBits

val signatureBits: Output<Int>

The number of bits to use in the signature algorithm

streetAddresses