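import * as pulumi from "@pulumi/pulumi";

/**
 * Provides a resource to create a role in a [Cert auth backend within Vault](https://www.vaultproject.io/docs/auth/cert.html).
 *
 * A role ties together two things: which client certificates may log in (the trusted
 * CA in `certificate`, narrowed by the `allowed*` / `requiredExtensions` constraints)
 * and what Vault token is issued on a successful login (the `token*` fields).
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as std from "@pulumi/std";
 * import * as vault from "@pulumi/vault";
 *
 * const cert = new vault.AuthBackend("cert", {
 *     path: "cert",
 *     type: "cert",
 * });
 * const certCertAuthBackendRole = new vault.CertAuthBackendRole("cert", {
 *     name: "foo",
 *     certificate: std.file({
 *         input: "/path/to/certs/ca-cert.pem",
 *     }).then(invoke => invoke.result),
 *     backend: cert.path,
 *     allowedNames: [
 *         "foo.example.org",
 *         "baz.example.org",
 *     ],
 *     tokenTtl: 300,
 *     tokenMaxTtl: 600,
 *     tokenPolicies: ["foo"],
 * });
 * ```
 */
export declare class CertAuthBackendRole extends pulumi.CustomResource {
    /**
     * Get an existing CertAuthBackendRole resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertAuthBackendRoleState, opts?: pulumi.CustomResourceOptions): CertAuthBackendRole;

    /**
     * Returns true if the given object is an instance of CertAuthBackendRole. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is CertAuthBackendRole;

    /**
     * Allowed common names for authenticated client certificates.
     */
    readonly allowedCommonNames: pulumi.Output<string[] | undefined>;
    /**
     * Allowed alternative DNS names for authenticated client certificates.
     */
    readonly allowedDnsSans: pulumi.Output<string[] | undefined>;
    /**
     * Allowed emails for authenticated client certificates.
     */
    readonly allowedEmailSans: pulumi.Output<string[] | undefined>;
    /**
     * DEPRECATED: Please use the individual `allowed_X_sans` parameters instead.
     * Allowed subject names for authenticated client certificates.
     */
    readonly allowedNames: pulumi.Output<string[] | undefined>;
    /**
     * Allowed organization units for authenticated client certificates.
     */
    readonly allowedOrganizationalUnits: pulumi.Output<string[] | undefined>;
    /**
     * Allowed URIs for authenticated client certificates.
     */
    readonly allowedUriSans: pulumi.Output<string[] | undefined>;
    /**
     * Path to the mounted Cert auth backend.
     */
    readonly backend: pulumi.Output<string | undefined>;
    /**
     * CA certificate used to validate client certificates.
     * Presented certificates must chain to this CA; the `allowed*` and
     * `requiredExtensions` fields further restrict which of those certificates may log in.
     */
    readonly certificate: pulumi.Output<string>;
    /**
     * The name to display on tokens issued under this role.
     */
    readonly displayName: pulumi.Output<string | undefined>;
    /**
     * Name of the role.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    readonly namespace: pulumi.Output<string | undefined>;
    /**
     * Any additional CA certificates
     * needed to verify OCSP responses. Provided as base64 encoded PEM data.
     * Requires Vault version 1.13+.
     */
    readonly ocspCaCertificates: pulumi.Output<string | undefined>;
    /**
     * If enabled, validate certificates'
     * revocation status using OCSP. Requires Vault version 1.13+.
     */
    readonly ocspEnabled: pulumi.Output<boolean | undefined>;
    /**
     * If true and an OCSP response cannot
     * be fetched or is of an unknown status, the login will proceed as if the
     * certificate has not been revoked.
     * Requires Vault version 1.13+.
     *
     * Fail-open trades revocation enforcement for availability: while the OCSP
     * responder is unreachable, a revoked certificate can still authenticate.
     */
    readonly ocspFailOpen: pulumi.Output<boolean | undefined>;
    /**
     * If set to true, rather than
     * accepting the first successful OCSP response, query all servers and consider
     * the certificate valid only if all servers agree.
     * Requires Vault version 1.13+.
     */
    readonly ocspQueryAllServers: pulumi.Output<boolean | undefined>;
    /**
     * A comma-separated list of OCSP
     * server addresses. If unset, the OCSP server is determined from the
     * AuthorityInformationAccess extension on the certificate being inspected.
     * Requires Vault version 1.13+.
     *
     * When set, revocation status comes from these endpoints instead of the one
     * named in the certificate, so they must be trusted and reachable.
     */
    readonly ocspServersOverrides: pulumi.Output<string[] | undefined>;
    /**
     * TLS extensions required on
     * client certificates.
     */
    readonly requiredExtensions: pulumi.Output<string[] | undefined>;
    /**
     * Specifies the blocks of IP addresses which are allowed to use the generated token.
     */
    readonly tokenBoundCidrs: pulumi.Output<string[] | undefined>;
    /**
     * Generated Token's Explicit Maximum TTL in seconds.
     */
    readonly tokenExplicitMaxTtl: pulumi.Output<number | undefined>;
    /**
     * The maximum lifetime of the generated token.
     */
    readonly tokenMaxTtl: pulumi.Output<number | undefined>;
    /**
     * If true, the 'default' policy will not automatically be added to generated tokens.
     */
    readonly tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;
    /**
     * The maximum number of times a token may be used, a value of zero means unlimited.
     */
    readonly tokenNumUses: pulumi.Output<number | undefined>;
    /**
     * Generated Token's Period.
     */
    readonly tokenPeriod: pulumi.Output<number | undefined>;
    /**
     * Generated Token's Policies.
     */
    readonly tokenPolicies: pulumi.Output<string[] | undefined>;
    /**
     * The initial ttl of the token to generate in seconds.
     */
    readonly tokenTtl: pulumi.Output<number | undefined>;
    /**
     * The type of token to generate, service or batch.
     */
    readonly tokenType: pulumi.Output<string | undefined>;

    /**
     * Create a CertAuthBackendRole resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: CertAuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering CertAuthBackendRole resources.
 * Every field is optional here because a lookup may qualify on any subset of them.
 */
export interface CertAuthBackendRoleState {
    /**
     * Allowed common names for authenticated client certificates.
     */
    allowedCommonNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed alternative DNS names for authenticated client certificates.
     */
    allowedDnsSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed emails for authenticated client certificates.
     */
    allowedEmailSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * DEPRECATED: Please use the individual `allowed_X_sans` parameters instead.
     * Allowed subject names for authenticated client certificates.
     */
    allowedNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed organization units for authenticated client certificates.
     */
    allowedOrganizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed URIs for authenticated client certificates.
     */
    allowedUriSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Path to the mounted Cert auth backend.
     */
    backend?: pulumi.Input<string>;
    /**
     * CA certificate used to validate client certificates.
     */
    certificate?: pulumi.Input<string>;
    /**
     * The name to display on tokens issued under this role.
     */
    displayName?: pulumi.Input<string>;
    /**
     * Name of the role.
     */
    name?: pulumi.Input<string>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    namespace?: pulumi.Input<string>;
    /**
     * Any additional CA certificates
     * needed to verify OCSP responses. Provided as base64 encoded PEM data.
     * Requires Vault version 1.13+.
     */
    ocspCaCertificates?: pulumi.Input<string>;
    /**
     * If enabled, validate certificates'
     * revocation status using OCSP. Requires Vault version 1.13+.
     */
    ocspEnabled?: pulumi.Input<boolean>;
    /**
     * If true and an OCSP response cannot
     * be fetched or is of an unknown status, the login will proceed as if the
     * certificate has not been revoked.
     * Requires Vault version 1.13+.
     */
    ocspFailOpen?: pulumi.Input<boolean>;
    /**
     * If set to true, rather than
     * accepting the first successful OCSP response, query all servers and consider
     * the certificate valid only if all servers agree.
     * Requires Vault version 1.13+.
     */
    ocspQueryAllServers?: pulumi.Input<boolean>;
    /**
     * A comma-separated list of OCSP
     * server addresses. If unset, the OCSP server is determined from the
     * AuthorityInformationAccess extension on the certificate being inspected.
     * Requires Vault version 1.13+.
     */
    ocspServersOverrides?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * TLS extensions required on
     * client certificates.
     */
    requiredExtensions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the blocks of IP addresses which are allowed to use the generated token.
     */
    tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Generated Token's Explicit Maximum TTL in seconds.
     */
    tokenExplicitMaxTtl?: pulumi.Input<number>;
    /**
     * The maximum lifetime of the generated token.
     */
    tokenMaxTtl?: pulumi.Input<number>;
    /**
     * If true, the 'default' policy will not automatically be added to generated tokens.
     */
    tokenNoDefaultPolicy?: pulumi.Input<boolean>;
    /**
     * The maximum number of times a token may be used, a value of zero means unlimited.
     */
    tokenNumUses?: pulumi.Input<number>;
    /**
     * Generated Token's Period.
     */
    tokenPeriod?: pulumi.Input<number>;
    /**
     * Generated Token's Policies.
     */
    tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The initial ttl of the token to generate in seconds.
     */
    tokenTtl?: pulumi.Input<number>;
    /**
     * The type of token to generate, service or batch.
     */
    tokenType?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a CertAuthBackendRole resource.
 * Only `certificate` is required; everything else defaults on the Vault side.
 */
export interface CertAuthBackendRoleArgs {
    /**
     * Allowed common names for authenticated client certificates.
     */
    allowedCommonNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed alternative DNS names for authenticated client certificates.
     */
    allowedDnsSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed emails for authenticated client certificates.
     */
    allowedEmailSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * DEPRECATED: Please use the individual `allowed_X_sans` parameters instead.
     * Allowed subject names for authenticated client certificates.
     */
    allowedNames?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed organization units for authenticated client certificates.
     */
    allowedOrganizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allowed URIs for authenticated client certificates.
     */
    allowedUriSans?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Path to the mounted Cert auth backend.
     */
    backend?: pulumi.Input<string>;
    /**
     * CA certificate used to validate client certificates.
     * Presented certificates must chain to this CA; the `allowed*` and
     * `requiredExtensions` fields further restrict which of those certificates may log in.
     */
    certificate: pulumi.Input<string>;
    /**
     * The name to display on tokens issued under this role.
     */
    displayName?: pulumi.Input<string>;
    /**
     * Name of the role.
     */
    name?: pulumi.Input<string>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    namespace?: pulumi.Input<string>;
    /**
     * Any additional CA certificates
     * needed to verify OCSP responses. Provided as base64 encoded PEM data.
     * Requires Vault version 1.13+.
     */
    ocspCaCertificates?: pulumi.Input<string>;
    /**
     * If enabled, validate certificates'
     * revocation status using OCSP. Requires Vault version 1.13+.
     */
    ocspEnabled?: pulumi.Input<boolean>;
    /**
     * If true and an OCSP response cannot
     * be fetched or is of an unknown status, the login will proceed as if the
     * certificate has not been revoked.
     * Requires Vault version 1.13+.
     *
     * Fail-open trades revocation enforcement for availability: while the OCSP
     * responder is unreachable, a revoked certificate can still authenticate.
     */
    ocspFailOpen?: pulumi.Input<boolean>;
    /**
     * If set to true, rather than
     * accepting the first successful OCSP response, query all servers and consider
     * the certificate valid only if all servers agree.
     * Requires Vault version 1.13+.
     */
    ocspQueryAllServers?: pulumi.Input<boolean>;
    /**
     * A comma-separated list of OCSP
     * server addresses. If unset, the OCSP server is determined from the
     * AuthorityInformationAccess extension on the certificate being inspected.
     * Requires Vault version 1.13+.
     *
     * When set, revocation status comes from these endpoints instead of the one
     * named in the certificate, so they must be trusted and reachable.
     */
    ocspServersOverrides?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * TLS extensions required on
     * client certificates.
     */
    requiredExtensions?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the blocks of IP addresses which are allowed to use the generated token.
     */
    tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Generated Token's Explicit Maximum TTL in seconds.
     */
    tokenExplicitMaxTtl?: pulumi.Input<number>;
    /**
     * The maximum lifetime of the generated token.
     */
    tokenMaxTtl?: pulumi.Input<number>;
    /**
     * If true, the 'default' policy will not automatically be added to generated tokens.
     */
    tokenNoDefaultPolicy?: pulumi.Input<boolean>;
    /**
     * The maximum number of times a token may be used, a value of zero means unlimited.
     */
    tokenNumUses?: pulumi.Input<number>;
    /**
     * Generated Token's Period.
     */
    tokenPeriod?: pulumi.Input<number>;
    /**
     * Generated Token's Policies.
     */
    tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The initial ttl of the token to generate in seconds.
     */
    tokenTtl?: pulumi.Input<number>;
    /**
     * The type of token to generate, service or batch.
     */
    tokenType?: pulumi.Input<string>;
}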