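import * as pulumi from "@pulumi/pulumi";
/**
 * This resource enables a new secrets engine at the given path.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as vault from "@pulumi/vault";
 *
 * const example = new vault.Mount("example", {
 *     path: "dummy",
 *     type: "generic",
 *     description: "This is an example mount",
 * });
 * ```
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as vault from "@pulumi/vault";
 *
 * const kvv2_example = new vault.Mount("kvv2-example", {
 *     path: "version2-example",
 *     type: "kv-v2",
 *     options: {
 *         version: "2",
 *         type: "kv-v2",
 *     },
 *     description: "This is an example KV Version 2 secret engine mount",
 * });
 * ```
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as vault from "@pulumi/vault";
 *
 * const transit_example = new vault.Mount("transit-example", {
 *     path: "transit-example",
 *     type: "transit",
 *     description: "This is an example transit secret engine mount",
 *     options: {
 *         convergent_encryption: "false",
 *     },
 * });
 * ```
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as vault from "@pulumi/vault";
 *
 * const pki_example = new vault.Mount("pki-example", {
 *     path: "pki-example",
 *     type: "pki",
 *     description: "This is an example PKI mount",
 *     defaultLeaseTtlSeconds: 3600,
 *     maxLeaseTtlSeconds: 86400,
 * });
 * ```
 *
 * ## Import
 *
 * Mounts can be imported using the `path`, e.g.
 *
 * ```sh
 * $ pulumi import vault:index/mount:Mount example dummy
 * ```
 */
export declare class Mount extends pulumi.CustomResource {
    // NOTE(review): the type arguments of pulumi.Input / pulumi.Output were missing from
    // this listing and are restored here from the property descriptions. Which outputs
    // carry `| undefined` is inferred (only `options` kept its full type) - confirm
    // against the published @pulumi/vault typings.
    /**
     * Get an existing Mount resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: MountState, opts?: pulumi.CustomResourceOptions): Mount;
    /**
     * Returns true if the given object is an instance of Mount. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Mount;
    /**
     * The accessor for this mount.
     */
    readonly accessor: pulumi.Output<string>;
    /**
     * Set of managed key registry entry names that the mount in question is allowed to access
     */
    readonly allowedManagedKeys: pulumi.Output<string[] | undefined>;
    /**
     * List of headers to allow, allowing a plugin to include
     * them in the response.
     */
    readonly allowedResponseHeaders: pulumi.Output<string[] | undefined>;
    /**
     * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
     * Values under these keys are written to the audit log in cleartext, so list only keys
     * whose values are not sensitive.
     */
    readonly auditNonHmacRequestKeys: pulumi.Output<string[]>;
    /**
     * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
     * Values under these keys are written to the audit log in cleartext, so list only keys
     * whose values are not sensitive.
     */
    readonly auditNonHmacResponseKeys: pulumi.Output<string[]>;
    /**
     * Default lease duration for tokens and secrets in seconds
     */
    readonly defaultLeaseTtlSeconds: pulumi.Output<number>;
    /**
     * List of allowed authentication mount accessors the
     * backend can request delegated authentication for.
     */
    readonly delegatedAuthAccessors: pulumi.Output<string[] | undefined>;
    /**
     * Human-friendly description of the mount
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
     */
    readonly externalEntropyAccess: pulumi.Output<boolean | undefined>;
    /**
     * The key to use for signing plugin workload identity tokens. If
     * not provided, this will default to Vault's OIDC default key.
     */
    readonly identityTokenKey: pulumi.Output<string | undefined>;
    /**
     * Specifies whether to show this mount in the UI-specific
     * listing endpoint. Valid values are `unauth` or `hidden`. If not set, behaves like `hidden`.
     * With `unauth`, the mount is listed to callers that have not authenticated.
     */
    readonly listingVisibility: pulumi.Output<string | undefined>;
    /**
     * Boolean flag that can be explicitly set to true to enforce local mount in HA environment
     */
    readonly local: pulumi.Output<boolean | undefined>;
    /**
     * Maximum possible lease duration for tokens and secrets in seconds
     */
    readonly maxLeaseTtlSeconds: pulumi.Output<number>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    readonly namespace: pulumi.Output<string | undefined>;
    /**
     * Specifies mount type specific options that are passed to the backend
     */
    readonly options: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * List of headers to allow and pass from the request to
     * the plugin.
     */
    readonly passthroughRequestHeaders: pulumi.Output<string[] | undefined>;
    /**
     * Where the secret backend will be mounted
     */
    readonly path: pulumi.Output<string>;
    /**
     * Specifies the semantic version of the plugin to use, e.g. "v1.0.0".
     * If unspecified, the server will select any matching unversioned plugin that may have been
     * registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
     */
    readonly pluginVersion: pulumi.Output<string | undefined>;
    /**
     * Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
     */
    readonly sealWrap: pulumi.Output<boolean>;
    /**
     * Type of the backend, such as "aws"
     */
    readonly type: pulumi.Output<string>;
    /**
     * Create a Mount resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: MountArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Mount resources.
 */
export interface MountState {
    /**
     * The accessor for this mount.
     */
    accessor?: pulumi.Input<string>;
    /**
     * Set of managed key registry entry names that the mount in question is allowed to access
     */
    allowedManagedKeys?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of headers to allow, allowing a plugin to include
     * them in the response.
     */
    allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
     * Values under these keys are written to the audit log in cleartext, so list only keys
     * whose values are not sensitive.
     */
    auditNonHmacRequestKeys?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
     * Values under these keys are written to the audit log in cleartext, so list only keys
     * whose values are not sensitive.
     */
    auditNonHmacResponseKeys?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Default lease duration for tokens and secrets in seconds
     */
    defaultLeaseTtlSeconds?: pulumi.Input<number>;
    /**
     * List of allowed authentication mount accessors the
     * backend can request delegated authentication for.
     */
    delegatedAuthAccessors?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Human-friendly description of the mount
     */
    description?: pulumi.Input<string>;
    /**
     * Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
     */
    externalEntropyAccess?: pulumi.Input<boolean>;
    /**
     * The key to use for signing plugin workload identity tokens. If
     * not provided, this will default to Vault's OIDC default key.
     */
    identityTokenKey?: pulumi.Input<string>;
    /**
     * Specifies whether to show this mount in the UI-specific
     * listing endpoint. Valid values are `unauth` or `hidden`. If not set, behaves like `hidden`.
     * With `unauth`, the mount is listed to callers that have not authenticated.
     */
    listingVisibility?: pulumi.Input<string>;
    /**
     * Boolean flag that can be explicitly set to true to enforce local mount in HA environment
     */
    local?: pulumi.Input<boolean>;
    /**
     * Maximum possible lease duration for tokens and secrets in seconds
     */
    maxLeaseTtlSeconds?: pulumi.Input<number>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    namespace?: pulumi.Input<string>;
    /**
     * Specifies mount type specific options that are passed to the backend
     */
    options?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * List of headers to allow and pass from the request to
     * the plugin.
     */
    passthroughRequestHeaders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Where the secret backend will be mounted
     */
    path?: pulumi.Input<string>;
    /**
     * Specifies the semantic version of the plugin to use, e.g. "v1.0.0".
     * If unspecified, the server will select any matching unversioned plugin that may have been
     * registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
     */
    pluginVersion?: pulumi.Input<string>;
    /**
     * Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
     */
    sealWrap?: pulumi.Input<boolean>;
    /**
     * Type of the backend, such as "aws"
     */
    type?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a Mount resource.
 */
export interface MountArgs {
    /**
     * Set of managed key registry entry names that the mount in question is allowed to access
     */
    allowedManagedKeys?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of headers to allow, allowing a plugin to include
     * them in the response.
     */
    allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
     * Values under these keys are written to the audit log in cleartext, so list only keys
     * whose values are not sensitive.
     */
    auditNonHmacRequestKeys?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
     * Values under these keys are written to the audit log in cleartext, so list only keys
     * whose values are not sensitive.
     */
    auditNonHmacResponseKeys?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Default lease duration for tokens and secrets in seconds
     */
    defaultLeaseTtlSeconds?: pulumi.Input<number>;
    /**
     * List of allowed authentication mount accessors the
     * backend can request delegated authentication for.
     */
    delegatedAuthAccessors?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Human-friendly description of the mount
     */
    description?: pulumi.Input<string>;
    /**
     * Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
     */
    externalEntropyAccess?: pulumi.Input<boolean>;
    /**
     * The key to use for signing plugin workload identity tokens. If
     * not provided, this will default to Vault's OIDC default key.
     */
    identityTokenKey?: pulumi.Input<string>;
    /**
     * Specifies whether to show this mount in the UI-specific
     * listing endpoint. Valid values are `unauth` or `hidden`. If not set, behaves like `hidden`.
     * With `unauth`, the mount is listed to callers that have not authenticated.
     */
    listingVisibility?: pulumi.Input<string>;
    /**
     * Boolean flag that can be explicitly set to true to enforce local mount in HA environment
     */
    local?: pulumi.Input<boolean>;
    /**
     * Maximum possible lease duration for tokens and secrets in seconds
     */
    maxLeaseTtlSeconds?: pulumi.Input<number>;
    /**
     * The namespace to provision the resource in.
     * The value should not contain leading or trailing forward slashes.
     * The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
     * *Available only for Vault Enterprise*.
     */
    namespace?: pulumi.Input<string>;
    /**
     * Specifies mount type specific options that are passed to the backend
     */
    options?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * List of headers to allow and pass from the request to
     * the plugin.
     */
    passthroughRequestHeaders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Where the secret backend will be mounted
     */
    path: pulumi.Input<string>;
    /**
     * Specifies the semantic version of the plugin to use, e.g. "v1.0.0".
     * If unspecified, the server will select any matching unversioned plugin that may have been
     * registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
     */
    pluginVersion?: pulumi.Input<string>;
    /**
     * Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
     */
    sealWrap?: pulumi.Input<boolean>;
    /**
     * Type of the backend, such as "aws"
     */
    type: pulumi.Input<string>;
}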