import * as pulumi from "@pulumi/pulumi"; /** * Manage rate limit quotas which enforce API rate limiting using a token bucket algorithm. * A rate limit quota can be created at the root level or defined on a namespace or mount by * specifying a path when creating the quota. * * See [Vault's Documentation](https://www.vaultproject.io/docs/concepts/resource-quotas) for more * information. * * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as vault from "@pulumi/vault"; * * const global = new vault.QuotaRateLimit("global", { * name: "global", * path: "", * rate: 100, * }); * ``` * * ## Import * * Rate limit quotas can be imported using their names * * ```sh * $ pulumi import vault:index/quotaRateLimit:QuotaRateLimit global global * ``` */ export declare class QuotaRateLimit extends pulumi.CustomResource { /** * Get an existing QuotaRateLimit resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: QuotaRateLimitState, opts?: pulumi.CustomResourceOptions): QuotaRateLimit; /** * Returns true if the given object is an instance of QuotaRateLimit. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is QuotaRateLimit; /** * If set, when a client reaches a rate limit threshold, the client will * be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. */ readonly blockInterval: pulumi.Output; /** * Attribute used to group requests for rate limiting. Limits are enforced independently for each * group. Valid `groupBy` modes are: 1) `ip` that groups requests by their source IP address (**`groupBy` defaults to * `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests * that match the rate limit quota rule; 3) `entityThenIp` that groups requests by their entity ID for authenticated * requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not * connected to an entity); and 4) `entityThenNone` which also groups requests by their entity ID when available, but * the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity). */ readonly groupBy: pulumi.Output; /** * If set to `true` on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to `true` if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. */ readonly inheritable: pulumi.Output; /** * The duration in seconds to enforce rate limiting for. */ readonly interval: pulumi.Output; /** * Name of the rate limit quota */ readonly name: pulumi.Output; /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. * The `namespace` is always relative to the provider's configured namespace. * *Available only for Vault Enterprise*. */ readonly namespace: pulumi.Output; /** * Path of the mount or namespace to apply the quota. A blank path configures a * global rate limit quota. For example `namespace1/` adds a quota to a full namespace, * `namespace1/auth/userpass` adds a `quota` to `userpass` in `namespace1`. * Updating this field on an existing quota can have "moving" effects. For example, updating * `auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to * a namespace specific mount quota. **Note, namespaces are supported in Enterprise only.** */ readonly path: pulumi.Output; /** * The maximum number of requests at any given second to be allowed by the quota * rule. The `rate` must be positive. */ readonly rate: pulumi.Output; /** * If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. */ readonly role: pulumi.Output; /** * Can only be set for the `groupBy` modes `entityThenIp` or `entityThenNone`. This is * the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests * that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`. */ readonly secondaryRate: pulumi.Output; /** * Create a QuotaRateLimit resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: QuotaRateLimitArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering QuotaRateLimit resources. */ export interface QuotaRateLimitState { /** * If set, when a client reaches a rate limit threshold, the client will * be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. */ blockInterval?: pulumi.Input; /** * Attribute used to group requests for rate limiting. Limits are enforced independently for each * group. Valid `groupBy` modes are: 1) `ip` that groups requests by their source IP address (**`groupBy` defaults to * `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests * that match the rate limit quota rule; 3) `entityThenIp` that groups requests by their entity ID for authenticated * requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not * connected to an entity); and 4) `entityThenNone` which also groups requests by their entity ID when available, but * the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity). */ groupBy?: pulumi.Input; /** * If set to `true` on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to `true` if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. */ inheritable?: pulumi.Input; /** * The duration in seconds to enforce rate limiting for. */ interval?: pulumi.Input; /** * Name of the rate limit quota */ name?: pulumi.Input; /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. * The `namespace` is always relative to the provider's configured namespace. * *Available only for Vault Enterprise*. */ namespace?: pulumi.Input; /** * Path of the mount or namespace to apply the quota. A blank path configures a * global rate limit quota. For example `namespace1/` adds a quota to a full namespace, * `namespace1/auth/userpass` adds a `quota` to `userpass` in `namespace1`. * Updating this field on an existing quota can have "moving" effects. For example, updating * `auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to * a namespace specific mount quota. **Note, namespaces are supported in Enterprise only.** */ path?: pulumi.Input; /** * The maximum number of requests at any given second to be allowed by the quota * rule. The `rate` must be positive. */ rate?: pulumi.Input; /** * If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. */ role?: pulumi.Input; /** * Can only be set for the `groupBy` modes `entityThenIp` or `entityThenNone`. This is * the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests * that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`. */ secondaryRate?: pulumi.Input; } /** * The set of arguments for constructing a QuotaRateLimit resource. */ export interface QuotaRateLimitArgs { /** * If set, when a client reaches a rate limit threshold, the client will * be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. */ blockInterval?: pulumi.Input; /** * Attribute used to group requests for rate limiting. Limits are enforced independently for each * group. Valid `groupBy` modes are: 1) `ip` that groups requests by their source IP address (**`groupBy` defaults to * `ip` if unset, which is the only supported mode in community edition**); 2) `none` that groups together all requests * that match the rate limit quota rule; 3) `entityThenIp` that groups requests by their entity ID for authenticated * requests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not * connected to an entity); and 4) `entityThenNone` which also groups requests by their entity ID when available, but * the rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity). */ groupBy?: pulumi.Input; /** * If set to `true` on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to `true` if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+. */ inheritable?: pulumi.Input; /** * The duration in seconds to enforce rate limiting for. */ interval?: pulumi.Input; /** * Name of the rate limit quota */ name?: pulumi.Input; /** * The namespace to provision the resource in. * The value should not contain leading or trailing forward slashes. * The `namespace` is always relative to the provider's configured namespace. * *Available only for Vault Enterprise*. */ namespace?: pulumi.Input; /** * Path of the mount or namespace to apply the quota. A blank path configures a * global rate limit quota. For example `namespace1/` adds a quota to a full namespace, * `namespace1/auth/userpass` adds a `quota` to `userpass` in `namespace1`. * Updating this field on an existing quota can have "moving" effects. For example, updating * `auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to * a namespace specific mount quota. **Note, namespaces are supported in Enterprise only.** */ path?: pulumi.Input; /** * The maximum number of requests at any given second to be allowed by the quota * rule. The `rate` must be positive. */ rate: pulumi.Input; /** * If set on a quota where `path` is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. */ role?: pulumi.Input; /** * Can only be set for the `groupBy` modes `entityThenIp` or `entityThenNone`. This is * the rate limit applied to the requests that fall under the "ip" or "none" groupings, while the authenticated requests * that contain an entity ID are subject to the `rate` field instead. Defaults to the same value as `rate`. */ secondaryRate?: pulumi.Input; }