com.pulumi.vault.kubernetes.kotlin.SecretBackendRoleArgs.kt Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of pulumi-vault-kotlin Show documentation
Show all versions of pulumi-vault-kotlin Show documentation
Build cloud applications and infrastructure by combining the safety and reliability of infrastructure as code with the power of the Kotlin programming language.
@file:Suppress("NAME_SHADOWING", "DEPRECATION")
package com.pulumi.vault.kubernetes.kotlin
import com.pulumi.core.Output
import com.pulumi.core.Output.of
import com.pulumi.kotlin.ConvertibleToJava
import com.pulumi.kotlin.PulumiTagMarker
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs.builder
import kotlin.Int
import kotlin.Pair
import kotlin.String
import kotlin.Suppress
import kotlin.collections.List
import kotlin.collections.Map
import kotlin.jvm.JvmName
/**
* ## Example Usage
* Example using `service_account_name` mode:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as std from "@pulumi/std";
* import * as vault from "@pulumi/vault";
* const config = new vault.kubernetes.SecretBackend("config", {
* path: "kubernetes",
* description: "kubernetes secrets engine description",
* kubernetesHost: "https://127.0.0.1:61233",
* kubernetesCaCert: std.file({
* input: "/path/to/cert",
* }).then(invoke => invoke.result),
* serviceAccountJwt: std.file({
* input: "/path/to/token",
* }).then(invoke => invoke.result),
* disableLocalCaJwt: false,
* });
* const sa_example = new vault.kubernetes.SecretBackendRole("sa-example", {
* backend: config.path,
* name: "service-account-name-role",
* allowedKubernetesNamespaces: ["*"],
* tokenMaxTtl: 43200,
* tokenDefaultTtl: 21600,
* serviceAccountName: "test-service-account-with-generated-token",
* extraLabels: {
* id: "abc123",
* name: "some_name",
* },
* extraAnnotations: {
* env: "development",
* location: "earth",
* },
* });
* ```
* ```python
* import pulumi
* import pulumi_std as std
* import pulumi_vault as vault
* config = vault.kubernetes.SecretBackend("config",
* path="kubernetes",
* description="kubernetes secrets engine description",
* kubernetes_host="https://127.0.0.1:61233",
* kubernetes_ca_cert=std.file(input="/path/to/cert").result,
* service_account_jwt=std.file(input="/path/to/token").result,
* disable_local_ca_jwt=False)
* sa_example = vault.kubernetes.SecretBackendRole("sa-example",
* backend=config.path,
* name="service-account-name-role",
* allowed_kubernetes_namespaces=["*"],
* token_max_ttl=43200,
* token_default_ttl=21600,
* service_account_name="test-service-account-with-generated-token",
* extra_labels={
* "id": "abc123",
* "name": "some_name",
* },
* extra_annotations={
* "env": "development",
* "location": "earth",
* })
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Std = Pulumi.Std;
* using Vault = Pulumi.Vault;
* return await Deployment.RunAsync(() =>
* {
* var config = new Vault.Kubernetes.SecretBackend("config", new()
* {
* Path = "kubernetes",
* Description = "kubernetes secrets engine description",
* KubernetesHost = "https://127.0.0.1:61233",
* KubernetesCaCert = Std.File.Invoke(new()
* {
* Input = "/path/to/cert",
* }).Apply(invoke => invoke.Result),
* ServiceAccountJwt = Std.File.Invoke(new()
* {
* Input = "/path/to/token",
* }).Apply(invoke => invoke.Result),
* DisableLocalCaJwt = false,
* });
* var sa_example = new Vault.Kubernetes.SecretBackendRole("sa-example", new()
* {
* Backend = config.Path,
* Name = "service-account-name-role",
* AllowedKubernetesNamespaces = new[]
* {
* "*",
* },
* TokenMaxTtl = 43200,
* TokenDefaultTtl = 21600,
* ServiceAccountName = "test-service-account-with-generated-token",
* ExtraLabels =
* {
* { "id", "abc123" },
* { "name", "some_name" },
* },
* ExtraAnnotations =
* {
* { "env", "development" },
* { "location", "earth" },
* },
* });
* });
* ```
* ```go
* package main
* import (
* "github.com/pulumi/pulumi-std/sdk/go/std"
* "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* invokeFile, err := std.File(ctx, &std.FileArgs{
* Input: "/path/to/cert",
* }, nil)
* if err != nil {
* return err
* }
* invokeFile1, err := std.File(ctx, &std.FileArgs{
* Input: "/path/to/token",
* }, nil)
* if err != nil {
* return err
* }
* config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
* Path: pulumi.String("kubernetes"),
* Description: pulumi.String("kubernetes secrets engine description"),
* KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
* KubernetesCaCert: pulumi.String(invokeFile.Result),
* ServiceAccountJwt: pulumi.String(invokeFile1.Result),
* DisableLocalCaJwt: pulumi.Bool(false),
* })
* if err != nil {
* return err
* }
* _, err = kubernetes.NewSecretBackendRole(ctx, "sa-example", &kubernetes.SecretBackendRoleArgs{
* Backend: config.Path,
* Name: pulumi.String("service-account-name-role"),
* AllowedKubernetesNamespaces: pulumi.StringArray{
* pulumi.String("*"),
* },
* TokenMaxTtl: pulumi.Int(43200),
* TokenDefaultTtl: pulumi.Int(21600),
* ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
* ExtraLabels: pulumi.StringMap{
* "id": pulumi.String("abc123"),
* "name": pulumi.String("some_name"),
* },
* ExtraAnnotations: pulumi.StringMap{
* "env": pulumi.String("development"),
* "location": pulumi.String("earth"),
* },
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.vault.kubernetes.SecretBackend;
* import com.pulumi.vault.kubernetes.SecretBackendArgs;
* import com.pulumi.vault.kubernetes.SecretBackendRole;
* import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var config = new SecretBackend("config", SecretBackendArgs.builder()
* .path("kubernetes")
* .description("kubernetes secrets engine description")
* .kubernetesHost("https://127.0.0.1:61233")
* .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
* .input("/path/to/cert")
* .build()).result())
* .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
* .input("/path/to/token")
* .build()).result())
* .disableLocalCaJwt(false)
* .build());
* var sa_example = new SecretBackendRole("sa-example", SecretBackendRoleArgs.builder()
* .backend(config.path())
* .name("service-account-name-role")
* .allowedKubernetesNamespaces("*")
* .tokenMaxTtl(43200)
* .tokenDefaultTtl(21600)
* .serviceAccountName("test-service-account-with-generated-token")
* .extraLabels(Map.ofEntries(
* Map.entry("id", "abc123"),
* Map.entry("name", "some_name")
* ))
* .extraAnnotations(Map.ofEntries(
* Map.entry("env", "development"),
* Map.entry("location", "earth")
* ))
* .build());
* }
* }
* ```
* ```yaml
* resources:
* config:
* type: vault:kubernetes:SecretBackend
* properties:
* path: kubernetes
* description: kubernetes secrets engine description
* kubernetesHost: https://127.0.0.1:61233
* kubernetesCaCert:
* fn::invoke:
* Function: std:file
* Arguments:
* input: /path/to/cert
* Return: result
* serviceAccountJwt:
* fn::invoke:
* Function: std:file
* Arguments:
* input: /path/to/token
* Return: result
* disableLocalCaJwt: false
* sa-example:
* type: vault:kubernetes:SecretBackendRole
* properties:
* backend: ${config.path}
* name: service-account-name-role
* allowedKubernetesNamespaces:
* - '*'
* tokenMaxTtl: 43200
* tokenDefaultTtl: 21600
* serviceAccountName: test-service-account-with-generated-token
* extraLabels:
* id: abc123
* name: some_name
* extraAnnotations:
* env: development
* location: earth
* ```
*
* Example using `kubernetes_role_name` mode:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as std from "@pulumi/std";
* import * as vault from "@pulumi/vault";
* const config = new vault.kubernetes.SecretBackend("config", {
* path: "kubernetes",
* description: "kubernetes secrets engine description",
* kubernetesHost: "https://127.0.0.1:61233",
* kubernetesCaCert: std.file({
* input: "/path/to/cert",
* }).then(invoke => invoke.result),
* serviceAccountJwt: std.file({
* input: "/path/to/token",
* }).then(invoke => invoke.result),
* disableLocalCaJwt: false,
* });
* const name_example = new vault.kubernetes.SecretBackendRole("name-example", {
* backend: config.path,
* name: "service-account-name-role",
* allowedKubernetesNamespaces: ["*"],
* tokenMaxTtl: 43200,
* tokenDefaultTtl: 21600,
* kubernetesRoleName: "vault-k8s-secrets-role",
* extraLabels: {
* id: "abc123",
* name: "some_name",
* },
* extraAnnotations: {
* env: "development",
* location: "earth",
* },
* });
* ```
* ```python
* import pulumi
* import pulumi_std as std
* import pulumi_vault as vault
* config = vault.kubernetes.SecretBackend("config",
* path="kubernetes",
* description="kubernetes secrets engine description",
* kubernetes_host="https://127.0.0.1:61233",
* kubernetes_ca_cert=std.file(input="/path/to/cert").result,
* service_account_jwt=std.file(input="/path/to/token").result,
* disable_local_ca_jwt=False)
* name_example = vault.kubernetes.SecretBackendRole("name-example",
* backend=config.path,
* name="service-account-name-role",
* allowed_kubernetes_namespaces=["*"],
* token_max_ttl=43200,
* token_default_ttl=21600,
* kubernetes_role_name="vault-k8s-secrets-role",
* extra_labels={
* "id": "abc123",
* "name": "some_name",
* },
* extra_annotations={
* "env": "development",
* "location": "earth",
* })
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Std = Pulumi.Std;
* using Vault = Pulumi.Vault;
* return await Deployment.RunAsync(() =>
* {
* var config = new Vault.Kubernetes.SecretBackend("config", new()
* {
* Path = "kubernetes",
* Description = "kubernetes secrets engine description",
* KubernetesHost = "https://127.0.0.1:61233",
* KubernetesCaCert = Std.File.Invoke(new()
* {
* Input = "/path/to/cert",
* }).Apply(invoke => invoke.Result),
* ServiceAccountJwt = Std.File.Invoke(new()
* {
* Input = "/path/to/token",
* }).Apply(invoke => invoke.Result),
* DisableLocalCaJwt = false,
* });
* var name_example = new Vault.Kubernetes.SecretBackendRole("name-example", new()
* {
* Backend = config.Path,
* Name = "service-account-name-role",
* AllowedKubernetesNamespaces = new[]
* {
* "*",
* },
* TokenMaxTtl = 43200,
* TokenDefaultTtl = 21600,
* KubernetesRoleName = "vault-k8s-secrets-role",
* ExtraLabels =
* {
* { "id", "abc123" },
* { "name", "some_name" },
* },
* ExtraAnnotations =
* {
* { "env", "development" },
* { "location", "earth" },
* },
* });
* });
* ```
* ```go
* package main
* import (
* "github.com/pulumi/pulumi-std/sdk/go/std"
* "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* invokeFile, err := std.File(ctx, &std.FileArgs{
* Input: "/path/to/cert",
* }, nil)
* if err != nil {
* return err
* }
* invokeFile1, err := std.File(ctx, &std.FileArgs{
* Input: "/path/to/token",
* }, nil)
* if err != nil {
* return err
* }
* config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
* Path: pulumi.String("kubernetes"),
* Description: pulumi.String("kubernetes secrets engine description"),
* KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
* KubernetesCaCert: pulumi.String(invokeFile.Result),
* ServiceAccountJwt: pulumi.String(invokeFile1.Result),
* DisableLocalCaJwt: pulumi.Bool(false),
* })
* if err != nil {
* return err
* }
* _, err = kubernetes.NewSecretBackendRole(ctx, "name-example", &kubernetes.SecretBackendRoleArgs{
* Backend: config.Path,
* Name: pulumi.String("service-account-name-role"),
* AllowedKubernetesNamespaces: pulumi.StringArray{
* pulumi.String("*"),
* },
* TokenMaxTtl: pulumi.Int(43200),
* TokenDefaultTtl: pulumi.Int(21600),
* KubernetesRoleName: pulumi.String("vault-k8s-secrets-role"),
* ExtraLabels: pulumi.StringMap{
* "id": pulumi.String("abc123"),
* "name": pulumi.String("some_name"),
* },
* ExtraAnnotations: pulumi.StringMap{
* "env": pulumi.String("development"),
* "location": pulumi.String("earth"),
* },
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.vault.kubernetes.SecretBackend;
* import com.pulumi.vault.kubernetes.SecretBackendArgs;
* import com.pulumi.vault.kubernetes.SecretBackendRole;
* import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var config = new SecretBackend("config", SecretBackendArgs.builder()
* .path("kubernetes")
* .description("kubernetes secrets engine description")
* .kubernetesHost("https://127.0.0.1:61233")
* .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
* .input("/path/to/cert")
* .build()).result())
* .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
* .input("/path/to/token")
* .build()).result())
* .disableLocalCaJwt(false)
* .build());
* var name_example = new SecretBackendRole("name-example", SecretBackendRoleArgs.builder()
* .backend(config.path())
* .name("service-account-name-role")
* .allowedKubernetesNamespaces("*")
* .tokenMaxTtl(43200)
* .tokenDefaultTtl(21600)
* .kubernetesRoleName("vault-k8s-secrets-role")
* .extraLabels(Map.ofEntries(
* Map.entry("id", "abc123"),
* Map.entry("name", "some_name")
* ))
* .extraAnnotations(Map.ofEntries(
* Map.entry("env", "development"),
* Map.entry("location", "earth")
* ))
* .build());
* }
* }
* ```
* ```yaml
* resources:
* config:
* type: vault:kubernetes:SecretBackend
* properties:
* path: kubernetes
* description: kubernetes secrets engine description
* kubernetesHost: https://127.0.0.1:61233
* kubernetesCaCert:
* fn::invoke:
* Function: std:file
* Arguments:
* input: /path/to/cert
* Return: result
* serviceAccountJwt:
* fn::invoke:
* Function: std:file
* Arguments:
* input: /path/to/token
* Return: result
* disableLocalCaJwt: false
* name-example:
* type: vault:kubernetes:SecretBackendRole
* properties:
* backend: ${config.path}
* name: service-account-name-role
* allowedKubernetesNamespaces:
* - '*'
* tokenMaxTtl: 43200
* tokenDefaultTtl: 21600
* kubernetesRoleName: vault-k8s-secrets-role
* extraLabels:
* id: abc123
* name: some_name
* extraAnnotations:
* env: development
* location: earth
* ```
*
* Example using `generated_role_rules` mode:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as std from "@pulumi/std";
* import * as vault from "@pulumi/vault";
* const config = new vault.kubernetes.SecretBackend("config", {
* path: "kubernetes",
* description: "kubernetes secrets engine description",
* kubernetesHost: "https://127.0.0.1:61233",
* kubernetesCaCert: std.file({
* input: "/path/to/cert",
* }).then(invoke => invoke.result),
* serviceAccountJwt: std.file({
* input: "/path/to/token",
* }).then(invoke => invoke.result),
* disableLocalCaJwt: false,
* });
* const rules_example = new vault.kubernetes.SecretBackendRole("rules-example", {
* backend: config.path,
* name: "service-account-name-role",
* allowedKubernetesNamespaces: ["*"],
* tokenMaxTtl: 43200,
* tokenDefaultTtl: 21600,
* kubernetesRoleType: "Role",
* generatedRoleRules: `rules:
* - apiGroups: [""]
* resources: ["pods"]
* verbs: ["list"]
* `,
* extraLabels: {
* id: "abc123",
* name: "some_name",
* },
* extraAnnotations: {
* env: "development",
* location: "earth",
* },
* });
* ```
* ```python
* import pulumi
* import pulumi_std as std
* import pulumi_vault as vault
* config = vault.kubernetes.SecretBackend("config",
* path="kubernetes",
* description="kubernetes secrets engine description",
* kubernetes_host="https://127.0.0.1:61233",
* kubernetes_ca_cert=std.file(input="/path/to/cert").result,
* service_account_jwt=std.file(input="/path/to/token").result,
* disable_local_ca_jwt=False)
* rules_example = vault.kubernetes.SecretBackendRole("rules-example",
* backend=config.path,
* name="service-account-name-role",
* allowed_kubernetes_namespaces=["*"],
* token_max_ttl=43200,
* token_default_ttl=21600,
* kubernetes_role_type="Role",
* generated_role_rules="""rules:
* - apiGroups: [""]
* resources: ["pods"]
* verbs: ["list"]
* """,
* extra_labels={
* "id": "abc123",
* "name": "some_name",
* },
* extra_annotations={
* "env": "development",
* "location": "earth",
* })
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Std = Pulumi.Std;
* using Vault = Pulumi.Vault;
* return await Deployment.RunAsync(() =>
* {
* var config = new Vault.Kubernetes.SecretBackend("config", new()
* {
* Path = "kubernetes",
* Description = "kubernetes secrets engine description",
* KubernetesHost = "https://127.0.0.1:61233",
* KubernetesCaCert = Std.File.Invoke(new()
* {
* Input = "/path/to/cert",
* }).Apply(invoke => invoke.Result),
* ServiceAccountJwt = Std.File.Invoke(new()
* {
* Input = "/path/to/token",
* }).Apply(invoke => invoke.Result),
* DisableLocalCaJwt = false,
* });
* var rules_example = new Vault.Kubernetes.SecretBackendRole("rules-example", new()
* {
* Backend = config.Path,
* Name = "service-account-name-role",
* AllowedKubernetesNamespaces = new[]
* {
* "*",
* },
* TokenMaxTtl = 43200,
* TokenDefaultTtl = 21600,
* KubernetesRoleType = "Role",
* GeneratedRoleRules = @"rules:
* - apiGroups: [""""]
* resources: [""pods""]
* verbs: [""list""]
* ",
* ExtraLabels =
* {
* { "id", "abc123" },
* { "name", "some_name" },
* },
* ExtraAnnotations =
* {
* { "env", "development" },
* { "location", "earth" },
* },
* });
* });
* ```
* ```go
* package main
* import (
* "github.com/pulumi/pulumi-std/sdk/go/std"
* "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* invokeFile, err := std.File(ctx, &std.FileArgs{
* Input: "/path/to/cert",
* }, nil)
* if err != nil {
* return err
* }
* invokeFile1, err := std.File(ctx, &std.FileArgs{
* Input: "/path/to/token",
* }, nil)
* if err != nil {
* return err
* }
* config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
* Path: pulumi.String("kubernetes"),
* Description: pulumi.String("kubernetes secrets engine description"),
* KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
* KubernetesCaCert: pulumi.String(invokeFile.Result),
* ServiceAccountJwt: pulumi.String(invokeFile1.Result),
* DisableLocalCaJwt: pulumi.Bool(false),
* })
* if err != nil {
* return err
* }
* _, err = kubernetes.NewSecretBackendRole(ctx, "rules-example", &kubernetes.SecretBackendRoleArgs{
* Backend: config.Path,
* Name: pulumi.String("service-account-name-role"),
* AllowedKubernetesNamespaces: pulumi.StringArray{
* pulumi.String("*"),
* },
* TokenMaxTtl: pulumi.Int(43200),
* TokenDefaultTtl: pulumi.Int(21600),
* KubernetesRoleType: pulumi.String("Role"),
* GeneratedRoleRules: pulumi.String("rules:\n- apiGroups: [\"\"]\n resources: [\"pods\"]\n verbs: [\"list\"]\n"),
* ExtraLabels: pulumi.StringMap{
* "id": pulumi.String("abc123"),
* "name": pulumi.String("some_name"),
* },
* ExtraAnnotations: pulumi.StringMap{
* "env": pulumi.String("development"),
* "location": pulumi.String("earth"),
* },
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.vault.kubernetes.SecretBackend;
* import com.pulumi.vault.kubernetes.SecretBackendArgs;
* import com.pulumi.vault.kubernetes.SecretBackendRole;
* import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var config = new SecretBackend("config", SecretBackendArgs.builder()
* .path("kubernetes")
* .description("kubernetes secrets engine description")
* .kubernetesHost("https://127.0.0.1:61233")
* .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
* .input("/path/to/cert")
* .build()).result())
* .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
* .input("/path/to/token")
* .build()).result())
* .disableLocalCaJwt(false)
* .build());
* var rules_example = new SecretBackendRole("rules-example", SecretBackendRoleArgs.builder()
* .backend(config.path())
* .name("service-account-name-role")
* .allowedKubernetesNamespaces("*")
* .tokenMaxTtl(43200)
* .tokenDefaultTtl(21600)
* .kubernetesRoleType("Role")
* .generatedRoleRules("""
* rules:
* - apiGroups: [""]
* resources: ["pods"]
* verbs: ["list"]
* """)
* .extraLabels(Map.ofEntries(
* Map.entry("id", "abc123"),
* Map.entry("name", "some_name")
* ))
* .extraAnnotations(Map.ofEntries(
* Map.entry("env", "development"),
* Map.entry("location", "earth")
* ))
* .build());
* }
* }
* ```
* ```yaml
* resources:
* config:
* type: vault:kubernetes:SecretBackend
* properties:
* path: kubernetes
* description: kubernetes secrets engine description
* kubernetesHost: https://127.0.0.1:61233
* kubernetesCaCert:
* fn::invoke:
* Function: std:file
* Arguments:
* input: /path/to/cert
* Return: result
* serviceAccountJwt:
* fn::invoke:
* Function: std:file
* Arguments:
* input: /path/to/token
* Return: result
* disableLocalCaJwt: false
* rules-example:
* type: vault:kubernetes:SecretBackendRole
* properties:
* backend: ${config.path}
* name: service-account-name-role
* allowedKubernetesNamespaces:
* - '*'
* tokenMaxTtl: 43200
* tokenDefaultTtl: 21600
* kubernetesRoleType: Role
* generatedRoleRules: |
* rules:
* - apiGroups: [""]
* resources: ["pods"]
* verbs: ["list"]
* extraLabels:
* id: abc123
* name: some_name
* extraAnnotations:
* env: development
* location: earth
* ```
*
* ## Import
* The Kubernetes secret backend role can be imported using the full path to the role
* of the form: `/roles/` e.g.
* ```sh
* $ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
* ```
* @property allowedKubernetesNamespaceSelector A label selector for Kubernetes namespaces
* in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
* of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
* If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
* @property allowedKubernetesNamespaces The list of Kubernetes namespaces this role
* can generate credentials for. If set to `*` all namespaces are allowed. If set with
* `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
* @property backend The path of the Kubernetes Secrets Engine backend mount to create
* the role in.
* @property extraAnnotations Additional annotations to apply to all generated
* Kubernetes objects.
* @property extraLabels Additional labels to apply to all generated Kubernetes
* objects.
* This resource also directly accepts all vault.Mount fields.
* @property generatedRoleRules The Role or ClusterRole rules to use when generating
* a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name`
* and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated
* when credentials are requested.
* @property kubernetesRoleName The pre-existing Role or ClusterRole to bind a
* generated service account to. Mutually exclusive with `service_account_name` and
* `generated_role_rules`. If set, Kubernetes token, service account, and role
* binding objects will be created when credentials are requested.
* @property kubernetesRoleType Specifies whether the Kubernetes role is a Role or
* ClusterRole.
* @property name The name of the role.
* @property nameTemplate The name template to use when generating service accounts,
* roles and role bindings. If unset, a default template is used.
* @property namespace The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
* @property serviceAccountName The pre-existing service account to generate tokens for.
* Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
* Kubernetes token will be created when credentials are requested.
* @property tokenDefaultTtl The default TTL for generated Kubernetes tokens in seconds.
* @property tokenMaxTtl The maximum TTL for generated Kubernetes tokens in seconds.
*/
public data class SecretBackendRoleArgs(
public val allowedKubernetesNamespaceSelector: Output? = null,
public val allowedKubernetesNamespaces: Output>? = null,
public val backend: Output? = null,
public val extraAnnotations: Output>? = null,
public val extraLabels: Output>? = null,
public val generatedRoleRules: Output? = null,
public val kubernetesRoleName: Output? = null,
public val kubernetesRoleType: Output? = null,
public val name: Output? = null,
public val nameTemplate: Output? = null,
public val namespace: Output? = null,
public val serviceAccountName: Output? = null,
public val tokenDefaultTtl: Output? = null,
public val tokenMaxTtl: Output? = null,
) : ConvertibleToJava {
override fun toJava(): com.pulumi.vault.kubernetes.SecretBackendRoleArgs =
com.pulumi.vault.kubernetes.SecretBackendRoleArgs.builder()
.allowedKubernetesNamespaceSelector(
allowedKubernetesNamespaceSelector?.applyValue({ args0 ->
args0
}),
)
.allowedKubernetesNamespaces(
allowedKubernetesNamespaces?.applyValue({ args0 ->
args0.map({ args0 ->
args0
})
}),
)
.backend(backend?.applyValue({ args0 -> args0 }))
.extraAnnotations(
extraAnnotations?.applyValue({ args0 ->
args0.map({ args0 ->
args0.key.to(args0.value)
}).toMap()
}),
)
.extraLabels(
extraLabels?.applyValue({ args0 ->
args0.map({ args0 ->
args0.key.to(args0.value)
}).toMap()
}),
)
.generatedRoleRules(generatedRoleRules?.applyValue({ args0 -> args0 }))
.kubernetesRoleName(kubernetesRoleName?.applyValue({ args0 -> args0 }))
.kubernetesRoleType(kubernetesRoleType?.applyValue({ args0 -> args0 }))
.name(name?.applyValue({ args0 -> args0 }))
.nameTemplate(nameTemplate?.applyValue({ args0 -> args0 }))
.namespace(namespace?.applyValue({ args0 -> args0 }))
.serviceAccountName(serviceAccountName?.applyValue({ args0 -> args0 }))
.tokenDefaultTtl(tokenDefaultTtl?.applyValue({ args0 -> args0 }))
.tokenMaxTtl(tokenMaxTtl?.applyValue({ args0 -> args0 })).build()
}
/**
* Builder for [SecretBackendRoleArgs].
*/
@PulumiTagMarker
public class SecretBackendRoleArgsBuilder internal constructor() {
private var allowedKubernetesNamespaceSelector: Output? = null
private var allowedKubernetesNamespaces: Output>? = null
private var backend: Output? = null
private var extraAnnotations: Output>? = null
private var extraLabels: Output>? = null
private var generatedRoleRules: Output? = null
private var kubernetesRoleName: Output? = null
private var kubernetesRoleType: Output? = null
private var name: Output? = null
private var nameTemplate: Output? = null
private var namespace: Output? = null
private var serviceAccountName: Output? = null
private var tokenDefaultTtl: Output? = null
private var tokenMaxTtl: Output? = null
/**
* @param value A label selector for Kubernetes namespaces
* in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
* of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
* If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
*/
@JvmName("kowexnoxabyekygs")
public suspend fun allowedKubernetesNamespaceSelector(`value`: Output) {
this.allowedKubernetesNamespaceSelector = value
}
/**
* @param value The list of Kubernetes namespaces this role
* can generate credentials for. If set to `*` all namespaces are allowed. If set with
* `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
*/
@JvmName("jaiufdqjyxpwqria")
public suspend fun allowedKubernetesNamespaces(`value`: Output>) {
this.allowedKubernetesNamespaces = value
}
@JvmName("shkhygkapgqwxdrw")
public suspend fun allowedKubernetesNamespaces(vararg values: Output) {
this.allowedKubernetesNamespaces = Output.all(values.asList())
}
/**
* @param values The list of Kubernetes namespaces this role
* can generate credentials for. If set to `*` all namespaces are allowed. If set with
* `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
*/
@JvmName("etbpraaqoqbttmia")
public suspend fun allowedKubernetesNamespaces(values: List>) {
this.allowedKubernetesNamespaces = Output.all(values)
}
/**
* @param value The path of the Kubernetes Secrets Engine backend mount to create
* the role in.
*/
@JvmName("vudomyiqwinrusej")
public suspend fun backend(`value`: Output) {
this.backend = value
}
/**
* @param value Additional annotations to apply to all generated
* Kubernetes objects.
*/
@JvmName("jjjjncqjddkfaxnq")
public suspend fun extraAnnotations(`value`: Output>) {
this.extraAnnotations = value
}
/**
* @param value Additional labels to apply to all generated Kubernetes
* objects.
* This resource also directly accepts all vault.Mount fields.
*/
@JvmName("ajwruahvqrqsrmoa")
public suspend fun extraLabels(`value`: Output>) {
this.extraLabels = value
}
/**
* @param value The Role or ClusterRole rules to use when generating
* a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name`
* and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated
* when credentials are requested.
*/
@JvmName("pbqltqvfshlokrkv")
public suspend fun generatedRoleRules(`value`: Output) {
this.generatedRoleRules = value
}
/**
* @param value The pre-existing Role or ClusterRole to bind a
* generated service account to. Mutually exclusive with `service_account_name` and
* `generated_role_rules`. If set, Kubernetes token, service account, and role
* binding objects will be created when credentials are requested.
*/
@JvmName("noolvyobcxlxtotq")
public suspend fun kubernetesRoleName(`value`: Output) {
this.kubernetesRoleName = value
}
/**
* @param value Specifies whether the Kubernetes role is a Role or
* ClusterRole.
*/
@JvmName("dsyryxuvurbwfmcm")
public suspend fun kubernetesRoleType(`value`: Output) {
this.kubernetesRoleType = value
}
/**
* @param value The name of the role.
*/
@JvmName("hbvmyankgxoupusk")
public suspend fun name(`value`: Output) {
this.name = value
}
/**
* @param value The name template to use when generating service accounts,
* roles and role bindings. If unset, a default template is used.
*/
@JvmName("cykwidxmrnwxsdsx")
public suspend fun nameTemplate(`value`: Output) {
this.nameTemplate = value
}
/**
* @param value The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
@JvmName("fsxatfxtslcstkqx")
public suspend fun namespace(`value`: Output) {
this.namespace = value
}
/**
* @param value The pre-existing service account to generate tokens for.
* Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
* Kubernetes token will be created when credentials are requested.
*/
@JvmName("hxfyadofkhphkfvi")
public suspend fun serviceAccountName(`value`: Output) {
this.serviceAccountName = value
}
/**
* @param value The default TTL for generated Kubernetes tokens in seconds.
*/
@JvmName("jodhsmienanhjpby")
public suspend fun tokenDefaultTtl(`value`: Output) {
this.tokenDefaultTtl = value
}
/**
* @param value The maximum TTL for generated Kubernetes tokens in seconds.
*/
@JvmName("heabuuivuqhkgnmi")
public suspend fun tokenMaxTtl(`value`: Output) {
this.tokenMaxTtl = value
}
/**
* @param value A label selector for Kubernetes namespaces
* in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
* of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
* If set with `allowed_kubernetes_namespace`, the conditions are `OR`ed.
*/
@JvmName("esnqdaefcistdfap")
public suspend fun allowedKubernetesNamespaceSelector(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.allowedKubernetesNamespaceSelector = mapped
}
/**
* @param value The list of Kubernetes namespaces this role
* can generate credentials for. If set to `*` all namespaces are allowed. If set with
* `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
*/
@JvmName("hklujbhqwnjobhbv")
public suspend fun allowedKubernetesNamespaces(`value`: List?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.allowedKubernetesNamespaces = mapped
}
/**
* @param values The list of Kubernetes namespaces this role
* can generate credentials for. If set to `*` all namespaces are allowed. If set with
* `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
*/
@JvmName("sxecscnykgwxtyge")
public suspend fun allowedKubernetesNamespaces(vararg values: String) {
val toBeMapped = values.toList()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.allowedKubernetesNamespaces = mapped
}
/**
* @param value The path of the Kubernetes Secrets Engine backend mount to create
* the role in.
*/
@JvmName("bnnmnehtihholwre")
public suspend fun backend(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.backend = mapped
}
/**
* @param value Additional annotations to apply to all generated
* Kubernetes objects.
*/
@JvmName("bmygchwrbpkprtga")
public suspend fun extraAnnotations(`value`: Map?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.extraAnnotations = mapped
}
/**
* @param values Additional annotations to apply to all generated
* Kubernetes objects.
*/
@JvmName("xmciwbgxdjsdcbfk")
public fun extraAnnotations(vararg values: Pair) {
val toBeMapped = values.toMap()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.extraAnnotations = mapped
}
/**
* @param value Additional labels to apply to all generated Kubernetes
* objects.
* This resource also directly accepts all vault.Mount fields.
*/
@JvmName("wlllewlfeqnpdaad")
public suspend fun extraLabels(`value`: Map?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.extraLabels = mapped
}
/**
* @param values Additional labels to apply to all generated Kubernetes
* objects.
* This resource also directly accepts all vault.Mount fields.
*/
@JvmName("jqcgryvepulukyei")
public fun extraLabels(vararg values: Pair) {
val toBeMapped = values.toMap()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.extraLabels = mapped
}
/**
* @param value The Role or ClusterRole rules to use when generating
* a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name`
* and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated
* when credentials are requested.
*/
@JvmName("kfguvtqjeyqoqhhp")
public suspend fun generatedRoleRules(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.generatedRoleRules = mapped
}
/**
* @param value The pre-existing Role or ClusterRole to bind a
* generated service account to. Mutually exclusive with `service_account_name` and
* `generated_role_rules`. If set, Kubernetes token, service account, and role
* binding objects will be created when credentials are requested.
*/
@JvmName("dedhxpkwmjmnaxah")
public suspend fun kubernetesRoleName(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.kubernetesRoleName = mapped
}
/**
* @param value Specifies whether the Kubernetes role is a Role or
* ClusterRole.
*/
@JvmName("ihapebapeiqypfwv")
public suspend fun kubernetesRoleType(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.kubernetesRoleType = mapped
}
/**
* @param value The name of the role.
*/
@JvmName("sdftmfgeaneoatla")
public suspend fun name(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.name = mapped
}
/**
* @param value The name template to use when generating service accounts,
* roles and role bindings. If unset, a default template is used.
*/
@JvmName("jauxdcdehspmeghm")
public suspend fun nameTemplate(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.nameTemplate = mapped
}
/**
* @param value The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
@JvmName("cfhnoedryhxqlhhg")
public suspend fun namespace(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.namespace = mapped
}
/**
* @param value The pre-existing service account to generate tokens for.
* Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a
* Kubernetes token will be created when credentials are requested.
*/
@JvmName("xisdvbvydwaewcfn")
public suspend fun serviceAccountName(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.serviceAccountName = mapped
}
/**
* @param value The default TTL for generated Kubernetes tokens in seconds.
*/
@JvmName("ssqgqagrwmdtuemm")
public suspend fun tokenDefaultTtl(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenDefaultTtl = mapped
}
/**
* @param value The maximum TTL for generated Kubernetes tokens in seconds.
*/
@JvmName("sxjtdprrxhxvuodf")
public suspend fun tokenMaxTtl(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenMaxTtl = mapped
}
internal fun build(): SecretBackendRoleArgs = SecretBackendRoleArgs(
allowedKubernetesNamespaceSelector = allowedKubernetesNamespaceSelector,
allowedKubernetesNamespaces = allowedKubernetesNamespaces,
backend = backend,
extraAnnotations = extraAnnotations,
extraLabels = extraLabels,
generatedRoleRules = generatedRoleRules,
kubernetesRoleName = kubernetesRoleName,
kubernetesRoleType = kubernetesRoleType,
name = name,
nameTemplate = nameTemplate,
namespace = namespace,
serviceAccountName = serviceAccountName,
tokenDefaultTtl = tokenDefaultTtl,
tokenMaxTtl = tokenMaxTtl,
)
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy