Module ssh

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource SecretBackendCa

class SecretBackendCa extends CustomResource

Provides a resource to manage CA information in an SSH secret backend within Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.Mount("example", {
    type: "ssh",
});
const foo = new vault.ssh.SecretBackendCa("foo", {
    backend: example.path,
});

constructor

new SecretBackendCa(name: string, args?: SecretBackendCaArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretBackendCa resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendCaState, opts?: pulumi.CustomResourceOptions): SecretBackendCa

Get an existing SecretBackendCa resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretBackendCa

Returns true if the given object is an instance of SecretBackendCa. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string | undefined>;

The path where the SSH secret backend is mounted. Defaults to ‘ssh’

property generateSigningKey

public generateSigningKey: pulumi.Output<boolean | undefined>;

Whether Vault should generate the signing key pair internally. Defaults to true

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property privateKey

public privateKey: pulumi.Output<string>;

The private key part of the SSH CA key pair; required if generateSigningKey is false.

property publicKey

public publicKey: pulumi.Output<string>;

The public key part of the SSH CA key pair; required if generateSigningKey is false.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretBackendRole

class SecretBackendRole extends CustomResource

Provides a resource to manage roles in an SSH secret backend within Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.Mount("example", {
    type: "ssh",
});
const foo = new vault.ssh.SecretBackendRole("foo", {
    allowUserCertificates: true,
    backend: example.path,
    keyType: "ca",
});
const bar = new vault.ssh.SecretBackendRole("bar", {
    allowedUsers: "default,baz",
    backend: example.path,
    cidrList: "0.0.0.0/0",
    defaultUser: "default",
    keyType: "otp",
});
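
A review-time check over the role arguments documented on this page, run here against the two roles from the usage example. This is an added example, not code from the Pulumi provider: `RoleArgs`, `auditRole` and `auditAll` are hypothetical helpers that take plain values instead of `pulumi.Input`, `tightRole` is constructed, and the `*` wildcard for allowedUsers is Vault's "any username" value, which this page does not mention.

```typescript
// Added example: plain-value mirror of the SecretBackendRoleArgs fields checked below.
interface RoleArgs {
    keyType: string;
    allowedUsers?: string;
    defaultUser?: string;
    cidrList?: string;
    allowUserCertificates?: boolean;
    allowHostCertificates?: boolean;
    allowUserKeyIds?: boolean;
    maxTtl?: string;
}

// Split the comma-separated string fields the role uses into trimmed entries.
const splitList = (s?: string): string[] =>
    (s ?? "").split(",").map(v => v.trim()).filter(v => v.length > 0);

// One finding per setting that widens who can get a credential, where, or for how long.
function auditRole(roleName: string, r: RoleArgs): string[] {
    const out: string[] = [];
    if (splitList(r.cidrList).some(c => c === "0.0.0.0/0" || c === "::/0"))
        out.push(`${roleName}: cidrList matches every address`);
    if (splitList(r.allowedUsers).some(u => u === "*"))
        out.push(`${roleName}: allowedUsers contains the * wildcard`);
    if (r.keyType === "ca") {
        if (!r.maxTtl)
            out.push(`${roleName}: no maxTtl set on the role`);
        if (r.allowUserCertificates && r.allowHostCertificates)
            out.push(`${roleName}: one role signs both user and host certificates`);
        if (r.allowUserKeyIds)
            out.push(`${roleName}: requesters can override the certificate key ID`);
    }
    return out;
}

// The two roles from the Example Usage above, written as plain objects.
const fooRole: RoleArgs = { keyType: "ca", allowUserCertificates: true };
const barRole: RoleArgs = {
    keyType: "otp", allowedUsers: "default,baz",
    cidrList: "0.0.0.0/0", defaultUser: "default",
};
// Constructed for comparison: a CA role limited to one user with a TTL cap.
const tightRole: RoleArgs = {
    keyType: "ca", allowUserCertificates: true,
    allowedUsers: "deploy", maxTtl: "3600",
};

function auditAll(): string[] {
    return auditRole("foo", fooRole)
        .concat(auditRole("bar", barRole), auditRole("tight", tightRole));
}
```
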

constructor

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretBackendRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendRoleState, opts?: pulumi.CustomResourceOptions): SecretBackendRole

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretBackendRole

Returns true if the given object is an instance of SecretBackendRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property allowBareDomains

public allowBareDomains: pulumi.Output<boolean | undefined>;

Specifies if host certificates that are requested are allowed to use the base domains listed in allowedDomains.

property allowHostCertificates

public allowHostCertificates: pulumi.Output<boolean | undefined>;

Specifies if certificates are allowed to be signed for use as a ‘host’.

property allowSubdomains

public allowSubdomains: pulumi.Output<boolean | undefined>;

Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowedDomains.

property allowUserCertificates

public allowUserCertificates: pulumi.Output<boolean | undefined>;

Specifies if certificates are allowed to be signed for use as a ‘user’.

property allowUserKeyIds

public allowUserKeyIds: pulumi.Output<boolean | undefined>;

Specifies if users can override the key ID for a signed certificate with the keyId field.

property allowedCriticalOptions

public allowedCriticalOptions: pulumi.Output<string | undefined>;

Specifies a comma-separated list of critical options that certificates can have when signed.

property allowedDomains

public allowedDomains: pulumi.Output<string | undefined>;

The list of domains for which a client can request a host certificate.

property allowedExtensions

public allowedExtensions: pulumi.Output<string | undefined>;

Specifies a comma-separated list of extensions that certificates can have when signed.

property allowedUserKeyLengths

public allowedUserKeyLengths: pulumi.Output<{[key: string]: any} | undefined>;

Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.

property allowedUsers

public allowedUsers: pulumi.Output<string | undefined>;

Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

property backend

public backend: pulumi.Output<string>;

The path where the SSH secret backend is mounted.

property cidrList

public cidrList: pulumi.Output<string | undefined>;

The comma-separated string of CIDR blocks for which this role is applicable.

property defaultCriticalOptions

public defaultCriticalOptions: pulumi.Output<{[key: string]: any} | undefined>;

Specifies a map of critical options that certificates have when signed.

property defaultExtensions

public defaultExtensions: pulumi.Output<{[key: string]: any} | undefined>;

Specifies a map of extensions that certificates have when signed.

property defaultUser

public defaultUser: pulumi.Output<string | undefined>;

Specifies the default username for which a credential will be generated.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyIdFormat

public keyIdFormat: pulumi.Output<string | undefined>;

Specifies a custom format for the key id of a signed certificate.

property keyType

public keyType: pulumi.Output<string>;

Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.

property maxTtl

public maxTtl: pulumi.Output<string>;

Specifies the maximum Time To Live value.

property name

public name: pulumi.Output<string>;

Specifies the name of the role to create.

property ttl

public ttl: pulumi.Output<string>;

Specifies the Time To Live value.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Others

interface SecretBackendCaArgs

interface SecretBackendCaArgs

The set of arguments for constructing a SecretBackendCa resource.

property backend

backend?: pulumi.Input<string>;

The path where the SSH secret backend is mounted. Defaults to ‘ssh’

property generateSigningKey

generateSigningKey?: pulumi.Input<boolean>;

Whether Vault should generate the signing key pair internally. Defaults to true

property privateKey

privateKey?: pulumi.Input<string>;

The private key part of the SSH CA key pair; required if generateSigningKey is false.

property publicKey

publicKey?: pulumi.Input<string>;

The public key part of the SSH CA key pair; required if generateSigningKey is false.

interface SecretBackendCaState

interface SecretBackendCaState

Input properties used for looking up and filtering SecretBackendCa resources.

property backend

backend?: pulumi.Input<string>;

The path where the SSH secret backend is mounted. Defaults to ‘ssh’

property generateSigningKey

generateSigningKey?: pulumi.Input<boolean>;

Whether Vault should generate the signing key pair internally. Defaults to true

property privateKey

privateKey?: pulumi.Input<string>;

The private key part of the SSH CA key pair; required if generateSigningKey is false.

property publicKey

publicKey?: pulumi.Input<string>;

The public key part of the SSH CA key pair; required if generateSigningKey is false.

interface SecretBackendRoleArgs

interface SecretBackendRoleArgs

The set of arguments for constructing a SecretBackendRole resource.

property allowBareDomains

allowBareDomains?: pulumi.Input<boolean>;

Specifies if host certificates that are requested are allowed to use the base domains listed in allowedDomains.

property allowHostCertificates

allowHostCertificates?: pulumi.Input<boolean>;

Specifies if certificates are allowed to be signed for use as a ‘host’.

property allowSubdomains

allowSubdomains?: pulumi.Input<boolean>;

Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowedDomains.

property allowUserCertificates

allowUserCertificates?: pulumi.Input<boolean>;

Specifies if certificates are allowed to be signed for use as a ‘user’.

property allowUserKeyIds

allowUserKeyIds?: pulumi.Input<boolean>;

Specifies if users can override the key ID for a signed certificate with the keyId field.

property allowedCriticalOptions

allowedCriticalOptions?: pulumi.Input<string>;

Specifies a comma-separated list of critical options that certificates can have when signed.

property allowedDomains

allowedDomains?: pulumi.Input<string>;

The list of domains for which a client can request a host certificate.

property allowedExtensions

allowedExtensions?: pulumi.Input<string>;

Specifies a comma-separated list of extensions that certificates can have when signed.

property allowedUserKeyLengths

allowedUserKeyLengths?: pulumi.Input<{[key: string]: any}>;

Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.

property allowedUsers

allowedUsers?: pulumi.Input<string>;

Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

property backend

backend: pulumi.Input<string>;

The path where the SSH secret backend is mounted.

property cidrList

cidrList?: pulumi.Input<string>;

The comma-separated string of CIDR blocks for which this role is applicable.

property defaultCriticalOptions

defaultCriticalOptions?: pulumi.Input<{[key: string]: any}>;

Specifies a map of critical options that certificates have when signed.

property defaultExtensions

defaultExtensions?: pulumi.Input<{[key: string]: any}>;

Specifies a map of extensions that certificates have when signed.

property defaultUser

defaultUser?: pulumi.Input<string>;

Specifies the default username for which a credential will be generated.

property keyIdFormat

keyIdFormat?: pulumi.Input<string>;

Specifies a custom format for the key id of a signed certificate.

property keyType

keyType: pulumi.Input<string>;

Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.

property maxTtl

maxTtl?: pulumi.Input<string>;

Specifies the maximum Time To Live value.

property name

name?: pulumi.Input<string>;

Specifies the name of the role to create.

property ttl

ttl?: pulumi.Input<string>;

Specifies the Time To Live value.

interface SecretBackendRoleState

interface SecretBackendRoleState

Input properties used for looking up and filtering SecretBackendRole resources.

property allowBareDomains

allowBareDomains?: pulumi.Input<boolean>;

Specifies if host certificates that are requested are allowed to use the base domains listed in allowedDomains.

property allowHostCertificates

allowHostCertificates?: pulumi.Input<boolean>;

Specifies if certificates are allowed to be signed for use as a ‘host’.

property allowSubdomains

allowSubdomains?: pulumi.Input<boolean>;

Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowedDomains.

property allowUserCertificates

allowUserCertificates?: pulumi.Input<boolean>;

Specifies if certificates are allowed to be signed for use as a ‘user’.

property allowUserKeyIds

allowUserKeyIds?: pulumi.Input<boolean>;

Specifies if users can override the key ID for a signed certificate with the keyId field.

property allowedCriticalOptions

allowedCriticalOptions?: pulumi.Input<string>;

Specifies a comma-separated list of critical options that certificates can have when signed.

property allowedDomains

allowedDomains?: pulumi.Input<string>;

The list of domains for which a client can request a host certificate.

property allowedExtensions

allowedExtensions?: pulumi.Input<string>;

Specifies a comma-separated list of extensions that certificates can have when signed.

property allowedUserKeyLengths

allowedUserKeyLengths?: pulumi.Input<{[key: string]: any}>;

Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.

property allowedUsers

allowedUsers?: pulumi.Input<string>;

Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

property backend

backend?: pulumi.Input<string>;

The path where the SSH secret backend is mounted.

property cidrList

cidrList?: pulumi.Input<string>;

The comma-separated string of CIDR blocks for which this role is applicable.

property defaultCriticalOptions

defaultCriticalOptions?: pulumi.Input<{[key: string]: any}>;

Specifies a map of critical options that certificates have when signed.

property defaultExtensions

defaultExtensions?: pulumi.Input<{[key: string]: any}>;

Specifies a map of extensions that certificates have when signed.

property defaultUser

defaultUser?: pulumi.Input<string>;

Specifies the default username for which a credential will be generated.

property keyIdFormat

keyIdFormat?: pulumi.Input<string>;

Specifies a custom format for the key id of a signed certificate.

property keyType

keyType?: pulumi.Input<string>;

Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.

property maxTtl

maxTtl?: pulumi.Input<string>;

Specifies the maximum Time To Live value.

property name

name?: pulumi.Input<string>;

Specifies the name of the role to create.

property ttl

ttl?: pulumi.Input<string>;

Specifies the Time To Live value.