Module transit

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource SecretBackendKey

class SecretBackendKey extends CustomResource

Creates an Encryption Keyring on a Transit Secret Backend for Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const transit = new vault.Mount("transit", {
    defaultLeaseTtlSeconds: 3600,
    description: "Example description",
    maxLeaseTtlSeconds: 86400,
    path: "transit",
    type: "transit",
});
const key = new vault.transit.SecretBackendKey("key", {
    backend: transit.path,
});

constructor

new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretBackendKey resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendKeyState, opts?: pulumi.CustomResourceOptions): SecretBackendKey

Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretBackendKey

Returns true if the given object is an instance of SecretBackendKey. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property allowPlaintextBackup

public allowPlaintextBackup: pulumi.Output<boolean | undefined>;

Enables taking a backup of the entire keyring in plaintext format. Once set, this cannot be disabled. Refer to the Vault API documentation on key backups for more information: Backup Key.

property backend

public backend: pulumi.Output<string>;

The path the transit secret backend is mounted at, with no leading or trailing /s.

property convergentEncryption

public convergentEncryption: pulumi.Output<boolean | undefined>;

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

property deletionAllowed

public deletionAllowed: pulumi.Output<boolean | undefined>;

Specifies if the key is allowed to be deleted.

property derived

public derived: pulumi.Output<boolean | undefined>;

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

property exportable

public exportable: pulumi.Output<boolean | undefined>;

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keys

public keys: pulumi.Output<{[key: string]: any}[]>;

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key:

  • for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value, id, which is just a hash of the key’s metadata.
  • for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:

property latestVersion

public latestVersion: pulumi.Output<number>;

Latest key version available. This value is 1-indexed, so if latestVersion is 1, then the key’s information can be referenced from keys by selecting element 0.

property minAvailableVersion

public minAvailableVersion: pulumi.Output<number>;

Minimum key version available for use. If keys have been archived by increasing minDecryptionVersion, this attribute will reflect that change.

property minDecryptionVersion

public minDecryptionVersion: pulumi.Output<number | undefined>;

Minimum key version to use for decryption.

property minEncryptionVersion

public minEncryptionVersion: pulumi.Output<number | undefined>;

Minimum key version to use for encryption.

property name

public name: pulumi.Output<string>;

The name to identify this key within the backend. Must be unique within the backend.

property supportsDecryption

public supportsDecryption: pulumi.Output<boolean>;

Whether or not the key supports decryption, based on key type.

property supportsDerivation

public supportsDerivation: pulumi.Output<boolean>;

Whether or not the key supports derivation, based on key type.

property supportsEncryption

public supportsEncryption: pulumi.Output<boolean>;

Whether or not the key supports encryption, based on key type.

property supportsSigning

public supportsSigning: pulumi.Output<boolean>;

Whether or not the key supports signing, based on key type.

property type

public type: pulumi.Output<string | undefined>;

Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. Refer to the Vault documentation on transit key types for more information: Key Types.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
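The properties above carry a few constraints worth checking before a deployment: backend is a bare mount path, convergentEncryption only works with derived set to true, type must be one of the listed key types, exportable and allowPlaintextBackup cannot be undone once enabled, and keys is zero-indexed while latestVersion is 1-indexed. The following pre-flight check is an added example, not code from the pulumi-vault provider; it is plain TypeScript that runs without the Pulumi SDK, and KeyArgs, validateKeyArgs and latestKeyEntry are hypothetical names mirroring the documented arguments with plain values instead of pulumi.Input wrappers.

```typescript
// Added example (not from the pulumi-vault docs). KeyArgs is a local,
// plain-value stand-in for SecretBackendKeyArgs; the checks below follow the
// property descriptions on this page.
const SUPPORTED_TYPES: string[] = [
  "aes256-gcm96", "chacha20-poly1305", "ed25519", "ecdsa-p256", "rsa-2048", "rsa-4096",
];

interface KeyArgs {
  backend: string;            // mount path, no leading or trailing "/"
  name?: string;
  type?: string;              // defaults to aes256-gcm96 when omitted
  derived?: boolean;
  convergentEncryption?: boolean;
  exportable?: boolean;       // irreversible once set
  allowPlaintextBackup?: boolean; // irreversible once set
  deletionAllowed?: boolean;
}

interface CheckResult { errors: string[]; warnings: string[] }

function validateKeyArgs(args: KeyArgs): CheckResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  // backend: the transit mount path with no leading or trailing slash
  if (args.backend === "" || /^\/|\/$/.test(args.backend)) {
    errors.push(`backend "${args.backend}" must be a bare mount path without leading/trailing /`);
  }
  // type: only the documented transit key types are accepted
  if (args.type !== undefined && SUPPORTED_TYPES.indexOf(args.type) === -1) {
    errors.push(`type "${args.type}" is not a supported transit key type`);
  }
  // convergent encryption is only valid on a derived key
  if (args.convergentEncryption && !args.derived) {
    errors.push("convergentEncryption requires derived: true");
  }
  // irreversible flags: surface them so they are never enabled by accident
  if (args.exportable) warnings.push("exportable cannot be disabled later: private key material may leave Vault");
  if (args.allowPlaintextBackup) warnings.push("allowPlaintextBackup cannot be disabled later: keyring can be read in plaintext");
  return { errors, warnings };
}

// keys is zero-indexed while latestVersion is 1-indexed, so the newest
// entry is keys[latestVersion - 1]; out-of-range versions yield undefined.
function latestKeyEntry(keys: Record<string, unknown>[], latestVersion: number): Record<string, unknown> | undefined {
  if (Math.floor(latestVersion) !== latestVersion || latestVersion < 1 || latestVersion > keys.length) {
    return undefined;
  }
  return keys[latestVersion - 1];
}
```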

Resource SecretCacheConfig

class SecretCacheConfig extends CustomResource

Configure the cache for the Transit Secret Backend in Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const transit = new vault.Mount("transit", {
    defaultLeaseTtlSeconds: 3600,
    description: "Example description",
    maxLeaseTtlSeconds: 86400,
    path: "transit",
    type: "transit",
});
const cfg = new vault.transit.SecretCacheConfig("cfg", {
    backend: transit.path,
    size: 500,
});

constructor

new SecretCacheConfig(name: string, args: SecretCacheConfigArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretCacheConfig resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretCacheConfigState, opts?: pulumi.CustomResourceOptions): SecretCacheConfig

Get an existing SecretCacheConfig resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretCacheConfig

Returns true if the given object is an instance of SecretCacheConfig. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string>;

The path the transit secret backend is mounted at, with no leading or trailing /s.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property size

public size: pulumi.Output<number>;

The number of cache entries. 0 means unlimited.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Others

interface SecretBackendKeyArgs

interface SecretBackendKeyArgs

The set of arguments for constructing a SecretBackendKey resource.

property allowPlaintextBackup

allowPlaintextBackup?: pulumi.Input<boolean>;

Enables taking a backup of the entire keyring in plaintext format. Once set, this cannot be disabled. Refer to the Vault API documentation on key backups for more information: Backup Key.

property backend

backend: pulumi.Input<string>;

The path the transit secret backend is mounted at, with no leading or trailing /s.

property convergentEncryption

convergentEncryption?: pulumi.Input<boolean>;

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

property deletionAllowed

deletionAllowed?: pulumi.Input<boolean>;

Specifies if the key is allowed to be deleted.

property derived

derived?: pulumi.Input<boolean>;

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

property exportable

exportable?: pulumi.Input<boolean>;

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

property minDecryptionVersion

minDecryptionVersion?: pulumi.Input<number>;

Minimum key version to use for decryption.

property minEncryptionVersion

minEncryptionVersion?: pulumi.Input<number>;

Minimum key version to use for encryption.

property name

name?: pulumi.Input<string>;

The name to identify this key within the backend. Must be unique within the backend.

property type

type?: pulumi.Input<string>;

Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. Refer to the Vault documentation on transit key types for more information: Key Types.

interface SecretBackendKeyState

interface SecretBackendKeyState

Input properties used for looking up and filtering SecretBackendKey resources.

property allowPlaintextBackup

allowPlaintextBackup?: pulumi.Input<boolean>;

Enables taking a backup of the entire keyring in plaintext format. Once set, this cannot be disabled. Refer to the Vault API documentation on key backups for more information: Backup Key.

property backend

backend?: pulumi.Input<string>;

The path the transit secret backend is mounted at, with no leading or trailing /s.

property convergentEncryption

convergentEncryption?: pulumi.Input<boolean>;

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

property deletionAllowed

deletionAllowed?: pulumi.Input<boolean>;

Specifies if the key is allowed to be deleted.

property derived

derived?: pulumi.Input<boolean>;

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

property exportable

exportable?: pulumi.Input<boolean>;

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

property keys

keys?: pulumi.Input<pulumi.Input<{[key: string]: any}>[]>;

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key:

  • for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value, id, which is just a hash of the key’s metadata.
  • for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:

property latestVersion

latestVersion?: pulumi.Input<number>;

Latest key version available. This value is 1-indexed, so if latestVersion is 1, then the key’s information can be referenced from keys by selecting element 0.

property minAvailableVersion

minAvailableVersion?: pulumi.Input<number>;

Minimum key version available for use. If keys have been archived by increasing minDecryptionVersion, this attribute will reflect that change.

property minDecryptionVersion

minDecryptionVersion?: pulumi.Input<number>;

Minimum key version to use for decryption.

property minEncryptionVersion

minEncryptionVersion?: pulumi.Input<number>;

Minimum key version to use for encryption.

property name

name?: pulumi.Input<string>;

The name to identify this key within the backend. Must be unique within the backend.

property supportsDecryption

supportsDecryption?: pulumi.Input<boolean>;

Whether or not the key supports decryption, based on key type.

property supportsDerivation

supportsDerivation?: pulumi.Input<boolean>;

Whether or not the key supports derivation, based on key type.

property supportsEncryption

supportsEncryption?: pulumi.Input<boolean>;

Whether or not the key supports encryption, based on key type.

property supportsSigning

supportsSigning?: pulumi.Input<boolean>;

Whether or not the key supports signing, based on key type.

property type

type?: pulumi.Input<string>;

Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. Refer to the Vault documentation on transit key types for more information: Key Types.

interface SecretCacheConfigArgs

interface SecretCacheConfigArgs

The set of arguments for constructing a SecretCacheConfig resource.

property backend

backend: pulumi.Input<string>;

The path the transit secret backend is mounted at, with no leading or trailing /s.

property size

size: pulumi.Input<number>;

The number of cache entries. 0 means unlimited.

interface SecretCacheConfigState

interface SecretCacheConfigState

Input properties used for looking up and filtering SecretCacheConfig resources.

property backend

backend?: pulumi.Input<string>;

The path the transit secret backend is mounted at, with no leading or trailing /s.

property size

size?: pulumi.Input<number>;

The number of cache entries. 0 means unlimited.