1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. ad
  5. SecretBackend
HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi

vault.ad.SecretBackend

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const config = new vault.ad.SecretBackend("config", {
        backend: "ad",
        binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        bindpass: "SuperSecretPassw0rd",
        url: "ldaps://ad",
        insecureTls: true,
        userdn: "CN=Users,DC=corp,DC=example,DC=net",
    });
    
    import pulumi
    import pulumi_vault as vault
    
    config = vault.ad.SecretBackend("config",
        backend="ad",
        binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        bindpass="SuperSecretPassw0rd",
        url="ldaps://ad",
        insecure_tls=True,
        userdn="CN=Users,DC=corp,DC=example,DC=net")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ad"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := ad.NewSecretBackend(ctx, "config", &ad.SecretBackendArgs{
    			Backend:     pulumi.String("ad"),
    			Binddn:      pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
    			Bindpass:    pulumi.String("SuperSecretPassw0rd"),
    			Url:         pulumi.String("ldaps://ad"),
    			InsecureTls: pulumi.Bool(true),
    			Userdn:      pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Vault.AD.SecretBackend("config", new()
        {
            Backend = "ad",
            Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
            Bindpass = "SuperSecretPassw0rd",
            Url = "ldaps://ad",
            InsecureTls = true,
            Userdn = "CN=Users,DC=corp,DC=example,DC=net",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.ad.SecretBackend;
    import com.pulumi.vault.ad.SecretBackendArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var config = new SecretBackend("config", SecretBackendArgs.builder()
                .backend("ad")
                .binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
                .bindpass("SuperSecretPassw0rd")
                .url("ldaps://ad")
                .insecureTls("true")
                .userdn("CN=Users,DC=corp,DC=example,DC=net")
                .build());
    
        }
    }
    
    resources:
      config:
        type: vault:ad:SecretBackend
        properties:
          backend: ad
          binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
          bindpass: SuperSecretPassw0rd
          url: ldaps://ad
          insecureTls: 'true'
          userdn: CN=Users,DC=corp,DC=example,DC=net
    

    Create SecretBackend Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackend(resource_name: str,
                      args: SecretBackendArgs,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackend(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      binddn: Optional[str] = None,
                      bindpass: Optional[str] = None,
                      insecure_tls: Optional[bool] = None,
                      use_token_groups: Optional[bool] = None,
                      case_sensitive_names: Optional[bool] = None,
                      certificate: Optional[str] = None,
                      client_tls_cert: Optional[str] = None,
                      client_tls_key: Optional[str] = None,
                      local: Optional[bool] = None,
                      deny_null_bind: Optional[bool] = None,
                      description: Optional[str] = None,
                      disable_remount: Optional[bool] = None,
                      discoverdn: Optional[bool] = None,
                      groupattr: Optional[str] = None,
                      groupdn: Optional[str] = None,
                      groupfilter: Optional[str] = None,
                      userdn: Optional[str] = None,
                      backend: Optional[str] = None,
                      default_lease_ttl_seconds: Optional[int] = None,
                      max_lease_ttl_seconds: Optional[int] = None,
                      max_ttl: Optional[int] = None,
                      namespace: Optional[str] = None,
                      password_policy: Optional[str] = None,
                      request_timeout: Optional[int] = None,
                      starttls: Optional[bool] = None,
                      tls_max_version: Optional[str] = None,
                      tls_min_version: Optional[str] = None,
                      ttl: Optional[int] = None,
                      upndomain: Optional[str] = None,
                      url: Optional[str] = None,
                      use_pre111_group_cn_behavior: Optional[bool] = None,
                      last_rotation_tolerance: Optional[int] = None,
                      userattr: Optional[str] = None,
                      anonymous_group_search: Optional[bool] = None)
    func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
    public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
    public SecretBackend(String name, SecretBackendArgs args)
    public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
    
    type: vault:ad:SecretBackend
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var secretBackendResource = new Vault.AD.SecretBackend("secretBackendResource", new()
    {
        Binddn = "string",
        Bindpass = "string",
        InsecureTls = false,
        UseTokenGroups = false,
        CaseSensitiveNames = false,
        Certificate = "string",
        ClientTlsCert = "string",
        ClientTlsKey = "string",
        Local = false,
        DenyNullBind = false,
        Description = "string",
        DisableRemount = false,
        Discoverdn = false,
        Groupattr = "string",
        Groupdn = "string",
        Groupfilter = "string",
        Userdn = "string",
        Backend = "string",
        DefaultLeaseTtlSeconds = 0,
        MaxLeaseTtlSeconds = 0,
        MaxTtl = 0,
        Namespace = "string",
        PasswordPolicy = "string",
        RequestTimeout = 0,
        Starttls = false,
        TlsMaxVersion = "string",
        TlsMinVersion = "string",
        Ttl = 0,
        Upndomain = "string",
        Url = "string",
        UsePre111GroupCnBehavior = false,
        LastRotationTolerance = 0,
        Userattr = "string",
        AnonymousGroupSearch = false,
    });
    
    example, err := ad.NewSecretBackend(ctx, "secretBackendResource", &ad.SecretBackendArgs{
    	Binddn:                   pulumi.String("string"),
    	Bindpass:                 pulumi.String("string"),
    	InsecureTls:              pulumi.Bool(false),
    	UseTokenGroups:           pulumi.Bool(false),
    	CaseSensitiveNames:       pulumi.Bool(false),
    	Certificate:              pulumi.String("string"),
    	ClientTlsCert:            pulumi.String("string"),
    	ClientTlsKey:             pulumi.String("string"),
    	Local:                    pulumi.Bool(false),
    	DenyNullBind:             pulumi.Bool(false),
    	Description:              pulumi.String("string"),
    	DisableRemount:           pulumi.Bool(false),
    	Discoverdn:               pulumi.Bool(false),
    	Groupattr:                pulumi.String("string"),
    	Groupdn:                  pulumi.String("string"),
    	Groupfilter:              pulumi.String("string"),
    	Userdn:                   pulumi.String("string"),
    	Backend:                  pulumi.String("string"),
    	DefaultLeaseTtlSeconds:   pulumi.Int(0),
    	MaxLeaseTtlSeconds:       pulumi.Int(0),
    	MaxTtl:                   pulumi.Int(0),
    	Namespace:                pulumi.String("string"),
    	PasswordPolicy:           pulumi.String("string"),
    	RequestTimeout:           pulumi.Int(0),
    	Starttls:                 pulumi.Bool(false),
    	TlsMaxVersion:            pulumi.String("string"),
    	TlsMinVersion:            pulumi.String("string"),
    	Ttl:                      pulumi.Int(0),
    	Upndomain:                pulumi.String("string"),
    	Url:                      pulumi.String("string"),
    	UsePre111GroupCnBehavior: pulumi.Bool(false),
    	LastRotationTolerance:    pulumi.Int(0),
    	Userattr:                 pulumi.String("string"),
    	AnonymousGroupSearch:     pulumi.Bool(false),
    })
    
    var secretBackendResource = new SecretBackend("secretBackendResource", SecretBackendArgs.builder()
        .binddn("string")
        .bindpass("string")
        .insecureTls(false)
        .useTokenGroups(false)
        .caseSensitiveNames(false)
        .certificate("string")
        .clientTlsCert("string")
        .clientTlsKey("string")
        .local(false)
        .denyNullBind(false)
        .description("string")
        .disableRemount(false)
        .discoverdn(false)
        .groupattr("string")
        .groupdn("string")
        .groupfilter("string")
        .userdn("string")
        .backend("string")
        .defaultLeaseTtlSeconds(0)
        .maxLeaseTtlSeconds(0)
        .maxTtl(0)
        .namespace("string")
        .passwordPolicy("string")
        .requestTimeout(0)
        .starttls(false)
        .tlsMaxVersion("string")
        .tlsMinVersion("string")
        .ttl(0)
        .upndomain("string")
        .url("string")
        .usePre111GroupCnBehavior(false)
        .lastRotationTolerance(0)
        .userattr("string")
        .anonymousGroupSearch(false)
        .build());
    
    secret_backend_resource = vault.ad.SecretBackend("secretBackendResource",
        binddn="string",
        bindpass="string",
        insecure_tls=False,
        use_token_groups=False,
        case_sensitive_names=False,
        certificate="string",
        client_tls_cert="string",
        client_tls_key="string",
        local=False,
        deny_null_bind=False,
        description="string",
        disable_remount=False,
        discoverdn=False,
        groupattr="string",
        groupdn="string",
        groupfilter="string",
        userdn="string",
        backend="string",
        default_lease_ttl_seconds=0,
        max_lease_ttl_seconds=0,
        max_ttl=0,
        namespace="string",
        password_policy="string",
        request_timeout=0,
        starttls=False,
        tls_max_version="string",
        tls_min_version="string",
        ttl=0,
        upndomain="string",
        url="string",
        use_pre111_group_cn_behavior=False,
        last_rotation_tolerance=0,
        userattr="string",
        anonymous_group_search=False)
    
    const secretBackendResource = new vault.ad.SecretBackend("secretBackendResource", {
        binddn: "string",
        bindpass: "string",
        insecureTls: false,
        useTokenGroups: false,
        caseSensitiveNames: false,
        certificate: "string",
        clientTlsCert: "string",
        clientTlsKey: "string",
        local: false,
        denyNullBind: false,
        description: "string",
        disableRemount: false,
        discoverdn: false,
        groupattr: "string",
        groupdn: "string",
        groupfilter: "string",
        userdn: "string",
        backend: "string",
        defaultLeaseTtlSeconds: 0,
        maxLeaseTtlSeconds: 0,
        maxTtl: 0,
        namespace: "string",
        passwordPolicy: "string",
        requestTimeout: 0,
        starttls: false,
        tlsMaxVersion: "string",
        tlsMinVersion: "string",
        ttl: 0,
        upndomain: "string",
        url: "string",
        usePre111GroupCnBehavior: false,
        lastRotationTolerance: 0,
        userattr: "string",
        anonymousGroupSearch: false,
    });
    
    type: vault:ad:SecretBackend
    properties:
        anonymousGroupSearch: false
        backend: string
        binddn: string
        bindpass: string
        caseSensitiveNames: false
        certificate: string
        clientTlsCert: string
        clientTlsKey: string
        defaultLeaseTtlSeconds: 0
        denyNullBind: false
        description: string
        disableRemount: false
        discoverdn: false
        groupattr: string
        groupdn: string
        groupfilter: string
        insecureTls: false
        lastRotationTolerance: 0
        local: false
        maxLeaseTtlSeconds: 0
        maxTtl: 0
        namespace: string
        passwordPolicy: string
        requestTimeout: 0
        starttls: false
        tlsMaxVersion: string
        tlsMinVersion: string
        ttl: 0
        upndomain: string
        url: string
        usePre111GroupCnBehavior: false
        useTokenGroups: false
        userattr: string
        userdn: string
    

    SecretBackend Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretBackend resource accepts the following input properties:

    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    AnonymousGroupSearch bool
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    Backend string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    CaseSensitiveNames bool
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DenyNullBind bool
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    Discoverdn bool
    Use anonymous bind to discover the bind Distinguished Name of a user.
    Groupattr string
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    Groupdn string
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    Groupfilter string
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    LastRotationTolerance int
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    MaxTtl int
    In seconds, the maximum password time-to-live.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    TlsMaxVersion string
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    TlsMinVersion string
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    Ttl int
    In seconds, the default password time-to-live.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    UsePre111GroupCnBehavior bool
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    UseTokenGroups bool
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    AnonymousGroupSearch bool
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    Backend string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    CaseSensitiveNames bool
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DenyNullBind bool
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    Discoverdn bool
    Use anonymous bind to discover the bind Distinguished Name of a user.
    Groupattr string
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    Groupdn string
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    Groupfilter string
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    LastRotationTolerance int
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    MaxTtl int
    In seconds, the maximum password time-to-live.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    TlsMaxVersion string
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    TlsMinVersion string
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    Ttl int
    In seconds, the default password time-to-live.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    UsePre111GroupCnBehavior bool
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    UseTokenGroups bool
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    anonymousGroupSearch Boolean
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    caseSensitiveNames Boolean
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    defaultLeaseTtlSeconds Integer
    Default lease duration for secrets in seconds.
    denyNullBind Boolean
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn Boolean
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr String
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn String
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter String
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    lastRotationTolerance Integer
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Integer
    Maximum possible lease duration for secrets in seconds.
    maxTtl Integer
    In seconds, the maximum password time-to-live.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    requestTimeout Integer
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    tlsMaxVersion String
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tlsMinVersion String
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl Integer
    In seconds, the default password time-to-live.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    usePre111GroupCnBehavior Boolean
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    useTokenGroups Boolean
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn string
    Distinguished name of object to bind when performing user and group search.
    bindpass string
    Password to use along with binddn when performing user search.
    anonymousGroupSearch boolean
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    caseSensitiveNames boolean
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    defaultLeaseTtlSeconds number
    Default lease duration for secrets in seconds.
    denyNullBind boolean
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description string
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn boolean
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr string
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn string
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter string
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecureTls boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    lastRotationTolerance number
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds number
    Maximum possible lease duration for secrets in seconds.
    maxTtl number
    In seconds, the maximum password time-to-live.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    passwordPolicy string
    Name of the password policy to use to generate passwords.
    requestTimeout number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls boolean
    Issue a StartTLS command after establishing unencrypted connection.
    tlsMaxVersion string
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tlsMinVersion string
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl number
    In seconds, the default password time-to-live.
    upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    usePre111GroupCnBehavior boolean
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    useTokenGroups boolean
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr string
    Attribute used when searching users. Defaults to cn.
    userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn str
    Distinguished name of object to bind when performing user and group search.
    bindpass str
    Password to use along with binddn when performing user search.
    anonymous_group_search bool
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend str
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    case_sensitive_names bool
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate str
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    client_tls_cert str
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    client_tls_key str
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    default_lease_ttl_seconds int
    Default lease duration for secrets in seconds.
    deny_null_bind bool
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description str
    Human-friendly description of the mount for the Active Directory backend.
    disable_remount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn bool
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr str
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn str
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter str
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecure_tls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    last_rotation_tolerance int
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    max_lease_ttl_seconds int
    Maximum possible lease duration for secrets in seconds.
    max_ttl int
    In seconds, the maximum password time-to-live.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    password_policy str
    Name of the password policy to use to generate passwords.
    request_timeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    tls_max_version str
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tls_min_version str
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl int
    In seconds, the default password time-to-live.
    upndomain str
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url str
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    use_pre111_group_cn_behavior bool
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    use_token_groups bool
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr str
    Attribute used when searching users. Defaults to cn.
    userdn str
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    anonymousGroupSearch Boolean
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    caseSensitiveNames Boolean
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    defaultLeaseTtlSeconds Number
    Default lease duration for secrets in seconds.
    denyNullBind Boolean
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn Boolean
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr String
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn String
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter String
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    lastRotationTolerance Number
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Number
    Maximum possible lease duration for secrets in seconds.
    maxTtl Number
    In seconds, the maximum password time-to-live.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    requestTimeout Number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    tlsMaxVersion String
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tlsMinVersion String
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl Number
    In seconds, the default password time-to-live.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    usePre111GroupCnBehavior Boolean
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    useTokenGroups Boolean
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackend Resource

    Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            anonymous_group_search: Optional[bool] = None,
            backend: Optional[str] = None,
            binddn: Optional[str] = None,
            bindpass: Optional[str] = None,
            case_sensitive_names: Optional[bool] = None,
            certificate: Optional[str] = None,
            client_tls_cert: Optional[str] = None,
            client_tls_key: Optional[str] = None,
            default_lease_ttl_seconds: Optional[int] = None,
            deny_null_bind: Optional[bool] = None,
            description: Optional[str] = None,
            disable_remount: Optional[bool] = None,
            discoverdn: Optional[bool] = None,
            groupattr: Optional[str] = None,
            groupdn: Optional[str] = None,
            groupfilter: Optional[str] = None,
            insecure_tls: Optional[bool] = None,
            last_rotation_tolerance: Optional[int] = None,
            local: Optional[bool] = None,
            max_lease_ttl_seconds: Optional[int] = None,
            max_ttl: Optional[int] = None,
            namespace: Optional[str] = None,
            password_policy: Optional[str] = None,
            request_timeout: Optional[int] = None,
            starttls: Optional[bool] = None,
            tls_max_version: Optional[str] = None,
            tls_min_version: Optional[str] = None,
            ttl: Optional[int] = None,
            upndomain: Optional[str] = None,
            url: Optional[str] = None,
            use_pre111_group_cn_behavior: Optional[bool] = None,
            use_token_groups: Optional[bool] = None,
            userattr: Optional[str] = None,
            userdn: Optional[str] = None) -> SecretBackend
    func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
    public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
    public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AnonymousGroupSearch bool
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    Backend string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    CaseSensitiveNames bool
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DenyNullBind bool
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    Discoverdn bool
    Use anonymous bind to discover the bind Distinguished Name of a user.
    Groupattr string
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    Groupdn string
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    Groupfilter string
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    LastRotationTolerance int
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    MaxTtl int
    In seconds, the maximum password time-to-live.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    TlsMaxVersion string
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    TlsMinVersion string
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    Ttl int
    In seconds, the default password time-to-live.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    UsePre111GroupCnBehavior bool
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    UseTokenGroups bool
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    AnonymousGroupSearch bool
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    Backend string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    CaseSensitiveNames bool
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DenyNullBind bool
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    Discoverdn bool
    Use anonymous bind to discover the bind Distinguished Name of a user.
    Groupattr string
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    Groupdn string
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    Groupfilter string
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    LastRotationTolerance int
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    MaxTtl int
    In seconds, the maximum password time-to-live.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    TlsMaxVersion string
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    TlsMinVersion string
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    Ttl int
    In seconds, the default password time-to-live.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    UsePre111GroupCnBehavior bool
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    UseTokenGroups bool
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    anonymousGroupSearch Boolean
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    caseSensitiveNames Boolean
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    defaultLeaseTtlSeconds Integer
    Default lease duration for secrets in seconds.
    denyNullBind Boolean
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn Boolean
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr String
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn String
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter String
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    lastRotationTolerance Integer
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Integer
    Maximum possible lease duration for secrets in seconds.
    maxTtl Integer
    In seconds, the maximum password time-to-live.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    requestTimeout Integer
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    tlsMaxVersion String
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tlsMinVersion String
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl Integer
    In seconds, the default password time-to-live.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    usePre111GroupCnBehavior Boolean
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    useTokenGroups Boolean
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    anonymousGroupSearch boolean
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    binddn string
    Distinguished name of object to bind when performing user and group search.
    bindpass string
    Password to use along with binddn when performing user search.
    caseSensitiveNames boolean
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    defaultLeaseTtlSeconds number
    Default lease duration for secrets in seconds.
    denyNullBind boolean
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description string
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn boolean
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr string
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn string
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter string
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecureTls boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    lastRotationTolerance number
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds number
    Maximum possible lease duration for secrets in seconds.
    maxTtl number
    In seconds, the maximum password time-to-live.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    passwordPolicy string
    Name of the password policy to use to generate passwords.
    requestTimeout number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls boolean
    Issue a StartTLS command after establishing unencrypted connection.
    tlsMaxVersion string
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tlsMinVersion string
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl number
    In seconds, the default password time-to-live.
    upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    usePre111GroupCnBehavior boolean
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    useTokenGroups boolean
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr string
    Attribute used when searching users. Defaults to cn.
    userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    anonymous_group_search bool
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend str
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    binddn str
    Distinguished name of object to bind when performing user and group search.
    bindpass str
    Password to use along with binddn when performing user search.
    case_sensitive_names bool
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate str
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    client_tls_cert str
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    client_tls_key str
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    default_lease_ttl_seconds int
    Default lease duration for secrets in seconds.
    deny_null_bind bool
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description str
    Human-friendly description of the mount for the Active Directory backend.
    disable_remount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn bool
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr str
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn str
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter str
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecure_tls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    last_rotation_tolerance int
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    max_lease_ttl_seconds int
    Maximum possible lease duration for secrets in seconds.
    max_ttl int
    In seconds, the maximum password time-to-live.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    password_policy str
    Name of the password policy to use to generate passwords.
    request_timeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    tls_max_version str
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tls_min_version str
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl int
    In seconds, the default password time-to-live.
    upndomain str
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url str
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    use_pre111_group_cn_behavior bool
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    use_token_groups bool
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr str
    Attribute used when searching users. Defaults to cn.
    userdn str
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    anonymousGroupSearch Boolean
    Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
    backend String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    caseSensitiveNames Boolean
    If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    defaultLeaseTtlSeconds Number
    Default lease duration for secrets in seconds.
    denyNullBind Boolean
    Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    discoverdn Boolean
    Use anonymous bind to discover the bind Distinguished Name of a user.
    groupattr String
    LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
    groupdn String
    LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
    groupfilter String
    Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    lastRotationTolerance Number
    The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Number
    Maximum possible lease duration for secrets in seconds.
    maxTtl Number
    In seconds, the maximum password time-to-live.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    requestTimeout Number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    tlsMaxVersion String
    Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    tlsMinVersion String
    Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
    ttl Number
    In seconds, the default password time-to-live.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    usePre111GroupCnBehavior Boolean
    In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
    useTokenGroups Boolean
    If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

    Import

    AD secret backend can be imported using the backend, e.g.

    $ pulumi import vault:ad/secretBackend:SecretBackend ad ad
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi