secretBackendRole.go

// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT.
// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! ***

package pkisecret

import (
	"context"
	"reflect"

	"errors"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/internal"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// Creates a role on an PKI Secret Backend for Vault.
//
// ## Example Usage
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
//	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkiSecret"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
//				Path:                   pulumi.String("pki"),
//				Type:                   pulumi.String("pki"),
//				DefaultLeaseTtlSeconds: pulumi.Int(3600),
//				MaxLeaseTtlSeconds:     pulumi.Int(86400),
//			})
//			if err != nil {
//				return err
//			}
//			_, err = pkiSecret.NewSecretBackendRole(ctx, "role", &pkiSecret.SecretBackendRoleArgs{
//				Backend:     pki.Path,
//				Ttl:         pulumi.String("3600"),
//				AllowIpSans: pulumi.Bool(true),
//				KeyType:     pulumi.String("rsa"),
//				KeyBits:     pulumi.Int(4096),
//				AllowedDomains: pulumi.StringArray{
//					pulumi.String("example.com"),
//					pulumi.String("my.domain"),
//				},
//				AllowSubdomains: pulumi.Bool(true),
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ## Import
//
// PKI secret backend roles can be imported using the `path`, e.g.
//
// ```sh
// $ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role
// ```
type SecretBackendRole struct {
	pulumi.CustomResourceState

	// Flag to allow any name
	AllowAnyName pulumi.BoolPtrOutput `pulumi:"allowAnyName"`
	// Flag to allow certificates matching the actual domain
	AllowBareDomains pulumi.BoolPtrOutput `pulumi:"allowBareDomains"`
	// Flag to allow names containing glob patterns.
	AllowGlobDomains pulumi.BoolPtrOutput `pulumi:"allowGlobDomains"`
	// Flag to allow IP SANs
	AllowIpSans pulumi.BoolPtrOutput `pulumi:"allowIpSans"`
	// Flag to allow certificates for localhost
	AllowLocalhost pulumi.BoolPtrOutput `pulumi:"allowLocalhost"`
	// Flag to allow certificates matching subdomains
	AllowSubdomains pulumi.BoolPtrOutput `pulumi:"allowSubdomains"`
	// Flag to allow wildcard certificates.
	AllowWildcardCertificates pulumi.BoolPtrOutput `pulumi:"allowWildcardCertificates"`
	// List of allowed domains for certificates
	AllowedDomains pulumi.StringArrayOutput `pulumi:"allowedDomains"`
	// Flag, if set, `allowedDomains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedDomainsTemplate pulumi.BoolPtrOutput `pulumi:"allowedDomainsTemplate"`
	// Defines allowed custom SANs
	AllowedOtherSans pulumi.StringArrayOutput `pulumi:"allowedOtherSans"`
	// An array of allowed serial numbers to put in Subject
	AllowedSerialNumbers pulumi.StringArrayOutput `pulumi:"allowedSerialNumbers"`
	// Defines allowed URI SANs
	AllowedUriSans pulumi.StringArrayOutput `pulumi:"allowedUriSans"`
	// Flag, if set, `allowedUriSans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedUriSansTemplate pulumi.BoolOutput `pulumi:"allowedUriSansTemplate"`
	// Defines allowed User IDs
	AllowedUserIds pulumi.StringArrayOutput `pulumi:"allowedUserIds"`
	// The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
	Backend pulumi.StringOutput `pulumi:"backend"`
	// Flag to mark basic constraints valid when issuing non-CA certificates
	BasicConstraintsValidForNonCa pulumi.BoolPtrOutput `pulumi:"basicConstraintsValidForNonCa"`
	// Flag to specify certificates for client use
	ClientFlag pulumi.BoolPtrOutput `pulumi:"clientFlag"`
	// Flag to specify certificates for code signing use
	CodeSigningFlag pulumi.BoolPtrOutput `pulumi:"codeSigningFlag"`
	// The country of generated certificates
	Countries pulumi.StringArrayOutput `pulumi:"countries"`
	// Flag to specify certificates for email protection use
	EmailProtectionFlag pulumi.BoolPtrOutput `pulumi:"emailProtectionFlag"`
	// Flag to allow only valid host names
	EnforceHostnames pulumi.BoolPtrOutput `pulumi:"enforceHostnames"`
	// Specify the allowed extended key usage OIDs constraint on issued certificates
	ExtKeyUsageOids pulumi.StringArrayOutput `pulumi:"extKeyUsageOids"`
	// Specify the allowed extended key usage constraint on issued certificates
	ExtKeyUsages pulumi.StringArrayOutput `pulumi:"extKeyUsages"`
	// Flag to generate leases with certificates
	GenerateLease pulumi.BoolPtrOutput `pulumi:"generateLease"`
	// Specifies the default issuer of this request. May
	// be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
	// the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
	// overriding the role's `issuerRef` value.
	IssuerRef pulumi.StringOutput `pulumi:"issuerRef"`
	// The number of bits of generated keys
	KeyBits pulumi.IntPtrOutput `pulumi:"keyBits"`
	// The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
	// Defaults to `rsa`
	KeyType pulumi.StringPtrOutput `pulumi:"keyType"`
	// Specify the allowed key usage constraint on issued
	// certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
	// To specify no default key usage constraints, set this to an empty list `[]`.
	KeyUsages pulumi.StringArrayOutput `pulumi:"keyUsages"`
	// The locality of generated certificates
	Localities pulumi.StringArrayOutput `pulumi:"localities"`
	// The maximum lease TTL, in seconds, for the role.
	MaxTtl pulumi.StringOutput `pulumi:"maxTtl"`
	// The name to identify this role within the backend. Must be unique within the backend.
	Name pulumi.StringOutput `pulumi:"name"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// Flag to not store certificates in the storage backend
	NoStore pulumi.BoolPtrOutput `pulumi:"noStore"`
	// Specifies the duration by which to backdate the NotBefore property.
	NotBeforeDuration pulumi.StringOutput `pulumi:"notBeforeDuration"`
	// The organization unit of generated certificates
	OrganizationUnit pulumi.StringArrayOutput `pulumi:"organizationUnit"`
	// The organization of generated certificates
	Organizations pulumi.StringArrayOutput `pulumi:"organizations"`
	// (Vault 1.11+ only) A block for specifying policy identifers. The `policyIdentifier` block can be repeated, and supports the following arguments:
	PolicyIdentifier SecretBackendRolePolicyIdentifierArrayOutput `pulumi:"policyIdentifier"`
	// Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policyIdentifier` blocks instead
	PolicyIdentifiers pulumi.StringArrayOutput `pulumi:"policyIdentifiers"`
	// The postal code of generated certificates
	PostalCodes pulumi.StringArrayOutput `pulumi:"postalCodes"`
	// The province of generated certificates
	Provinces pulumi.StringArrayOutput `pulumi:"provinces"`
	// Flag to force CN usage
	RequireCn pulumi.BoolPtrOutput `pulumi:"requireCn"`
	// Flag to specify certificates for server use
	ServerFlag pulumi.BoolPtrOutput `pulumi:"serverFlag"`
	// The street address of generated certificates
	StreetAddresses pulumi.StringArrayOutput `pulumi:"streetAddresses"`
	// The TTL, in seconds, for any certificate issued against this role.
	Ttl pulumi.StringOutput `pulumi:"ttl"`
	// Flag to use the CN in the CSR
	UseCsrCommonName pulumi.BoolPtrOutput `pulumi:"useCsrCommonName"`
	// Flag to use the SANs in the CSR
	UseCsrSans pulumi.BoolPtrOutput `pulumi:"useCsrSans"`
}

// NewSecretBackendRole registers a new resource with the given unique name, arguments, and options.
func NewSecretBackendRole(ctx *pulumi.Context,
	name string, args *SecretBackendRoleArgs, opts ...pulumi.ResourceOption) (*SecretBackendRole, error) {
	if args == nil {
		return nil, errors.New("missing one or more required arguments")
	}

	if args.Backend == nil {
		return nil, errors.New("invalid value for required argument 'Backend'")
	}
	opts = internal.PkgResourceDefaultOpts(opts)
	var resource SecretBackendRole
	err := ctx.RegisterResource("vault:pkiSecret/secretBackendRole:SecretBackendRole", name, args, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// GetSecretBackendRole gets an existing SecretBackendRole resource's state with the given name, ID, and optional
// state properties that are used to uniquely qualify the lookup (nil if not required).
func GetSecretBackendRole(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *SecretBackendRoleState, opts ...pulumi.ResourceOption) (*SecretBackendRole, error) {
	var resource SecretBackendRole
	err := ctx.ReadResource("vault:pkiSecret/secretBackendRole:SecretBackendRole", name, id, state, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// Input properties used for looking up and filtering SecretBackendRole resources.
type secretBackendRoleState struct {
	// Flag to allow any name
	AllowAnyName *bool `pulumi:"allowAnyName"`
	// Flag to allow certificates matching the actual domain
	AllowBareDomains *bool `pulumi:"allowBareDomains"`
	// Flag to allow names containing glob patterns.
	AllowGlobDomains *bool `pulumi:"allowGlobDomains"`
	// Flag to allow IP SANs
	AllowIpSans *bool `pulumi:"allowIpSans"`
	// Flag to allow certificates for localhost
	AllowLocalhost *bool `pulumi:"allowLocalhost"`
	// Flag to allow certificates matching subdomains
	AllowSubdomains *bool `pulumi:"allowSubdomains"`
	// Flag to allow wildcard certificates.
	AllowWildcardCertificates *bool `pulumi:"allowWildcardCertificates"`
	// List of allowed domains for certificates
	AllowedDomains []string `pulumi:"allowedDomains"`
	// Flag, if set, `allowedDomains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedDomainsTemplate *bool `pulumi:"allowedDomainsTemplate"`
	// Defines allowed custom SANs
	AllowedOtherSans []string `pulumi:"allowedOtherSans"`
	// An array of allowed serial numbers to put in Subject
	AllowedSerialNumbers []string `pulumi:"allowedSerialNumbers"`
	// Defines allowed URI SANs
	AllowedUriSans []string `pulumi:"allowedUriSans"`
	// Flag, if set, `allowedUriSans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedUriSansTemplate *bool `pulumi:"allowedUriSansTemplate"`
	// Defines allowed User IDs
	AllowedUserIds []string `pulumi:"allowedUserIds"`
	// The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
	Backend *string `pulumi:"backend"`
	// Flag to mark basic constraints valid when issuing non-CA certificates
	BasicConstraintsValidForNonCa *bool `pulumi:"basicConstraintsValidForNonCa"`
	// Flag to specify certificates for client use
	ClientFlag *bool `pulumi:"clientFlag"`
	// Flag to specify certificates for code signing use
	CodeSigningFlag *bool `pulumi:"codeSigningFlag"`
	// The country of generated certificates
	Countries []string `pulumi:"countries"`
	// Flag to specify certificates for email protection use
	EmailProtectionFlag *bool `pulumi:"emailProtectionFlag"`
	// Flag to allow only valid host names
	EnforceHostnames *bool `pulumi:"enforceHostnames"`
	// Specify the allowed extended key usage OIDs constraint on issued certificates
	ExtKeyUsageOids []string `pulumi:"extKeyUsageOids"`
	// Specify the allowed extended key usage constraint on issued certificates
	ExtKeyUsages []string `pulumi:"extKeyUsages"`
	// Flag to generate leases with certificates
	GenerateLease *bool `pulumi:"generateLease"`
	// Specifies the default issuer of this request. May
	// be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
	// the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
	// overriding the role's `issuerRef` value.
	IssuerRef *string `pulumi:"issuerRef"`
	// The number of bits of generated keys
	KeyBits *int `pulumi:"keyBits"`
	// The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
	// Defaults to `rsa`
	KeyType *string `pulumi:"keyType"`
	// Specify the allowed key usage constraint on issued
	// certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
	// To specify no default key usage constraints, set this to an empty list `[]`.
	KeyUsages []string `pulumi:"keyUsages"`
	// The locality of generated certificates
	Localities []string `pulumi:"localities"`
	// The maximum lease TTL, in seconds, for the role.
	MaxTtl *string `pulumi:"maxTtl"`
	// The name to identify this role within the backend. Must be unique within the backend.
	Name *string `pulumi:"name"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace *string `pulumi:"namespace"`
	// Flag to not store certificates in the storage backend
	NoStore *bool `pulumi:"noStore"`
	// Specifies the duration by which to backdate the NotBefore property.
	NotBeforeDuration *string `pulumi:"notBeforeDuration"`
	// The organization unit of generated certificates
	OrganizationUnit []string `pulumi:"organizationUnit"`
	// The organization of generated certificates
	Organizations []string `pulumi:"organizations"`
	// (Vault 1.11+ only) A block for specifying policy identifers. The `policyIdentifier` block can be repeated, and supports the following arguments:
	PolicyIdentifier []SecretBackendRolePolicyIdentifier `pulumi:"policyIdentifier"`
	// Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policyIdentifier` blocks instead
	PolicyIdentifiers []string `pulumi:"policyIdentifiers"`
	// The postal code of generated certificates
	PostalCodes []string `pulumi:"postalCodes"`
	// The province of generated certificates
	Provinces []string `pulumi:"provinces"`
	// Flag to force CN usage
	RequireCn *bool `pulumi:"requireCn"`
	// Flag to specify certificates for server use
	ServerFlag *bool `pulumi:"serverFlag"`
	// The street address of generated certificates
	StreetAddresses []string `pulumi:"streetAddresses"`
	// The TTL, in seconds, for any certificate issued against this role.
	Ttl *string `pulumi:"ttl"`
	// Flag to use the CN in the CSR
	UseCsrCommonName *bool `pulumi:"useCsrCommonName"`
	// Flag to use the SANs in the CSR
	UseCsrSans *bool `pulumi:"useCsrSans"`
}

type SecretBackendRoleState struct {
	// Flag to allow any name
	AllowAnyName pulumi.BoolPtrInput
	// Flag to allow certificates matching the actual domain
	AllowBareDomains pulumi.BoolPtrInput
	// Flag to allow names containing glob patterns.
	AllowGlobDomains pulumi.BoolPtrInput
	// Flag to allow IP SANs
	AllowIpSans pulumi.BoolPtrInput
	// Flag to allow certificates for localhost
	AllowLocalhost pulumi.BoolPtrInput
	// Flag to allow certificates matching subdomains
	AllowSubdomains pulumi.BoolPtrInput
	// Flag to allow wildcard certificates.
	AllowWildcardCertificates pulumi.BoolPtrInput
	// List of allowed domains for certificates
	AllowedDomains pulumi.StringArrayInput
	// Flag, if set, `allowedDomains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedDomainsTemplate pulumi.BoolPtrInput
	// Defines allowed custom SANs
	AllowedOtherSans pulumi.StringArrayInput
	// An array of allowed serial numbers to put in Subject
	AllowedSerialNumbers pulumi.StringArrayInput
	// Defines allowed URI SANs
	AllowedUriSans pulumi.StringArrayInput
	// Flag, if set, `allowedUriSans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedUriSansTemplate pulumi.BoolPtrInput
	// Defines allowed User IDs
	AllowedUserIds pulumi.StringArrayInput
	// The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
	Backend pulumi.StringPtrInput
	// Flag to mark basic constraints valid when issuing non-CA certificates
	BasicConstraintsValidForNonCa pulumi.BoolPtrInput
	// Flag to specify certificates for client use
	ClientFlag pulumi.BoolPtrInput
	// Flag to specify certificates for code signing use
	CodeSigningFlag pulumi.BoolPtrInput
	// The country of generated certificates
	Countries pulumi.StringArrayInput
	// Flag to specify certificates for email protection use
	EmailProtectionFlag pulumi.BoolPtrInput
	// Flag to allow only valid host names
	EnforceHostnames pulumi.BoolPtrInput
	// Specify the allowed extended key usage OIDs constraint on issued certificates
	ExtKeyUsageOids pulumi.StringArrayInput
	// Specify the allowed extended key usage constraint on issued certificates
	ExtKeyUsages pulumi.StringArrayInput
	// Flag to generate leases with certificates
	GenerateLease pulumi.BoolPtrInput
	// Specifies the default issuer of this request. May
	// be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
	// the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
	// overriding the role's `issuerRef` value.
	IssuerRef pulumi.StringPtrInput
	// The number of bits of generated keys
	KeyBits pulumi.IntPtrInput
	// The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
	// Defaults to `rsa`
	KeyType pulumi.StringPtrInput
	// Specify the allowed key usage constraint on issued
	// certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
	// To specify no default key usage constraints, set this to an empty list `[]`.
	KeyUsages pulumi.StringArrayInput
	// The locality of generated certificates
	Localities pulumi.StringArrayInput
	// The maximum lease TTL, in seconds, for the role.
	MaxTtl pulumi.StringPtrInput
	// The name to identify this role within the backend. Must be unique within the backend.
	Name pulumi.StringPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Flag to not store certificates in the storage backend
	NoStore pulumi.BoolPtrInput
	// Specifies the duration by which to backdate the NotBefore property.
	NotBeforeDuration pulumi.StringPtrInput
	// The organization unit of generated certificates
	OrganizationUnit pulumi.StringArrayInput
	// The organization of generated certificates
	Organizations pulumi.StringArrayInput
	// (Vault 1.11+ only) A block for specifying policy identifers. The `policyIdentifier` block can be repeated, and supports the following arguments:
	PolicyIdentifier SecretBackendRolePolicyIdentifierArrayInput
	// Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policyIdentifier` blocks instead
	PolicyIdentifiers pulumi.StringArrayInput
	// The postal code of generated certificates
	PostalCodes pulumi.StringArrayInput
	// The province of generated certificates
	Provinces pulumi.StringArrayInput
	// Flag to force CN usage
	RequireCn pulumi.BoolPtrInput
	// Flag to specify certificates for server use
	ServerFlag pulumi.BoolPtrInput
	// The street address of generated certificates
	StreetAddresses pulumi.StringArrayInput
	// The TTL, in seconds, for any certificate issued against this role.
	Ttl pulumi.StringPtrInput
	// Flag to use the CN in the CSR
	UseCsrCommonName pulumi.BoolPtrInput
	// Flag to use the SANs in the CSR
	UseCsrSans pulumi.BoolPtrInput
}

func (SecretBackendRoleState) ElementType() reflect.Type {
	return reflect.TypeOf((*secretBackendRoleState)(nil)).Elem()
}

type secretBackendRoleArgs struct {
	// Flag to allow any name
	AllowAnyName *bool `pulumi:"allowAnyName"`
	// Flag to allow certificates matching the actual domain
	AllowBareDomains *bool `pulumi:"allowBareDomains"`
	// Flag to allow names containing glob patterns.
	AllowGlobDomains *bool `pulumi:"allowGlobDomains"`
	// Flag to allow IP SANs
	AllowIpSans *bool `pulumi:"allowIpSans"`
	// Flag to allow certificates for localhost
	AllowLocalhost *bool `pulumi:"allowLocalhost"`
	// Flag to allow certificates matching subdomains
	AllowSubdomains *bool `pulumi:"allowSubdomains"`
	// Flag to allow wildcard certificates.
	AllowWildcardCertificates *bool `pulumi:"allowWildcardCertificates"`
	// List of allowed domains for certificates
	AllowedDomains []string `pulumi:"allowedDomains"`
	// Flag, if set, `allowedDomains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedDomainsTemplate *bool `pulumi:"allowedDomainsTemplate"`
	// Defines allowed custom SANs
	AllowedOtherSans []string `pulumi:"allowedOtherSans"`
	// An array of allowed serial numbers to put in Subject
	AllowedSerialNumbers []string `pulumi:"allowedSerialNumbers"`
	// Defines allowed URI SANs
	AllowedUriSans []string `pulumi:"allowedUriSans"`
	// Flag, if set, `allowedUriSans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedUriSansTemplate *bool `pulumi:"allowedUriSansTemplate"`
	// Defines allowed User IDs
	AllowedUserIds []string `pulumi:"allowedUserIds"`
	// The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
	Backend string `pulumi:"backend"`
	// Flag to mark basic constraints valid when issuing non-CA certificates
	BasicConstraintsValidForNonCa *bool `pulumi:"basicConstraintsValidForNonCa"`
	// Flag to specify certificates for client use
	ClientFlag *bool `pulumi:"clientFlag"`
	// Flag to specify certificates for code signing use
	CodeSigningFlag *bool `pulumi:"codeSigningFlag"`
	// The country of generated certificates
	Countries []string `pulumi:"countries"`
	// Flag to specify certificates for email protection use
	EmailProtectionFlag *bool `pulumi:"emailProtectionFlag"`
	// Flag to allow only valid host names
	EnforceHostnames *bool `pulumi:"enforceHostnames"`
	// Specify the allowed extended key usage OIDs constraint on issued certificates
	ExtKeyUsageOids []string `pulumi:"extKeyUsageOids"`
	// Specify the allowed extended key usage constraint on issued certificates
	ExtKeyUsages []string `pulumi:"extKeyUsages"`
	// Flag to generate leases with certificates
	GenerateLease *bool `pulumi:"generateLease"`
	// Specifies the default issuer of this request. May
	// be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
	// the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
	// overriding the role's `issuerRef` value.
	IssuerRef *string `pulumi:"issuerRef"`
	// The number of bits of generated keys
	KeyBits *int `pulumi:"keyBits"`
	// The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
	// Defaults to `rsa`
	KeyType *string `pulumi:"keyType"`
	// Specify the allowed key usage constraint on issued
	// certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
	// To specify no default key usage constraints, set this to an empty list `[]`.
	KeyUsages []string `pulumi:"keyUsages"`
	// The locality of generated certificates
	Localities []string `pulumi:"localities"`
	// The maximum lease TTL, in seconds, for the role.
	MaxTtl *string `pulumi:"maxTtl"`
	// The name to identify this role within the backend. Must be unique within the backend.
	Name *string `pulumi:"name"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace *string `pulumi:"namespace"`
	// Flag to not store certificates in the storage backend
	NoStore *bool `pulumi:"noStore"`
	// Specifies the duration by which to backdate the NotBefore property.
	NotBeforeDuration *string `pulumi:"notBeforeDuration"`
	// The organization unit of generated certificates
	OrganizationUnit []string `pulumi:"organizationUnit"`
	// The organization of generated certificates
	Organizations []string `pulumi:"organizations"`
	// (Vault 1.11+ only) A block for specifying policy identifers. The `policyIdentifier` block can be repeated, and supports the following arguments:
	PolicyIdentifier []SecretBackendRolePolicyIdentifier `pulumi:"policyIdentifier"`
	// Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policyIdentifier` blocks instead
	PolicyIdentifiers []string `pulumi:"policyIdentifiers"`
	// The postal code of generated certificates
	PostalCodes []string `pulumi:"postalCodes"`
	// The province of generated certificates
	Provinces []string `pulumi:"provinces"`
	// Flag to force CN usage
	RequireCn *bool `pulumi:"requireCn"`
	// Flag to specify certificates for server use
	ServerFlag *bool `pulumi:"serverFlag"`
	// The street address of generated certificates
	StreetAddresses []string `pulumi:"streetAddresses"`
	// The TTL, in seconds, for any certificate issued against this role.
	Ttl *string `pulumi:"ttl"`
	// Flag to use the CN in the CSR
	UseCsrCommonName *bool `pulumi:"useCsrCommonName"`
	// Flag to use the SANs in the CSR
	UseCsrSans *bool `pulumi:"useCsrSans"`
}

// The set of arguments for constructing a SecretBackendRole resource.
type SecretBackendRoleArgs struct {
	// Flag to allow any name
	AllowAnyName pulumi.BoolPtrInput
	// Flag to allow certificates matching the actual domain
	AllowBareDomains pulumi.BoolPtrInput
	// Flag to allow names containing glob patterns.
	AllowGlobDomains pulumi.BoolPtrInput
	// Flag to allow IP SANs
	AllowIpSans pulumi.BoolPtrInput
	// Flag to allow certificates for localhost
	AllowLocalhost pulumi.BoolPtrInput
	// Flag to allow certificates matching subdomains
	AllowSubdomains pulumi.BoolPtrInput
	// Flag to allow wildcard certificates.
	AllowWildcardCertificates pulumi.BoolPtrInput
	// List of allowed domains for certificates
	AllowedDomains pulumi.StringArrayInput
	// Flag, if set, `allowedDomains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedDomainsTemplate pulumi.BoolPtrInput
	// Defines allowed custom SANs
	AllowedOtherSans pulumi.StringArrayInput
	// An array of allowed serial numbers to put in Subject
	AllowedSerialNumbers pulumi.StringArrayInput
	// Defines allowed URI SANs
	AllowedUriSans pulumi.StringArrayInput
	// Flag, if set, `allowedUriSans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
	AllowedUriSansTemplate pulumi.BoolPtrInput
	// Defines allowed User IDs
	AllowedUserIds pulumi.StringArrayInput
	// The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
	Backend pulumi.StringInput
	// Flag to mark basic constraints valid when issuing non-CA certificates
	BasicConstraintsValidForNonCa pulumi.BoolPtrInput
	// Flag to specify certificates for client use
	ClientFlag pulumi.BoolPtrInput
	// Flag to specify certificates for code signing use
	CodeSigningFlag pulumi.BoolPtrInput
	// The country of generated certificates
	Countries pulumi.StringArrayInput
	// Flag to specify certificates for email protection use
	EmailProtectionFlag pulumi.BoolPtrInput
	// Flag to allow only valid host names
	EnforceHostnames pulumi.BoolPtrInput
	// Specify the allowed extended key usage OIDs constraint on issued certificates
	ExtKeyUsageOids pulumi.StringArrayInput
	// Specify the allowed extended key usage constraint on issued certificates
	ExtKeyUsages pulumi.StringArrayInput
	// Flag to generate leases with certificates
	GenerateLease pulumi.BoolPtrInput
	// Specifies the default issuer of this request. May
	// be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
	// the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
	// overriding the role's `issuerRef` value.
	IssuerRef pulumi.StringPtrInput
	// The number of bits of generated keys
	KeyBits pulumi.IntPtrInput
	// The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
	// Defaults to `rsa`
	KeyType pulumi.StringPtrInput
	// Specify the allowed key usage constraint on issued
	// certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
	// To specify no default key usage constraints, set this to an empty list `[]`.
	KeyUsages pulumi.StringArrayInput
	// The locality of generated certificates
	Localities pulumi.StringArrayInput
	// The maximum lease TTL, in seconds, for the role.
	MaxTtl pulumi.StringPtrInput
	// The name to identify this role within the backend. Must be unique within the backend.
	Name pulumi.StringPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Flag to not store certificates in the storage backend
	NoStore pulumi.BoolPtrInput
	// Specifies the duration by which to backdate the NotBefore property.
	NotBeforeDuration pulumi.StringPtrInput
	// The organization unit of generated certificates
	OrganizationUnit pulumi.StringArrayInput
	// The organization of generated certificates
	Organizations pulumi.StringArrayInput
	// (Vault 1.11+ only) A block for specifying policy identifers. The `policyIdentifier` block can be repeated, and supports the following arguments:
	PolicyIdentifier SecretBackendRolePolicyIdentifierArrayInput
	// Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policyIdentifier` blocks instead
	PolicyIdentifiers pulumi.StringArrayInput
	// The postal code of generated certificates
	PostalCodes pulumi.StringArrayInput
	// The province of generated certificates
	Provinces pulumi.StringArrayInput
	// Flag to force CN usage
	RequireCn pulumi.BoolPtrInput
	// Flag to specify certificates for server use
	ServerFlag pulumi.BoolPtrInput
	// The street address of generated certificates
	StreetAddresses pulumi.StringArrayInput
	// The TTL, in seconds, for any certificate issued against this role.
	Ttl pulumi.StringPtrInput
	// Flag to use the CN in the CSR
	UseCsrCommonName pulumi.BoolPtrInput
	// Flag to use the SANs in the CSR
	UseCsrSans pulumi.BoolPtrInput
}

func (SecretBackendRoleArgs) ElementType() reflect.Type {
	return reflect.TypeOf((*secretBackendRoleArgs)(nil)).Elem()
}

type SecretBackendRoleInput interface {
	pulumi.Input

	ToSecretBackendRoleOutput() SecretBackendRoleOutput
	ToSecretBackendRoleOutputWithContext(ctx context.Context) SecretBackendRoleOutput
}

func (*SecretBackendRole) ElementType() reflect.Type {
	return reflect.TypeOf((**SecretBackendRole)(nil)).Elem()
}

func (i *SecretBackendRole) ToSecretBackendRoleOutput() SecretBackendRoleOutput {
	return i.ToSecretBackendRoleOutputWithContext(context.Background())
}

func (i *SecretBackendRole) ToSecretBackendRoleOutputWithContext(ctx context.Context) SecretBackendRoleOutput {
	return pulumi.ToOutputWithContext(ctx, i).(SecretBackendRoleOutput)
}

// SecretBackendRoleArrayInput is an input type that accepts SecretBackendRoleArray and SecretBackendRoleArrayOutput values.
// You can construct a concrete instance of `SecretBackendRoleArrayInput` via:
//
//	SecretBackendRoleArray{ SecretBackendRoleArgs{...} }
type SecretBackendRoleArrayInput interface {
	pulumi.Input

	ToSecretBackendRoleArrayOutput() SecretBackendRoleArrayOutput
	ToSecretBackendRoleArrayOutputWithContext(context.Context) SecretBackendRoleArrayOutput
}

type SecretBackendRoleArray []SecretBackendRoleInput

func (SecretBackendRoleArray) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*SecretBackendRole)(nil)).Elem()
}

func (i SecretBackendRoleArray) ToSecretBackendRoleArrayOutput() SecretBackendRoleArrayOutput {
	return i.ToSecretBackendRoleArrayOutputWithContext(context.Background())
}

func (i SecretBackendRoleArray) ToSecretBackendRoleArrayOutputWithContext(ctx context.Context) SecretBackendRoleArrayOutput {
	return pulumi.ToOutputWithContext(ctx, i).(SecretBackendRoleArrayOutput)
}

// SecretBackendRoleMapInput is an input type that accepts SecretBackendRoleMap and SecretBackendRoleMapOutput values.
// You can construct a concrete instance of `SecretBackendRoleMapInput` via:
//
//	SecretBackendRoleMap{ "key": SecretBackendRoleArgs{...} }
type SecretBackendRoleMapInput interface {
	pulumi.Input

	ToSecretBackendRoleMapOutput() SecretBackendRoleMapOutput
	ToSecretBackendRoleMapOutputWithContext(context.Context) SecretBackendRoleMapOutput
}

type SecretBackendRoleMap map[string]SecretBackendRoleInput

func (SecretBackendRoleMap) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*SecretBackendRole)(nil)).Elem()
}

func (i SecretBackendRoleMap) ToSecretBackendRoleMapOutput() SecretBackendRoleMapOutput {
	return i.ToSecretBackendRoleMapOutputWithContext(context.Background())
}

func (i SecretBackendRoleMap) ToSecretBackendRoleMapOutputWithContext(ctx context.Context) SecretBackendRoleMapOutput {
	return pulumi.ToOutputWithContext(ctx, i).(SecretBackendRoleMapOutput)
}

type SecretBackendRoleOutput struct{ *pulumi.OutputState }

func (SecretBackendRoleOutput) ElementType() reflect.Type {
	return reflect.TypeOf((**SecretBackendRole)(nil)).Elem()
}

func (o SecretBackendRoleOutput) ToSecretBackendRoleOutput() SecretBackendRoleOutput {
	return o
}

func (o SecretBackendRoleOutput) ToSecretBackendRoleOutputWithContext(ctx context.Context) SecretBackendRoleOutput {
	return o
}

// Flag to allow any name
func (o SecretBackendRoleOutput) AllowAnyName() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowAnyName }).(pulumi.BoolPtrOutput)
}

// Flag to allow certificates matching the actual domain
func (o SecretBackendRoleOutput) AllowBareDomains() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowBareDomains }).(pulumi.BoolPtrOutput)
}

// Flag to allow names containing glob patterns.
func (o SecretBackendRoleOutput) AllowGlobDomains() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowGlobDomains }).(pulumi.BoolPtrOutput)
}

// Flag to allow IP SANs
func (o SecretBackendRoleOutput) AllowIpSans() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowIpSans }).(pulumi.BoolPtrOutput)
}

// Flag to allow certificates for localhost
func (o SecretBackendRoleOutput) AllowLocalhost() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowLocalhost }).(pulumi.BoolPtrOutput)
}

// Flag to allow certificates matching subdomains
func (o SecretBackendRoleOutput) AllowSubdomains() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowSubdomains }).(pulumi.BoolPtrOutput)
}

// Flag to allow wildcard certificates.
func (o SecretBackendRoleOutput) AllowWildcardCertificates() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowWildcardCertificates }).(pulumi.BoolPtrOutput)
}

// List of allowed domains for certificates
func (o SecretBackendRoleOutput) AllowedDomains() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.AllowedDomains }).(pulumi.StringArrayOutput)
}

// Flag, if set, `allowedDomains` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
func (o SecretBackendRoleOutput) AllowedDomainsTemplate() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.AllowedDomainsTemplate }).(pulumi.BoolPtrOutput)
}

// Defines allowed custom SANs
func (o SecretBackendRoleOutput) AllowedOtherSans() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.AllowedOtherSans }).(pulumi.StringArrayOutput)
}

// An array of allowed serial numbers to put in Subject
func (o SecretBackendRoleOutput) AllowedSerialNumbers() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.AllowedSerialNumbers }).(pulumi.StringArrayOutput)
}

// Defines allowed URI SANs
func (o SecretBackendRoleOutput) AllowedUriSans() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.AllowedUriSans }).(pulumi.StringArrayOutput)
}

// Flag, if set, `allowedUriSans` can be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
func (o SecretBackendRoleOutput) AllowedUriSansTemplate() pulumi.BoolOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolOutput { return v.AllowedUriSansTemplate }).(pulumi.BoolOutput)
}

// Defines allowed User IDs
func (o SecretBackendRoleOutput) AllowedUserIds() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.AllowedUserIds }).(pulumi.StringArrayOutput)
}

// The path the PKI secret backend is mounted at, with no leading or trailing `/`s.
func (o SecretBackendRoleOutput) Backend() pulumi.StringOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringOutput { return v.Backend }).(pulumi.StringOutput)
}

// Flag to mark basic constraints valid when issuing non-CA certificates
func (o SecretBackendRoleOutput) BasicConstraintsValidForNonCa() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.BasicConstraintsValidForNonCa }).(pulumi.BoolPtrOutput)
}

// Flag to specify certificates for client use
func (o SecretBackendRoleOutput) ClientFlag() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.ClientFlag }).(pulumi.BoolPtrOutput)
}

// Flag to specify certificates for code signing use
func (o SecretBackendRoleOutput) CodeSigningFlag() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.CodeSigningFlag }).(pulumi.BoolPtrOutput)
}

// The country of generated certificates
func (o SecretBackendRoleOutput) Countries() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.Countries }).(pulumi.StringArrayOutput)
}

// Flag to specify certificates for email protection use
func (o SecretBackendRoleOutput) EmailProtectionFlag() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.EmailProtectionFlag }).(pulumi.BoolPtrOutput)
}

// Flag to allow only valid host names
func (o SecretBackendRoleOutput) EnforceHostnames() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.EnforceHostnames }).(pulumi.BoolPtrOutput)
}

// Specify the allowed extended key usage OIDs constraint on issued certificates
func (o SecretBackendRoleOutput) ExtKeyUsageOids() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.ExtKeyUsageOids }).(pulumi.StringArrayOutput)
}

// Specify the allowed extended key usage constraint on issued certificates
func (o SecretBackendRoleOutput) ExtKeyUsages() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.ExtKeyUsages }).(pulumi.StringArrayOutput)
}

// Flag to generate leases with certificates
func (o SecretBackendRoleOutput) GenerateLease() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.GenerateLease }).(pulumi.BoolPtrOutput)
}

// Specifies the default issuer of this request. May
// be the value `default`, a name, or an issuer ID. Use ACLs to prevent access to
// the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users
// overriding the role's `issuerRef` value.
func (o SecretBackendRoleOutput) IssuerRef() pulumi.StringOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringOutput { return v.IssuerRef }).(pulumi.StringOutput)
}

// The number of bits of generated keys
func (o SecretBackendRoleOutput) KeyBits() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.IntPtrOutput { return v.KeyBits }).(pulumi.IntPtrOutput)
}

// The generated key type, choices: `rsa`, `ec`, `ed25519`, `any`
// Defaults to `rsa`
func (o SecretBackendRoleOutput) KeyType() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringPtrOutput { return v.KeyType }).(pulumi.StringPtrOutput)
}

// Specify the allowed key usage constraint on issued
// certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"])`.
// To specify no default key usage constraints, set this to an empty list `[]`.
func (o SecretBackendRoleOutput) KeyUsages() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.KeyUsages }).(pulumi.StringArrayOutput)
}

// The locality of generated certificates
func (o SecretBackendRoleOutput) Localities() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.Localities }).(pulumi.StringArrayOutput)
}

// The maximum lease TTL, in seconds, for the role.
func (o SecretBackendRoleOutput) MaxTtl() pulumi.StringOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringOutput { return v.MaxTtl }).(pulumi.StringOutput)
}

// The name to identify this role within the backend. Must be unique within the backend.
func (o SecretBackendRoleOutput) Name() pulumi.StringOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput)
}

// The namespace to provision the resource in.
// The value should not contain leading or trailing forward slashes.
// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
// *Available only for Vault Enterprise*.
func (o SecretBackendRoleOutput) Namespace() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringPtrOutput { return v.Namespace }).(pulumi.StringPtrOutput)
}

// Flag to not store certificates in the storage backend
func (o SecretBackendRoleOutput) NoStore() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.NoStore }).(pulumi.BoolPtrOutput)
}

// Specifies the duration by which to backdate the NotBefore property.
func (o SecretBackendRoleOutput) NotBeforeDuration() pulumi.StringOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringOutput { return v.NotBeforeDuration }).(pulumi.StringOutput)
}

// The organization unit of generated certificates
func (o SecretBackendRoleOutput) OrganizationUnit() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.OrganizationUnit }).(pulumi.StringArrayOutput)
}

// The organization of generated certificates
func (o SecretBackendRoleOutput) Organizations() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.Organizations }).(pulumi.StringArrayOutput)
}

// (Vault 1.11+ only) A block for specifying policy identifers. The `policyIdentifier` block can be repeated, and supports the following arguments:
func (o SecretBackendRoleOutput) PolicyIdentifier() SecretBackendRolePolicyIdentifierArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) SecretBackendRolePolicyIdentifierArrayOutput { return v.PolicyIdentifier }).(SecretBackendRolePolicyIdentifierArrayOutput)
}

// Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policyIdentifier` blocks instead
func (o SecretBackendRoleOutput) PolicyIdentifiers() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.PolicyIdentifiers }).(pulumi.StringArrayOutput)
}

// The postal code of generated certificates
func (o SecretBackendRoleOutput) PostalCodes() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.PostalCodes }).(pulumi.StringArrayOutput)
}

// The province of generated certificates
func (o SecretBackendRoleOutput) Provinces() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.Provinces }).(pulumi.StringArrayOutput)
}

// Flag to force CN usage
func (o SecretBackendRoleOutput) RequireCn() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.RequireCn }).(pulumi.BoolPtrOutput)
}

// Flag to specify certificates for server use
func (o SecretBackendRoleOutput) ServerFlag() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.ServerFlag }).(pulumi.BoolPtrOutput)
}

// The street address of generated certificates
func (o SecretBackendRoleOutput) StreetAddresses() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringArrayOutput { return v.StreetAddresses }).(pulumi.StringArrayOutput)
}

// The TTL, in seconds, for any certificate issued against this role.
func (o SecretBackendRoleOutput) Ttl() pulumi.StringOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.StringOutput { return v.Ttl }).(pulumi.StringOutput)
}

// Flag to use the CN in the CSR
func (o SecretBackendRoleOutput) UseCsrCommonName() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.UseCsrCommonName }).(pulumi.BoolPtrOutput)
}

// Flag to use the SANs in the CSR
func (o SecretBackendRoleOutput) UseCsrSans() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *SecretBackendRole) pulumi.BoolPtrOutput { return v.UseCsrSans }).(pulumi.BoolPtrOutput)
}

type SecretBackendRoleArrayOutput struct{ *pulumi.OutputState }

func (SecretBackendRoleArrayOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*SecretBackendRole)(nil)).Elem()
}

func (o SecretBackendRoleArrayOutput) ToSecretBackendRoleArrayOutput() SecretBackendRoleArrayOutput {
	return o
}

func (o SecretBackendRoleArrayOutput) ToSecretBackendRoleArrayOutputWithContext(ctx context.Context) SecretBackendRoleArrayOutput {
	return o
}

func (o SecretBackendRoleArrayOutput) Index(i pulumi.IntInput) SecretBackendRoleOutput {
	return pulumi.All(o, i).ApplyT(func(vs []interface{}) *SecretBackendRole {
		return vs[0].([]*SecretBackendRole)[vs[1].(int)]
	}).(SecretBackendRoleOutput)
}

type SecretBackendRoleMapOutput struct{ *pulumi.OutputState }

func (SecretBackendRoleMapOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*SecretBackendRole)(nil)).Elem()
}

func (o SecretBackendRoleMapOutput) ToSecretBackendRoleMapOutput() SecretBackendRoleMapOutput {
	return o
}

func (o SecretBackendRoleMapOutput) ToSecretBackendRoleMapOutputWithContext(ctx context.Context) SecretBackendRoleMapOutput {
	return o
}

func (o SecretBackendRoleMapOutput) MapIndex(k pulumi.StringInput) SecretBackendRoleOutput {
	return pulumi.All(o, k).ApplyT(func(vs []interface{}) *SecretBackendRole {
		return vs[0].(map[string]*SecretBackendRole)[vs[1].(string)]
	}).(SecretBackendRoleOutput)
}

func init() {
	pulumi.RegisterInputType(reflect.TypeOf((*SecretBackendRoleInput)(nil)).Elem(), &SecretBackendRole{})
	pulumi.RegisterInputType(reflect.TypeOf((*SecretBackendRoleArrayInput)(nil)).Elem(), SecretBackendRoleArray{})
	pulumi.RegisterInputType(reflect.TypeOf((*SecretBackendRoleMapInput)(nil)).Elem(), SecretBackendRoleMap{})
	pulumi.RegisterOutputType(SecretBackendRoleOutput{})
	pulumi.RegisterOutputType(SecretBackendRoleArrayOutput{})
	pulumi.RegisterOutputType(SecretBackendRoleMapOutput{})
}