Update documentation
lawliet89 committed Aug 5, 2019
1 parent 4fc7338 commit 017e08d
Showing 11 changed files with 621 additions and 146 deletions.
57 changes: 50 additions & 7 deletions website/docs/d/kubernetes_auth_backend_role.md
Expand Up @@ -3,7 +3,7 @@ layout: "vault"
page_title: "Vault: vault_kubernetes_auth_backend_role data source"
sidebar_current: "docs-vault-datasource-kubernetes-auth-backend-role"
description: |-
Manages Kubernetes auth backend roles in Vault.
Reads Kubernetes auth backend roles in Vault.
---

# vault\_kubernetes\_auth\_backend\_role
Expand Down Expand Up @@ -38,18 +38,61 @@ The following arguments are supported:

In addition to the above arguments, the following attributes are exported:

* `bound_cirs` - List of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.
* `bound_cirs` (Deprecated; use `token_bound_cidrs` instead) - List of CIDR blocks. If set,
specifies the blocks of IP addresses which can perform the login operation.

* `bound_service_account_names` - List of service account names able to access this role. If set to "*" all names are allowed, both this and bound_service_account_namespaces can not be "*".

* `bound_service_account_namespaces` - List of namespaces allowed to access this role. If set to "*" all namespaces are allowed, both this and bound_service_account_names can not be set to "*".

* `ttl` - The TTL period of tokens issued using this role in seconds.
* `ttl` (Deprecated; use `token_ttl` instead) - The TTL period of tokens issued using this
role in seconds.

* `max_ttl` - The maximum allowed lifetime of tokens issued in seconds using this role.
* `max_ttl` (Deprecated; use `token_max_ttl` instead) - The maximum allowed lifetime of
tokens issued in seconds using this role.

* `num_uses` - Number of times issued tokens can be used. Setting this to 0 or leaving it unset means unlimited uses.
* `num_uses` (Deprecated' use `token_num_uses` instead) - Number of times issued tokens can
be used. Setting this to 0 or leaving it unset means unlimited uses.

* `period` - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this parameter.
* `period` (Deprecated; use `token_period` instead) - If set, indicates that the token
generated using this role should never expire. The token should be renewed within the
duration specified by this value. At each renewal, the token's TTL will be set to the value
of this parameter.

* `policies` - Policies to be set on tokens issued using this role.
* `policies` (Deprecated; use `token_policies` instead) - Policies to be set on tokens issued
using this role.

### Common Token Attributes

These attributes are common across several Authentication Token resources since Vault 1.2.

* `token_ttl` - The incremental lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_max_ttl` - The maximum lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_policies` - List of policies to encode onto generated tokens. Depending
on the auth method, this list may be supplemented by user/group/other values.

* `token_bound_cidrs` - List of CIDR blocks; if set, specifies blocks of IP
addresses which can authenticate successfully, and ties the resulting token to these blocks
as well.

* `token_explicit_max_ttl` - If set, will encode an
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
`token_max_ttl` would otherwise allow a renewal.

* `token_no_default_policy` - If set, the default policy will not be set on
generated tokens; otherwise it will be added to the policies set in token_policies.

* `token_num_uses` - The
[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
if any, in number of seconds to set on the token.

* `token_type` - The type of token that should be generated. Can be `service`,
`batch`, or `default` to use the mount's tuned default (which unless changed will be
`service` tokens). For token store roles, there are two additional possibilities:
`default-service` and `default-batch` which specify the type to return unless the client
requests a different type at generation time.
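
Review bot: The `token_num_uses` entry at the end of Common Token Attributes carries the wrong description. It reads "The [period] ..., if any, in number of seconds to set on the token", which describes a renewal period, not a use count. The deprecated `num_uses` and `period` entries earlier in this hunk send readers to `token_num_uses` and `token_period`, yet `token_period` has no bullet in this list. Suggest reusing the use-count wording from `num_uses` ("Number of times issued tokens can be used. Setting this to 0 or leaving it unset means unlimited uses.") for `token_num_uses` and adding a separate `token_period` bullet that carries the period text. Two smaller points in the same hunk: "(Deprecated' use `token_num_uses` instead)" has an apostrophe where the sibling entries use a semicolon, and `bound_cirs` looks like a misspelling given that its replacement is `token_bound_cidrs`, so the name is worth confirming against the schema before documenting it twice.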
74 changes: 54 additions & 20 deletions website/docs/r/approle_auth_backend_role.html.md
Expand Up @@ -20,9 +20,9 @@ resource "vault_auth_backend" "approle" {
}
resource "vault_approle_auth_backend_role" "example" {
backend = "${vault_auth_backend.approle.path}"
role_name = "test-role"
policies = ["default", "dev", "prod"]
backend = vault_auth_backend.approle.path
role_name = "test-role"
token_policies = ["default", "dev", "prod"]
}
```

Expand All @@ -38,11 +38,8 @@ The following arguments are supported:
* `bind_secret_id` - (Optional) Whether or not to require `secret_id` to be
presented when logging in using this AppRole. Defaults to `true`.

* `bound_cidr_list` - (Optional) If set, specifies blocks of IP addresses which
can perform the login operation.

* `policies` - (Optional) An array of strings specifying the policies to be set
on tokens issued using this role.
* `secret_id_bound_cidrs` - (Optional) If set,
specifies blocks of IP addresses which can perform the login operation.

* `secret_id_num_uses` - (Optional) The number of times any particular SecretID
can be used to fetch a token from this AppRole, after which the SecretID will
Expand All @@ -51,24 +48,61 @@ The following arguments are supported:
* `secret_id_ttl` - (Optional) The number of seconds after which any SecretID
expires.

* `token_num_uses` - (Optional) The number of times issued tokens can be used.
A value of 0 means unlimited uses.
* `backend` - (Optional) The unique name of the auth backend to configure.
Defaults to `approle`.

### Common Token Arguments

These arguments are common across several Authentication Token resources since Vault 1.2.

* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending
on the auth method, this list may be supplemented by user/group/other values.

* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP
addresses which can authenticate successfully, and ties the resulting token to these blocks
as well.

* `token_ttl` - (Optional) The TTL period of tokens issued using this role,
provided as a number of seconds.
* `token_explicit_max_ttl` - (Optional) If set, will encode an
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
`token_max_ttl` would otherwise allow a renewal.

* `token_max_ttl` - (Optional) The maximum allowed lifetime of tokens issued
using this role, provided as a number of seconds.
* `token_no_default_policy` - (Optional) If set, the default policy will not be set on
generated tokens; otherwise it will be added to the policies set in token_policies.

* `period` - (Optional) If set, indicates that the token generated using this
role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
* `token_num_uses` - (Optional) The
[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
if any, in number of seconds to set on the token.

* `token_type` - (Optional) The type of token that should be generated. Can be `service`,
`batch`, or `default` to use the mount's tuned default (which unless changed will be
`service` tokens). For token store roles, there are two additional possibilities:
`default-service` and `default-batch` which specify the type to return unless the client
requests a different type at generation time.

### Deprecated Arguments

* `bound_cidr_list` - (Optional; Deprecated, use `secret_id_bound_cidrs` instead) If set,
specifies blocks of IP addresses which can perform the login operation.

These arguments are deprecated since Vault 1.2 in favour of the common token arguments
documented above.

* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings
specifying the policies to be set on tokens issued using this role.

* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the
token generated using this role should never expire. The token should be renewed within the
duration specified by this value. At each renewal, the token's TTL will be set to the
value of this field. The maximum allowed lifetime of token issued using this
role. Specified as a number of seconds.

* `backend` - (Optional) The unique name of the auth backend to configure.
Defaults to `approle`.

## Attributes Reference

No additional attributes are exported by this resource.
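
Review bot: In the new Deprecated Arguments section the `bound_cidr_list` bullet sits above the sentence "These arguments are deprecated since Vault 1.2 in favour of the common token arguments documented above", and its replacement `secret_id_bound_cidrs` is not one of the common token arguments, so the section reads inconsistently. Suggest placing the intro sentence directly under the heading and listing `bound_cidr_list` afterwards as a plain rename. This hunk also drops the previous `token_num_uses` text ("The number of times issued tokens can be used. A value of 0 means unlimited uses.") and the replacement bullet describes a period in seconds instead. A use limit is a control people rely on, so the use-count wording should be kept, and `token_period`, which the deprecated `period` entry points to, needs its own bullet. The `period` entry also still ends with "The maximum allowed lifetime of token issued using this role. Specified as a number of seconds.", which does not describe a period and should be removed while the entry is being edited.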
78 changes: 59 additions & 19 deletions website/docs/r/aws_auth_backend_role.html.md
Expand Up @@ -22,7 +22,7 @@ resource "vault_auth_backend" "aws" {
}
resource "vault_aws_auth_backend_role" "example" {
backend = "${vault_auth_backend.aws.path}"
backend = vault_auth_backend.aws.path
role = "test-role"
auth_type = "iam"
bound_ami_ids = ["ami-8c1be5f6"]
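
Review bot: The `backend` line in this example moves from "${vault_auth_backend.aws.path}" to the bare reference `vault_auth_backend.aws.path`, a syntax change unrelated to the token argument rename, and the bare form is only accepted by Terraform 0.12 and later. Either keep the interpolated form so the example still works for users on older Terraform, or state the minimum Terraform version next to the example.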
Expand All @@ -33,9 +33,9 @@ resource "vault_aws_auth_backend_role" "example" {
bound_iam_instance_profile_arns = ["arn:aws:iam::123456789012:instance-profile/MyProfile"]
inferred_entity_type = "ec2_instance"
inferred_aws_region = "us-east-1"
ttl = 60
max_ttl = 120
policies = ["default", "dev", "prod"]
token_ttl = 60
token_max_ttl = 120
token_policies = ["default", "dev", "prod"]
}
```

Expand Down Expand Up @@ -118,28 +118,68 @@ The following arguments are supported:
principals of the same name. Defaults to `true`.
Once set to `true`, this cannot be changed to `false` without recreating the role.

* `ttl` - (Optional) The TTL period of tokens issued using this role, provided
as a number of seconds.

* `max_ttl` - (Optional) The maximum allowed lifetime of tokens issued using
this role, provided as a number of seconds.

* `period` - (Optional) If set, indicates that the token generated using this
role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this field. The maximum allowed lifetime of token issued using this
role. Specified as a number of seconds.

* `policies` - (Optional) An array of strings specifying the policies to be set
on tokens issued using this role.

* `allow_instance_migration` - (Optional) If set to `true`, allows migration of
the underlying instance where the client resides.

* `disallow_reauthentication` - (Optional) IF set to `true`, only allows a
single token to be granted per instance ID. This can only be set when
`auth_type` is set to `ec2`.

### Common Token Arguments

These arguments are common across several Authentication Token resources since Vault 1.2.

* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending
on the auth method, this list may be supplemented by user/group/other values.

* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP
addresses which can authenticate successfully, and ties the resulting token to these blocks
as well.

* `token_explicit_max_ttl` - (Optional) If set, will encode an
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
`token_max_ttl` would otherwise allow a renewal.

* `token_no_default_policy` - (Optional) If set, the default policy will not be set on
generated tokens; otherwise it will be added to the policies set in token_policies.

* `token_num_uses` - (Optional) The
[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
if any, in number of seconds to set on the token.

* `token_type` - (Optional) The type of token that should be generated. Can be `service`,
`batch`, or `default` to use the mount's tuned default (which unless changed will be
`service` tokens). For token store roles, there are two additional possibilities:
`default-service` and `default-batch` which specify the type to return unless the client
requests a different type at generation time.

### Deprecated Arguments

These arguments are deprecated since Vault 1.2 in favour of the common token arguments
documented above.

* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued
using this role, provided as a number of seconds.

* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens
issued using this role, provided as a number of seconds.

* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings
specifying the policies to be set on tokens issued using this role.

* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the
token generated using this role should never expire. The token should be renewed within the
duration specified by this value. At each renewal, the token's TTL will be set to the
value of this field. The maximum allowed lifetime of token issued using this
role. Specified as a number of seconds.

## Attributes Reference

No additional attributes are exported by this resource.
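
Review bot: The deprecated `period` entry tells readers to use `token_period`, but Common Token Arguments documents no `token_period`; the period description ("The [period] ..., if any, in number of seconds to set on the token") is attached to `token_num_uses` instead. Please add a `token_period` bullet with that text and give `token_num_uses` a use-count description, otherwise someone migrating a role could set a number of seconds where a number of uses is expected. In Deprecated Arguments, "isntead" in the `ttl` entry should be "instead", and the `period` text still ends with the sentence "The maximum allowed lifetime of token issued using this role. Specified as a number of seconds.", which matches the `max_ttl` wording rather than `period`. The unchanged context line "IF set to `true`" under `disallow_reauthentication` could be fixed to "If" in the same pass.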
67 changes: 53 additions & 14 deletions website/docs/r/azure_auth_backend_role.html.md
Expand Up @@ -26,9 +26,9 @@ resource "vault_azure_auth_backend_role" "example" {
role = "test-role"
bound_subscription_ids = ["11111111-2222-3333-4444-555555555555"]
bound_resource_groups = ["123456789012"]
ttl = 60
max_ttl = 120
policies = ["default", "dev", "prod"]
token_ttl = 60
token_max_ttl = 120
token_policies = ["default", "dev", "prod"]
}
```

Expand Down Expand Up @@ -62,21 +62,60 @@ The following arguments are supported:
machines that can perform the login operation that they must match the scale set
specified by this field.

* `ttl` - (Optional) The TTL period of tokens issued using this role, provided
as a number of seconds.
### Common Token Arguments

* `max_ttl` - (Optional) The maximum allowed lifetime of tokens issued using
this role, provided as a number of seconds.
These arguments are common across several Authentication Token resources since Vault 1.2.

* `period` - (Optional) If set, indicates that the token generated using this
role should never expire. The token should be renewed within the duration
specified by this value. At each renewal, the token's TTL will be set to the
value of this field. The maximum allowed lifetime of token issued using this
role. Specified as a number of seconds.
* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds.
Its current value will be referenced at renewal time.

* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending
on the auth method, this list may be supplemented by user/group/other values.

* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP
addresses which can authenticate successfully, and ties the resulting token to these blocks
as well.

* `token_explicit_max_ttl` - (Optional) If set, will encode an
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
`token_max_ttl` would otherwise allow a renewal.

* `token_no_default_policy` - (Optional) If set, the default policy will not be set on
generated tokens; otherwise it will be added to the policies set in token_policies.

* `token_num_uses` - (Optional) The
[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
if any, in number of seconds to set on the token.

* `policies` - (Optional) An array of strings specifying the policies to be set
on tokens issued using this role.
* `token_type` - (Optional) The type of token that should be generated. Can be `service`,
`batch`, or `default` to use the mount's tuned default (which unless changed will be
`service` tokens). For token store roles, there are two additional possibilities:
`default-service` and `default-batch` which specify the type to return unless the client
requests a different type at generation time.

### Deprecated Arguments

These arguments are deprecated since Vault 1.2 in favour of the common token arguments
documented above.

* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued
using this role, provided as a number of seconds.

* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens
issued using this role, provided as a number of seconds.

* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings
specifying the policies to be set on tokens issued using this role.

* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the
token generated using this role should never expire. The token should be renewed within the
duration specified by this value. At each renewal, the token's TTL will be set to the
value of this field. The maximum allowed lifetime of token issued using this
role. Specified as a number of seconds.

## Attributes Reference

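Review bot: Under Deprecated Arguments the `ttl` entry misspells "instead" as "isntead", and the `max_ttl` bullet is not wrapped at the width used by the bullets around it. More importantly, the Common Token Arguments block added here has the same mismatch between name and description: `token_num_uses` is described as a period in seconds, and `token_period`, which the deprecated `period` entry names as its replacement, is not listed. Suggest a `token_num_uses` bullet that states it limits how many times an issued token can be used, plus a separate `token_period` bullet, and trimming the trailing "The maximum allowed lifetime of token issued using this role. Specified as a number of seconds." from the `period` entry.
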