diff --git a/website/docs/d/kubernetes_auth_backend_role.md b/website/docs/d/kubernetes_auth_backend_role.md index b362c5fda0..8c4d83ab57 100644 --- a/website/docs/d/kubernetes_auth_backend_role.md +++ b/website/docs/d/kubernetes_auth_backend_role.md @@ -3,7 +3,7 @@ layout: "vault" page_title: "Vault: vault_kubernetes_auth_backend_role data source" sidebar_current: "docs-vault-datasource-kubernetes-auth-backend-role" description: |- - Manages Kubernetes auth backend roles in Vault. + Reads Kubernetes auth backend roles in Vault. --- # vault\_kubernetes\_auth\_backend\_role 
@@ -38,18 +38,61 @@ The following arguments are supported: In addition to the above arguments, the following attributes are exported: -* `bound_cirs` - List of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation. +* `bound_cirs` (Deprecated; use `token_bound_cidrs` instead) - List of CIDR blocks. If set, + specifies the blocks of IP addresses which can perform the login operation. * `bound_service_account_names` - List of service account names able to access this role. If set to "*" all names are allowed, both this and bound_service_account_namespaces can not be "*". * `bound_service_account_namespaces` - List of namespaces allowed to access this role. If set to "*" all namespaces are allowed, both this and bound_service_account_names can not be set to "*". -* `ttl` - The TTL period of tokens issued using this role in seconds. +* `ttl` (Deprecated; use `token_ttl` instead) - The TTL period of tokens issued using this + role in seconds. -* `max_ttl` - The maximum allowed lifetime of tokens issued in seconds using this role. +* `max_ttl` (Deprecated; use `token_max_ttl` instead) - The maximum allowed lifetime of + tokens issued in seconds using this role. -* `num_uses` - Number of times issued tokens can be used. Setting this to 0 or leaving it unset means unlimited uses. +* `num_uses` (Deprecated' use `token_num_uses` instead) - Number of times issued tokens can + be used. Setting this to 0 or leaving it unset means unlimited uses. -* `period` - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this parameter. +* `period` (Deprecated; use `token_period` instead) - If set, indicates that the token + generated using this role should never expire. The token should be renewed within the + duration specified by this value. 
At each renewal, the token's TTL will be set to the value + of this parameter. -* `policies` - Policies to be set on tokens issued using this role. +* `policies` (Deprecated; use `token_policies` instead) - Policies to be set on tokens issued + using this role. + +### Common Token Attributes + +These attributes are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). 
For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. diff --git a/website/docs/r/approle_auth_backend_role.html.md b/website/docs/r/approle_auth_backend_role.html.md index 854e3f2bda..f51fb1dbaf 100644 --- a/website/docs/r/approle_auth_backend_role.html.md +++ b/website/docs/r/approle_auth_backend_role.html.md @@ -20,9 +20,9 @@ resource "vault_auth_backend" "approle" { } resource "vault_approle_auth_backend_role" "example" { - backend = "${vault_auth_backend.approle.path}" - role_name = "test-role" - policies = ["default", "dev", "prod"] + backend = vault_auth_backend.approle.path + role_name = "test-role" + token_policies = ["default", "dev", "prod"] } ``` @@ -38,11 +38,8 @@ The following arguments are supported: * `bind_secret_id` - (Optional) Whether or not to require `secret_id` to be presented when logging in using this AppRole. Defaults to `true`. -* `bound_cidr_list` - (Optional) If set, specifies blocks of IP addresses which - can perform the login operation. - -* `policies` - (Optional) An array of strings specifying the policies to be set - on tokens issued using this role. +* `secret_id_bound_cidrs` - (Optional) If set, + specifies blocks of IP addresses which can perform the login operation. * `secret_id_num_uses` - (Optional) The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will 
@@ -51,24 +48,61 @@ The following arguments are supported: * `secret_id_ttl` - (Optional) The number of seconds after which any SecretID expires. -* `token_num_uses` - (Optional) The number of times issued tokens can be used. - A value of 0 means unlimited uses. +* `backend` - (Optional) The unique name of the auth backend to configure. + Defaults to `approle`. + +### Common Token Arguments + +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. -* `token_ttl` - (Optional) The TTL period of tokens issued using this role, - provided as a number of seconds. +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. -* `token_max_ttl` - (Optional) The maximum allowed lifetime of tokens issued - using this role, provided as a number of seconds. +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. 
-* `period` - (Optional) If set, indicates that the token generated using this - role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +* `bound_cidr_list` - (Optional; Deprecated, use `secret_id_bound_cidrs` instead) If set, + specifies blocks of IP addresses which can perform the login operation. + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. + +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. The maximum allowed lifetime of token issued using this role. Specified as a number of seconds. -* `backend` - (Optional) The unique name of the auth backend to configure. - Defaults to `approle`. - ## Attributes Reference No additional attributes are exported by this resource. 
diff --git a/website/docs/r/aws_auth_backend_role.html.md b/website/docs/r/aws_auth_backend_role.html.md index e153f33835..8024ceb553 100644 --- a/website/docs/r/aws_auth_backend_role.html.md +++ b/website/docs/r/aws_auth_backend_role.html.md @@ -22,7 +22,7 @@ resource "vault_auth_backend" "aws" { } resource "vault_aws_auth_backend_role" "example" { - backend = "${vault_auth_backend.aws.path}" + backend = vault_auth_backend.aws.path role = "test-role" auth_type = "iam" bound_ami_ids = ["ami-8c1be5f6"] @@ -33,9 +33,9 @@ resource "vault_aws_auth_backend_role" "example" { bound_iam_instance_profile_arns = ["arn:aws:iam::123456789012:instance-profile/MyProfile"] inferred_entity_type = "ec2_instance" inferred_aws_region = "us-east-1" - ttl = 60 - max_ttl = 120 - policies = ["default", "dev", "prod"] + token_ttl = 60 + token_max_ttl = 120 + token_policies = ["default", "dev", "prod"] } ``` @@ -118,21 +118,6 @@ The following arguments are supported: principals of the same name. Defaults to `true`. Once set to `true`, this cannot be changed to `false` without recreating the role. -* `ttl` - (Optional) The TTL period of tokens issued using this role, provided - as a number of seconds. - -* `max_ttl` - (Optional) The maximum allowed lifetime of tokens issued using - this role, provided as a number of seconds. - -* `period` - (Optional) If set, indicates that the token generated using this - role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this field. The maximum allowed lifetime of token issued using this - role. Specified as a number of seconds. - -* `policies` - (Optional) An array of strings specifying the policies to be set - on tokens issued using this role. - * `allow_instance_migration` - (Optional) If set to `true`, allows migration of the underlying instance where the client resides. 
@@ -140,6 +125,61 @@ The following arguments are supported: single token to be granted per instance ID. This can only be set when `auth_type` is set to `ec2`. +### Common Token Arguments + +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). 
For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued + using this role, provided as a number of seconds. + +* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens + issued using this role, provided as a number of seconds. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. + +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. The maximum allowed lifetime of token issued using this + role. Specified as a number of seconds. + ## Attributes Reference No additional attributes are exported by this resource. diff --git a/website/docs/r/azure_auth_backend_role.html.md b/website/docs/r/azure_auth_backend_role.html.md index 7af456d6e5..fe857bbc51 100644 --- a/website/docs/r/azure_auth_backend_role.html.md +++ b/website/docs/r/azure_auth_backend_role.html.md @@ -26,9 +26,9 @@ resource "vault_azure_auth_backend_role" "example" { role = "test-role" bound_subscription_ids = ["11111111-2222-3333-4444-555555555555"] bound_resource_groups = ["123456789012"] - ttl = 60 - max_ttl = 120 - policies = ["default", "dev", "prod"] + token_ttl = 60 + token_max_ttl = 120 + token_policies = ["default", "dev", "prod"] } ``` 
@@ -62,21 +62,60 @@ The following arguments are supported: machines that can perform the login operation that they must match the scale set specified by this field. -* `ttl` - (Optional) The TTL period of tokens issued using this role, provided - as a number of seconds. +### Common Token Arguments -* `max_ttl` - (Optional) The maximum allowed lifetime of tokens issued using - this role, provided as a number of seconds. +These arguments are common across several Authentication Token resources since Vault 1.2. -* `period` - (Optional) If set, indicates that the token generated using this - role should never expire. The token should be renewed within the duration - specified by this value. At each renewal, the token's TTL will be set to the - value of this field. The maximum allowed lifetime of token issued using this - role. Specified as a number of seconds. +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. 
+ +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. -* `policies` - (Optional) An array of strings specifying the policies to be set - on tokens issued using this role. +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued + using this role, provided as a number of seconds. + +* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens + issued using this role, provided as a number of seconds. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. + +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. The maximum allowed lifetime of token issued using this + role. Specified as a number of seconds. ## Attributes Reference 
diff --git a/website/docs/r/cert_auth_backend_role.html.md b/website/docs/r/cert_auth_backend_role.html.md index 1ab10376a8..2855f394b4 100644 --- a/website/docs/r/cert_auth_backend_role.html.md +++ b/website/docs/r/cert_auth_backend_role.html.md @@ -19,13 +19,13 @@ resource "vault_auth_backend" "cert" { } resource "vault_cert_auth_backend_role" "cert" { - name = "foo" - certificate = "${file("/path/to/certs/ca-cert.pem")}" - backend = "${vault_auth_backend.cert.path}" - allowed_names = ["foo.example.org", "baz.example.org"] - ttl = 300 - max_ttl = 600 - policies = ["foo"] + name = "foo" + certificate = file("/path/to/certs/ca-cert.pem") + backend = vault_auth_backend.cert.path + allowed_names = ["foo.example.org", "baz.example.org"] + token_ttl = 300 + token_max_ttl = 600 + token_policies = ["foo"] } ``` 
@@ -51,19 +51,70 @@ The following arguments are supported: * `required_extensions` - (Optional) TLS extensions required on client certificates -* `ttl` - (Optional) Default TTL of tokens issued by the backend +* `display_name` - (Optional) The name to display on tokens issued under this role. -* `max_ttl` - (Optional) Maximum TTL of tokens issued by the backend +* `backend` - (Optional) Path to the mounted Cert auth backend -* `period` - (Optional) Duration in seconds for token. If set, the issued token is a periodic token. +### Common Token Arguments -* `policies` - (Optional) Policies to grant on the issued token +These arguments are common across several Authentication Token resources since Vault 1.2. -* `display_name` - (Optional) The name to display on tokens issued under this role. +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. -* `bound_cidrs` - (Optional) Restriction usage of the certificates to client IPs falling within the range of the specified CIDRs +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. -* `backend` - (Optional) Path to the mounted Cert auth backend +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. 
+ +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The number of times issued tokens can be used. + A value of 0 means unlimited uses. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `bound_cidrs` - (Optional; Deprecated, use `token_bound_cidrs` instead) Restriction usage of the + certificates to client IPs falling within the range of the specified CIDRs + +* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued + using this role, provided as a number of seconds. + +* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens + issued using this role, provided as a number of seconds. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. + +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. 
At each renewal, the token's TTL will be set to the + value of this field. The maximum allowed lifetime of token issued using this + role. Specified as a number of seconds. For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api/auth/cert/index.html). diff --git a/website/docs/r/gcp_auth_backend_role.html.md b/website/docs/r/gcp_auth_backend_role.html.md index 5dfc275f3c..2a0f76898f 100644 --- a/website/docs/r/gcp_auth_backend_role.html.md +++ b/website/docs/r/gcp_auth_backend_role.html.md @@ -19,10 +19,10 @@ resource "vault_auth_backend" "gcp" { } resource "vault_gcp_auth_backend_role" "gcp" { - backend = "${vault_auth_backend.cert.path}" + backend = vault_auth_backend.cert.path project_id = "foo-bar-baz" bound_service_accounts = ["database-server@foo-bar-baz.iam.gserviceaccount.com"] - policies = ["database-server"] + token_policies = ["database-server"] } ``` @@ -39,14 +39,6 @@ The following arguments are supported: * `bound_projects` - (Optional) An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. -* `ttl` - (Optional) Default TTL of tokens issued by the backend - -* `max_ttl` - (Optional) Maximum TTL of tokens issued by the backend - -* `period` - (Optional) Duration in seconds for token. If set, the issued token is a periodic token. - -* `policies` - (Optional) Policies to grant on the issued token - * `backend` - (Optional) Path to the mounted GCP auth backend * `bound_service_accounts` - (Optional) GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`) 
@@ -73,6 +65,64 @@ The following parameters are only valid when the role is of type `"gce"`: For more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api/auth/gcp/index.html). +### Common Token Arguments + +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The number of times issued tokens can be used. + A value of 0 means unlimited uses. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. 
Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued + using this role, provided as a number of seconds. + +* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens + issued using this role, provided as a number of seconds. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. + +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. The maximum allowed lifetime of token issued using this + role. Specified as a number of seconds. + ## Attribute Reference No additional attributes are exposed by this resource. diff --git a/website/docs/r/github_team.html.md b/website/docs/r/github_team.html.md index 0fb6f3069a..99b709e37c 100644 --- a/website/docs/r/github_team.html.md +++ b/website/docs/r/github_team.html.md @@ -8,7 +8,7 @@ description: |- # vault\_github\_team -Manages policy mappings for Github Teams authenticated via Github. See the [Vault +Manages policy mappings for Github Teams authenticated via Github. See the [Vault documentation](https://www.vaultproject.io/docs/auth/github.html) for more information. 
@@ -20,9 +20,9 @@ resource "vault_github_auth_backend" "example" { } resource "vault_github_team" "tf_devs" { - backend = "${vault_github_auth_backend.example.id}" - team = "terraform-developers" - policies = ["developer", "read-only"] + backend = vault_github_auth_backend.example.id + team = "terraform-developers" + token_policies = ["developer", "read-only"] } ``` 
@@ -30,12 +30,54 @@ resource "vault_github_team" "tf_devs" { The following arguments are supported: -* `backend` - (Required) Path where the github auth backend is mounted. Defaults to `github` +* `backend` - (Required) Path where the github auth backend is mounted. Defaults to `github` if not specified. -* `team` - (Required) GitHub team name in "slugified" format, for example: Terraform Developers -> `terraform-developers`. +* `team` - (Required) GitHub team name in "slugified" format, for example: Terraform + Developers -> `terraform-developers`. -* `policies` - (Optional) A list of policies to be assigned to this team. +### Common Token Arguments + +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. 
+ +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. ## Attributes Reference diff --git a/website/docs/r/github_user.html.md b/website/docs/r/github_user.html.md index b35c0dcb7d..cf2b41b218 100644 --- a/website/docs/r/github_user.html.md +++ b/website/docs/r/github_user.html.md @@ -8,7 +8,7 @@ description: |- # vault\_github\_user -Manages policy mappings for Github Users authenticated via Github. See the [Vault +Manages policy mappings for Github Users authenticated via Github. See the [Vault documentation](https://www.vaultproject.io/docs/auth/github.html) for more information. @@ -20,9 +20,9 @@ resource "vault_github_auth_backend" "example" { } resource "vault_github_user" "tf_user" { - backend = "${vault_github_auth_backend.example.id}" - user = "john.doe" - policies = ["developer", "read-only"] + backend = vault_github_auth_backend.example.id + user = "john.doe" + token_policies = ["developer", "read-only"] } ``` 
@@ -30,12 +30,53 @@ resource "vault_github_user" "tf_user" { The following arguments are supported: -* `backend` - (Required) Path where the github auth backend is mounted. Defaults to `github` +* `backend` - (Required) Path where the github auth backend is mounted. Defaults to `github` if not specified. * `user` - (Required) GitHub user name. -* `policies` - (Optional) A list of policies to be assigned to this user. +### Common Token Arguments + +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. 
+ +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. ## Attributes Reference diff --git a/website/docs/r/jwt_auth_backend_role.html.md b/website/docs/r/jwt_auth_backend_role.html.md index bde5551d66..0ad01084e4 100644 --- a/website/docs/r/jwt_auth_backend_role.html.md +++ b/website/docs/r/jwt_auth_backend_role.html.md @@ -22,13 +22,13 @@ resource "vault_jwt_auth_backend" "jwt" { } resource "vault_jwt_auth_backend_role" "example" { - backend = "${vault_jwt_auth_backend.jwt.path}" - role_name = "test-role" - policies = ["default", "dev", "prod"] + backend = vault_jwt_auth_backend.jwt.path + role_name = "test-role" + token+policies = ["default", "dev", "prod"] bound_audiences = ["https://myco.test"] user_claim = "https://vault/user" - role_type = "jwt" + role_type = "jwt" } ``` 
@@ -41,14 +41,14 @@ resource "vault_jwt_auth_backend" "oidc" { } resource "vault_jwt_auth_backend_role" "example" { - backend = "${vault_jwt_auth_backend.oidc.path}" - role_name = "test-role" - policies = ["default", "dev", "prod"] + backend = vault_jwt_auth_backend.oidc.path + role_name = "test-role" + token_policies = ["default", "dev", "prod"] - bound_audiences = ["https://myco.test"] - user_claim = "https://vault/user" + bound_audiences = ["https://myco.test"] + user_claim = "https://vault/user" + role_type = "oidc" allowed_redirect_uris = ["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"] - role_type = "oidc" } ``` 
@@ -67,35 +67,16 @@ The following arguments are supported: the user; this will be used as the name for the Identity entity alias created due to a successful login. -* `policies` - (Optional) Policies to be set on tokens issued using this role. - -* `ttl` - (Optional) The initial/renewal TTL of tokens issued using this role, - in seconds. - -* `max_ttl` - (Optional) The maximum allowed lifetime of tokens issued using - this role, in seconds. - -* `period` - (Optional) If set, indicates that the token generated - using this role should never expire, but instead always use the value set - here as the TTL for every renewal. - -* `num_uses` - (Optional) If set, puts a use-count limitation on the issued - token. - * `bound_subject` - (Optional) If set, requires that the `sub` claim matches this value. -* `bound_cidrs` - (Optional) If set, a list of CIDRs valid as the source - address for login requests. This value is also encoded into any resulting - token. - -* `bound_claims` - (Optional) If set, a map of claims/values to match against. +* `bound_claims` - (Optional) If set, a map of claims/values to match against. The expected value may be a single string or a list of strings. -* `claim_mappings` - (Optional) If set, a map of claims (keys) to be copied +* `claim_mappings` - (Optional) If set, a map of claims (keys) to be copied to specified metadata fields (values). -* `oidc_scopes` - (Optional) If set, a list of OIDC scopes to be used with an OIDC role. +* `oidc_scopes` - (Optional) If set, a list of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. * `groups_claim` - (Optional) The claim to use to uniquely identify 
@@ -119,6 +100,67 @@ The following arguments are supported: * `allowed_redirect_uris` - (Optional) The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles +### Common Token Arguments + +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). 
For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `num_uses` - (Optional; Deprecated, use `token_num_uses` instead) If set, puts a use-count + limitation on the issued token. + +* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued + using this role, provided as a number of seconds. + +* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens + issued using this role, provided as a number of seconds. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. + +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. The maximum allowed lifetime of token issued using this + role. Specified as a number of seconds. + +* `bound_cidrs` - (Optional; Deprecated, use `token_bound_cidrs` instead) If set, a list of + CIDRs valid as the source address for login requests. This value is also encoded into any resulting token. + ## Attributes Reference No additional attributes are exported by this resource. diff --git a/website/docs/r/kubernetes_auth_backend_role.html.md b/website/docs/r/kubernetes_auth_backend_role.html.md index 363386e397..8f8bfaa0b7 100644 --- a/website/docs/r/kubernetes_auth_backend_role.html.md +++ b/website/docs/r/kubernetes_auth_backend_role.html.md 
@@ -20,12 +20,12 @@ resource "vault_auth_backend" "kubernetes" { } resource "vault_kubernetes_auth_backend_role" "example" { - backend = "${vault_auth_backend.kubernetes.path}" + backend = vault_auth_backend.kubernetes.path role_name = "example-role" bound_service_account_names = ["example"] bound_service_account_namespaces = ["example"] - ttl = 3600 - policies = ["default", "dev", "prod"] + token_ttl = 3600 + token_policies = ["default", "dev", "prod"] } ``` 
@@ -39,19 +39,68 @@ The following arguments are supported: * `bound_service_account_namespaces` - (Required) List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". -* `bound_cirs` - (Optional) List of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation. +* `backend` - (Optional) Unique name of the kubernetes backend to configure. -* `ttl` - (Optional) The TTL period of tokens issued using this role in seconds. +### Common Token Arguments -* `max_ttl` - (Optional) The maximum allowed lifetime of tokens issued in seconds using this role. +These arguments are common across several Authentication Token resources since Vault 1.2. -* `num_uses` - (Optional) Number of times issued tokens can be used. Setting this to 0 or leaving it unset means unlimited uses. +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. -* `period` - (Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this parameter. +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. -* `policies` - (Optional) Policies to be set on tokens issued using this role. +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. -* `backend` - (Optional) Unique name of the kubernetes backend to configure. +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. 
+ +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `num_uses` - (Optional; Deprecated, use `token_num_uses` instead) If set, puts a use-count + limitation on the issued token. + +* `ttl` - (Optional; Deprecated, use `token_ttl` isntead) The TTL period of tokens issued + using this role, provided as a number of seconds. + +* `max_ttl` - (Optional; Deprecated, use `token_max_ttl` instead) The maximum allowed lifetime of tokens + issued using this role, provided as a number of seconds. + +* `policies` - (Optional; Deprecated, use `token_policies` instead) An array of strings + specifying the policies to be set on tokens issued using this role. 
+ +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. The maximum allowed lifetime of token issued using this + role. Specified as a number of seconds. + +* `bound_cidrs` - (Optional; Deprecated, use `token_bound_cidrs` instead) If set, a list of + CIDRs valid as the source address for login requests. This value is also encoded into any resulting token. ## Attributes Reference diff --git a/website/docs/r/token_auth_backend_role.html.md b/website/docs/r/token_auth_backend_role.html.md index d9f92d66bc..294d48a8da 100644 --- a/website/docs/r/token_auth_backend_role.html.md +++ b/website/docs/r/token_auth_backend_role.html.md 
@@ -39,19 +39,63 @@ The following arguments are supported: * `orphan` (Optional) If true, tokens created against this policy will be orphan tokens. -* `period` (Optional) The duration in which a token should be renewed. At each renewal, the token's TTL will be set to the value of this parameter. - * `renewable` (Optional) Wether to disable the ability of the token to be renewed past its initial TTL. -* `explicit_max_ttl` (Optional) If set, the token will have an explicit max TTL set upon it. - * `path_suffix` (Optional) Tokens created against this role will have the given suffix as part of their path in addition to the role name. -* `bound_cidrs` (Optional) If set, restricts usage of the generated token to client IPs falling within the range of the specified CIDR(s). +-> Due to a [bug](https://github.com/hashicorp/vault/issues/6296) with Vault, updating `path_suffix` or `bound_cidrs` to an empty string or list respectively will not actually update the value in Vault. Upgrade to Vault 1.1 and above to fix this, or [`taint`](https://www.terraform.io/docs/commands/taint.html) the resource. This *will* cause all existing tokens issued by this role to be revoked. -* `token_type` (Optional) Specifies the type of tokens that should be returned by the role. If either service or batch is specified, that kind of token will always be returned. +### Common Token Arguments --> Due to a [bug](https://github.com/hashicorp/vault/issues/6296) with Vault, updating `path_suffix` or `bound_cidrs` to an empty string or list respectively will not actually update the value in Vault. Upgrade to Vault 1.1 and above to fix this, or [`taint`](https://www.terraform.io/docs/commands/taint.html) the resource. This *will* cause all existing tokens issued by this role to be revoked. +These arguments are common across several Authentication Token resources since Vault 1.2. + +* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds. 
+ Its current value will be referenced at renewal time. + +* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds. + Its current value will be referenced at renewal time. + +* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending + on the auth method, this list may be supplemented by user/group/other values. + +* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the resulting token to these blocks + as well. + +* `token_explicit_max_ttl` - (Optional) If set, will encode an + [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) + onto the token in number of seconds. This is a hard cap even if `token_ttl` and + `token_max_ttl` would otherwise allow a renewal. + +* `token_no_default_policy` - (Optional) If set, the default policy will not be set on + generated tokens; otherwise it will be added to the policies set in token_policies. + +* `token_num_uses` - (Optional) The + [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), + if any, in number of seconds to set on the token. + +* `token_type` - (Optional) The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which unless changed will be + `service` tokens). For token store roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type to return unless the client + requests a different type at generation time. + +### Deprecated Arguments + +These arguments are deprecated since Vault 1.2 in favour of the common token arguments +documented above. + +* `explicit_max_ttl` (Optional; Deprecated, use `token_explicit_max_ttl` instead) If set, the + token will have an explicit max TTL set upon it. 
+ +* `period` - (Optional; Deprecated, use `token_period` instead) If set, indicates that the + token generated using this role should never expire. The token should be renewed within the + duration specified by this value. At each renewal, the token's TTL will be set to the + value of this field. The maximum allowed lifetime of token issued using this + role. Specified as a number of seconds. + +* `bound_cidrs` - (Optional; Deprecated, use `token_bound_cidrs` instead) If set, a list of + CIDRs valid as the source address for login requests. This value is also encoded into any resulting token. ## Attributes Reference
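Review bot: in `website/docs/r/github_team.html.md` hunk `@@ -30,12 +30,54 @@`, the `token_num_uses` entry under Common Token Arguments describes the wrong field: its text and link ("The [period](...), if any, in number of seconds to set on the token.") are the description of a token period, not of a use count. `token_num_uses` should be described as the maximum number of times a generated token may be used, with 0 meaning unlimited, and the period text should move to a `token_period` entry, which this section lacks even though the deprecated `period` entries elsewhere in this patch say "use `token_period` instead". This matters for operators who rely on use-limited tokens to bound the blast radius of a leaked token. Minor: `token_policies` in the `token_no_default_policy` entry is the only argument name in the section not in backticks, and "tokens issued using this role" in the deprecated `policies` entry should say "this team", since this resource maps a GitHub team, not a role.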
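Review bot: in `website/docs/r/github_user.html.md` hunk `@@ -20,9 +20,9 @@`, replacing `backend = "${vault_github_auth_backend.example.id}"` with `backend = vault_github_auth_backend.example.id` makes the example depend on Terraform 0.12 expression syntax; that is fine if the provider already requires 0.12, but the jwt and kubernetes examples in this patch make the same change, so one "requires Terraform 0.12" line in the changelog or docs intro would spare users on 0.11 an opaque parse error when they copy the examples.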
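Review bot: in `website/docs/r/github_user.html.md` hunk `@@ -30,12 +30,53 @@`, the `token_num_uses` entry is given the period description ("The [period](...), if any, in number of seconds to set on the token.") instead of a use-count description; it should say that the argument caps how many times a generated token may be used, 0 meaning unlimited, and a separate `token_period` entry should carry the period text, since Common Token Arguments currently has no `token_period` at all. Also, the deprecated `policies` entry says "tokens issued using this role", but this resource maps a GitHub user, not a role.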
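Review bot: in `website/docs/r/jwt_auth_backend_role.html.md` hunk `@@ -22,13 +22,13 @@`, the added line `token+policies = ["default", "dev", "prod"]` has a `+` where the underscore belongs and must be `token_policies = ["default", "dev", "prod"]`, as in the OIDC example in the following hunk. As written the example is not valid HCL, and a reader who fixes it by guessing may fall back to the deprecated `policies` argument this patch is steering them away from.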
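Review bot: in `website/docs/r/jwt_auth_backend_role.html.md` hunk `@@ -67,35 +67,16 @@`, the `bound_claims`, `claim_mappings` and `oidc_scopes` lines are removed and re-added with no visible change (trailing whitespace only), which inflates the diff and obscures the substantive change, the removal of `policies`, `ttl`, `max_ttl`, `period`, `num_uses` and `bound_cidrs` from the argument list; consider dropping the whitespace-only edits or moving them to a separate commit. The removal itself is fine because all six arguments reappear under the new Deprecated Arguments section later in the file (`num_uses`, `ttl`, `max_ttl`, `policies`, `period`, `bound_cidrs`), but the commit message should say they are still accepted so existing configurations are not read as broken.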
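Review bot: in `website/docs/r/jwt_auth_backend_role.html.md` hunk `@@ -119,6 +100,67 @@`, the deprecated `period` entry carries a stray sentence copied from `max_ttl`: "The maximum allowed lifetime of token issued using this role. Specified as a number of seconds." contradicts the preceding "should never expire" and should be dropped. In the same section, `isntead` in the `ttl` entry should be `instead`, and the `max_ttl` line runs past the wrap width used by every other entry. In Common Token Arguments, `token_num_uses` is described as "The [period](...), if any, in number of seconds to set on the token", which is the description of `token_period`; `token_num_uses` should be described as the maximum number of times a generated token may be used (0 meaning unlimited), and a `token_period` entry should be added, otherwise the deprecated `period` entry sends users to an argument the page never documents.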
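Review bot: in `website/docs/r/kubernetes_auth_backend_role.html.md` hunk `@@ -39,19 +39,68 @@`, the removed line documented `bound_cirs` while the new Deprecated Arguments entry documents `bound_cidrs`; please confirm the resource schema exposes `bound_cidrs` and that the misspelt name does not survive anywhere else, since a deprecation notice for an attribute name that does not exist in the schema will confuse users more than the original typo did. The same copy-paste defects as in the jwt file are present: `isntead` in the `ttl` entry, the stray "The maximum allowed lifetime of token issued using this role. Specified as a number of seconds." at the end of the `period` entry, an overlong `max_ttl` line, `token_num_uses` given the token-period description instead of a use-count description, and no `token_period` entry in Common Token Arguments even though the deprecated `period` entry says "use `token_period` instead". Since these Common Token Arguments blocks are identical across five files, fixing the source block once and re-pasting would be safer than patching each copy.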
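Review bot: in `website/docs/r/token_auth_backend_role.html.md` hunk `@@ -39,19 +39,63 @@`, the retained bug note still reads "updating `path_suffix` or `bound_cidrs` to an empty string or list respectively will not actually update the value in Vault", but `bound_cidrs` is now deprecated in favour of `token_bound_cidrs`; either state whether the same caveat applies to `token_bound_cidrs` or reword so readers using the new argument do not assume they are exempt (a CIDR restriction that silently fails to clear, or to apply, is exactly the kind of thing an operator needs to know). The deprecated `period` entry ends with a sentence copied from `max_ttl` ("The maximum allowed lifetime of token issued using this role. Specified as a number of seconds.") that should be removed. Style: this file writes entries as `* `orphan` (Optional)`, and the new `explicit_max_ttl` entry follows that, but the new `period` and `bound_cidrs` entries and the whole Common Token Arguments section use `* `name` - (Optional)`, so the list now mixes two styles; pick one. As in the other files, `token_num_uses` is given the period description and `token_period` is missing from Common Token Arguments. While here, "Wether" in the untouched `renewable` line is a typo for "Whether".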