### Example: Root CA Setup Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Sets up a self-signed root CA for the PKI engine and configures CRL/OCSP URLs. ```typescript const rootCA = new vault.pkisecret.SecretBackendRootSignSelf("root-ca", { backend: pki.path, commonName: "my-ca.example.com", organization: "My Organization", organizationalUnit: "IT", country: "US", locality: "New York", province: "NY", ttl: "87600h", // 10 years type: "rsa", keyBits: 4096, keyType: "rsa", }); const crlUrls = new vault.pkisecret.SecretBackendUrlConfig("config", { backend: pki.path, issueingCertificates: ["https://vault.example.com/v1/pki/ca"], crlDistributionPoints: ["https://vault.example.com/v1/pki/crl"], }); ``` -------------------------------- ### Basic Setup Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/README.md Example of configuring the Pulumi Vault provider and creating a policy resource. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; // Configure the provider const provider = new vault.Provider("vault", { address: "https://vault.example.com:8200", token: process.env.VAULT_TOKEN, skipTlsVerify: false, }); // Create resources const policy = new vault.Policy("example", { name: "dev", policy: `path "secret/data/dev/*" { capabilities = ["read", "list"] }`, }, { provider }); export const policyName = policy.name; ``` -------------------------------- ### Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating an AppRole role: ```typescript const appRoleRole = new vault.approle.AuthBackendRole("my-role", { roleId: "my-role-id", policies: ["app-policy"], secretIdTtl: "30m", secretIdNumUses: 1, tokenTtl: "1h", tokenMaxTtl: "24h", bindSecretId: true, }); ``` -------------------------------- ### Example import Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Examples of importing existing Vault resources into Pulumi. ```bash pulumi import vault:index/policy:Policy example dev-team pulumi import vault:index/mount:Mount example secret pulumi import vault:kv/secretV2:SecretV2 example secret/data/my-secret ``` -------------------------------- ### Complete Advanced Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md A comprehensive example demonstrating various advanced Vault resources with Pulumi. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; // PKI setup const pki = new vault.Mount("pki", { path: "pki", type: "pki", maxLeaseTtlSeconds: 315360000, }); // Transit encryption const transit = new vault.Mount("transit", { path: "transit", type: "transit", forceNoCache: true, }); // Audit logging const fileAudit = new vault.Audit("file-audit", { type: "file", options: { file_path: "/vault/logs/audit.log", }, }); // Rate limiting const rateLimit = new vault.QuotaRateLimit("api-limit", { name: "api-limit", path: "auth/*", rate: 1000, }); // MFA const mfa = new vault.MfaTotp("totp", { name: "totp", period: 30, }); export const pkiPath = pki.path; export const transitPath = transit.path; ``` -------------------------------- ### Auth Method Setup Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of setting up GitHub and AppRole authentication methods in Vault. ```typescript const github = new vault.AuthBackend("github", { type: "github", description: "GitHub authentication", }); const appRole = new vault.AuthBackend("approle", { type: "approle", description: "AppRole authentication", }); ``` -------------------------------- ### Database Setup Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of setting up a database secret backend connection and role in Vault. ```typescript const dbMount = new vault.Mount("database", { path: "database", type: "database", }); const connection = new vault.database.SecretBackendConnection("postgres", { backend: dbMount.path, name: "postgres", pluginName: "postgresql", connectionUrl: "...", username: "...", password: pulumi.secret("..."), }); const role = new vault.database.SecretBackendRole("app", { backend: dbMount.path, name: "app", dbName: connection.name, creationStatements: ["..."], defaultTtl: "1h", maxTtl: "24h", }); ``` -------------------------------- ### AppRole Setup Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/README.md Example of enabling AppRole authentication, creating a role, and generating a secret ID. ```typescript // Enable AppRole auth const appRole = new vault.AuthBackend("approle", { type: "approle", }); // Create a role const role = new vault.approle.AuthBackendRole("my-app", { roleId: "my-app", policies: ["app-policy"], secretIdTtl: "30m", secretIdNumUses: 1, tokenTtl: "1h", bindSecretId: true, }); // Generate a secret ID const secretId = new vault.approle.AuthBackendRoleSecretId("secret", { roleId: role.roleId, ttl: "30m", numUses: 1, }); export const roleId = role.roleId; export const secretIdValue = pulumi.secret(secretId.secretId); ``` -------------------------------- ### Get Nomad Access Token Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md Example of how to generate a Nomad access token using the `getNomadAccessToken` data source. ```typescript const token = vault.getNomadAccessToken({ backend: "nomad", role: "my-role", }); token.then(t => { console.log("Access Token:", t.accessToken); }); ``` -------------------------------- ### Complete Example: Auth Backends and Conditional Logic Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md A comprehensive example demonstrating how to fetch all configured auth backends, a specific auth backend (GitHub), combine their results, and use conditional logic based on backend type. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; // Get all configured auth backends const authBackends = vault.getAuthBackends({}); // Get specific auth backend const githubAuth = vault.getAuthBackend({ path: "github", }); // Combine results const authInfo = pulumi.all([authBackends, githubAuth]).apply(([all, github]) => { return { totalBackends: Object.keys(all.backends).length, githubAccessor: github.accessor, allPaths: Object.keys(all.backends).join(", "), }; }); export const authSummary = authInfo; // Use in conditional logic const hasGithub = githubAuth.then(auth => { if (auth.type === "github") { console.log("GitHub auth is configured"); return true; } return false; }); export const githubConfigured = hasGithub; ``` -------------------------------- ### Complete Example: Enabling Multiple Auth Methods Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example demonstrating how to enable and configure multiple authentication methods (GitHub, AppRole, Kubernetes) and create an AppRole role with a secret ID. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; // Enable multiple auth methods const github = new vault.AuthBackend("github", { type: "github", description: "GitHub authentication", }); const appRole = new vault.AuthBackend("approle", { type: "approle", description: "AppRole authentication", }); const kubernetes = new vault.AuthBackend("kubernetes", { type: "kubernetes", description: "Kubernetes authentication", }); // Create AppRole role const role = new vault.approle.AuthBackendRole("my-app", { roleId: "my-app", policies: ["app-policy"], secretIdTtl: "30m", secretIdNumUses: 1, tokenTtl: "1h", bindSecretId: true, }); // Create secret ID const secretId = new vault.approle.AuthBackendRoleSecretId("secret", { roleId: role.roleId, ttl: "30m", numUses: 1, }); export const appRoleId = role.roleId; export const appSecretId = secretId.secretId; ``` -------------------------------- ### Get Policy Document Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md Example of how to render a policy document from HCL rules using the `getPolicyDocument` data source, and then use it to create a `vault.Policy` resource. ```typescript const policy = vault.getPolicyDocument({ rules: [ { path: "secret/data/*", capabilities: ["read", "list"], }, { path: "secret/metadata/*", capabilities: ["list"], }, ], }); policy.then(p => { console.log(p.hcl); }); // Use in a Policy resource const docPolicy = new vault.Policy("generated", { policy: policy.then(p => p.hcl), }); ``` -------------------------------- ### Go Policy Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of how to create a Vault Policy resource using Go. ```go import "github.com/pulumi/pulumi-vault/sdk/v6/go/vault" policy, err := vault.NewPolicy(ctx, "example", &vault.PolicyArgs{ Name: pulumi.String("dev"), Policy: pulumi.String("..."), }) ``` -------------------------------- ### Provider Constructor Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/configuration.md Example of how to instantiate the Vault provider with basic configuration. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; const provider = new vault.Provider("my-vault", { address: "https://vault.example.com:8200", token: "s.xxxxxxxxxxxxxxxx", namespace: "admin", skipTlsVerify: false, }); // Use provider in resources const policy = new vault.Policy("example", { name: "dev-team", policy: "...", }, { provider }); ``` -------------------------------- ### Get Raft Autopilot State Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md Example of how to read the Raft autopilot state using the `getRaftAutopilotState` data source. ```typescript const autopilot = vault.getRaftAutopilotState({}); autopilot.then(state => { console.log("Peers:", state.peers); console.log("Leader:", state.leaderNode); }); ``` -------------------------------- ### Multi-Vault Setup Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/README.md Example demonstrating how to configure multiple Vault providers and replicate policies across them. ```typescript const vaults = { primary: new vault.Provider("primary", { address: "https://vault1.example.com:8200", token: process.env.VAULT_PRIMARY_TOKEN, }), secondary: new vault.Provider("secondary", { address: "https://vault2.example.com:8200", token: process.env.VAULT_SECONDARY_TOKEN, }), }; // Replicate policies across vaults for (const [name, vault] of Object.entries(vaults)) { new vault.Policy(`policy-${name}`, { name: "shared-policy", policy: "...", }, { provider: vault }); } ``` -------------------------------- ### Vault Auth Login Example (Go) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring userpass login credentials using Pulumi Config in Go. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: go ``` ```go package main import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { cfg := config.New(ctx, "") var loginUsername interface{} cfg.RequireObject("loginUsername", &loginUsername) var loginPassword interface{} cfg.RequireObject("loginPassword", &loginPassword) return nil }) } ``` -------------------------------- ### getAuthBackends Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md Lists all configured authentication methods and logs their paths and types. ```typescript const allAuth = vault.getAuthBackends({}); allAuth.then(result => { for (const [path, auth] of Object.entries(result.backends)) { console.log(`${path}: ${auth.type}`); } }); ``` -------------------------------- ### Example Usage Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example usage of the Vault provider with different languages. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: nodejs ``` ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; const example = new vault.generic.Secret("example", { path: "secret/foo", dataJson: JSON.stringify({ foo: "bar", pizza: "cheese", }), }); ``` ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: python ``` ```python import pulumi import json import pulumi_vault as vault example = vault.generic.Secret("example", path="secret/foo", data_json=json.dumps({ "foo": "bar", "pizza": "cheese", })) ``` ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: dotnet ``` ```csharp using System.Collections.Generic; using System.Linq; using System.Text.Json; using Pulumi; using Vault = Pulumi.Vault; return await Deployment.RunAsync(() => { var example = new Vault.Generic.Secret("example", new() { Path = "secret/foo", DataJson = JsonSerializer.Serialize(new Dictionary { ["foo"] = "bar", ["pizza"] = "cheese", }), }); }); ``` ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: go ``` ```go package main import ( "encoding/json" "github.com/pulumi/pulumi-vault/sdk/v7/go/vault/generic" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { tmpJSON0, err := json.Marshal(map[string]interface{}{ "foo": "bar", "pizza": "cheese", }) if err != nil { return err } json0 := string(tmpJSON0) _, err = generic.NewSecret(ctx, "example", &generic.SecretArgs{ Path: pulumi.String("secret/foo"), DataJson: pulumi.String(pulumi.String(json0)), }) if err != nil { return err } return nil }) } ``` ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: yaml ``` ```yaml resources: example: type: vault:generic:Secret properties: path: secret/foo dataJson: fn::toJSON: foo: bar pizza: cheese ``` -------------------------------- ### Complete Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/database-secrets.md This TypeScript example demonstrates mounting the database secrets engine, configuring a PostgreSQL connection, and creating read-only, read-write, and static roles. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; // Mount the database secrets engine const dbMount = new vault.Mount("database", { path: "database", type: "database", description: "Dynamic database credentials", }); // Configure PostgreSQL connection const pgConnection = new vault.database.SecretBackendConnection("postgres", { backend: dbMount.path, name: "postgres", pluginName: "postgresql", allowedRoles: ["readonly", "readwrite"], connectionUrl: "postgresql://{{username}}:{{password}}@postgres.example.com:5432/postgres", username: pulumi.secret("vault"), password: pulumi.secret("vault-password"), rootRotationStatements: [ "ALTER USER \"{{username}}\" WITH PASSWORD '{{password}}';", ], }); // Create read-only role const readonlyRole = new vault.database.SecretBackendRole("readonly", { backend: dbMount.path, name: "readonly", dbName: pgConnection.name, creationStatements: [ `CREATE USER "{{name}}" WITH PASSWORD '{{password}}'`, `GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"`, ], revocationStatements: [ `DROP USER IF EXISTS "{{name}}"`, ], defaultTtl: "1h", maxTtl: "24h", }, { dependsOn: [pgConnection] }); // Create read-write role const readwriteRole = new vault.database.SecretBackendRole("readwrite", { backend: dbMount.path, name: "readwrite", dbName: pgConnection.name, creationStatements: [ `CREATE USER "{{name}}" WITH PASSWORD '{{password}}'`, `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "{{name}}"`, ], revocationStatements: [ `DROP USER IF EXISTS "{{name}}"`, ], defaultTtl: "1h", maxTtl: "24h", }, { dependsOn: [pgConnection] }); // Create static role for application user const appUserStatic = new vault.database.SecretBackendStaticRole("app-user", { backend: dbMount.path, name: "app-user", dbName: pgConnection.name, username: "app", rotationStatements: [ `ALTER USER "{{name}}" WITH PASSWORD '{{password}}'`, ], rotationPeriod: "30d", }, { dependsOn: [pgConnection] }); export const readonlyRoleName = readonlyRole.name; export const readwriteRoleName = readwriteRole.name; export const appUserRoleName = appUserStatic.name; ``` -------------------------------- ### Example: File Audit Device Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Configures a file-based audit device for logging. ```typescript const fileAudit = new vault.Audit("file-audit", { type: "file", path: "file", description: "File-based audit logging", options: { file_path: "/vault/logs/audit.log", }, }); ``` -------------------------------- ### Vault Auth Login Example (C#) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring userpass login credentials using Pulumi Config in C#. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: dotnet ``` ```csharp using System.Collections.Generic; using System.Linq; using Pulumi; return await Deployment.RunAsync(() => { var config = new Config(); var loginUsername = config.RequireObject("loginUsername"); var loginPassword = config.RequireObject("loginPassword"); }); ``` -------------------------------- ### .NET Policy Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of how to create a Vault Policy resource using .NET. ```csharp using Pulumi; using Pulumi.Vault; var policy = new Policy("example", new PolicyArgs { Name = "dev", PolicyValue = "...", }); ``` -------------------------------- ### Example: Syslog Audit Device Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Configures a syslog-based audit device for logging. ```typescript const syslogAudit = new vault.Audit("syslog-audit", { type: "syslog", path: "syslog", description: "Syslog audit logging", options: { facility: "LOCAL7", tag: "vault", }, }); ``` -------------------------------- ### Java Policy Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of how to create a Vault Policy resource using Java. ```java import com.pulumi.vault.*; var policy = new Policy("example", PolicyArgs.builder() .name("dev") .policy("...") .build()); ``` -------------------------------- ### Azure Auth Backend Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating an Azure authentication backend. ```typescript const azure = new vault.AuthBackend("azure", { type: "azure", path: "auth/azure", description: "Azure authentication", }); ``` -------------------------------- ### Vault Auth Login Example (Java) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring userpass login credentials using Pulumi Config in Java. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: java ``` ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import java.util.ArrayList; import java.util.Arrays; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { final var config = ctx.config(); final var loginUsername = config.require("loginUsername"); final var loginPassword = config.require("loginPassword"); } } ``` -------------------------------- ### Example: Create Encryption Key Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Creates an AES-256-GCM encryption key for the Transit engine. ```typescript const dataKey = new vault.transit.SecretEngineKey("data-key", { backend: transit.path, name: "my-key", type: "aes256-gcm96", convergentEncryption: false, derived: false, exportable: false, allowPlaintextBackup: false, }); ``` -------------------------------- ### Client Authentication Configuration Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/configuration.md Example of configuring the Vault provider with client certificate authentication. ```typescript const provider = new vault.Provider("my-vault", { address: "https://vault.example.com:8200", clientAuth: { certFile: "/path/to/client-cert.pem", keyFile: "/path/to/client-key.pem", }, }); ``` -------------------------------- ### Python Policy Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of how to create a Vault Policy resource using Python. ```python import pulumi_vault as vault policy = vault.Policy("example", name="dev", policy="...") ``` -------------------------------- ### OCI Auth Backend Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating an OCI authentication backend. ```typescript const oci = new vault.OciAuthBackend("oci", { path: "auth/oci", description: "OCI authentication", }); ``` -------------------------------- ### Vault Auth Login Example (Python) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring userpass login credentials using Pulumi Config in Python. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: python ``` ```python import pulumi config = pulumi.Config() login_username = config.require_object("loginUsername") login_password = config.require_object("loginPassword") ``` -------------------------------- ### Vault Auth Login Example (YAML) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring userpass login credentials in Pulumi YAML. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: yaml ``` ```yaml configuration: loginUsername: type: object loginPassword: type: object ``` -------------------------------- ### GCP Auth Backend Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating a GCP authentication backend. ```typescript const gcp = new vault.AuthBackend("gcp", { type: "gcp", path: "auth/gcp", description: "GCP authentication", }); ``` -------------------------------- ### Example: Splunk Audit Device Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Configures a Splunk-based audit device for logging. ```typescript const splunkAudit = new vault.Audit("splunk-audit", { type: "splunk", path: "splunk", description: "Splunk audit logging", options: { token: pulumi.secret("splunk-hec-token"), address: "https://splunk.example.com:8088", }, }); ``` -------------------------------- ### Secrets Management Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of how to manage secrets using the `vault.kv.SecretV2` resource. ```typescript const secret = new vault.kv.SecretV2("db-creds", { mount: "secret", name: "database", dataJson: pulumi.secret(JSON.stringify({ username: "admin", password: "secret", })), }); export const secretPath = secret.path; ``` -------------------------------- ### Example `authLogin` With AWS Signing Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example configuration for `authLogin` with AWS signing, including setting the Vault server ID. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: config: vault:address: value: http://127.0.0.1:8200 ``` ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: config: vault:address: value: http://127.0.0.1:8200 ``` -------------------------------- ### TypeScript/JavaScript Policy Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of how to create a Vault Policy resource using TypeScript/JavaScript. ```typescript import * as vault from "@pulumi/vault"; const policy = new vault.Policy("example", { name: "dev", policy: "...", }); ``` -------------------------------- ### Vault Auth Login Example (HCL) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring userpass login credentials using Pulumi variables in HCL. ```hcl variable "loginUsername" { } variable "loginPassword" { } ``` -------------------------------- ### getNamespaces Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md Lists all namespaces (Vault Enterprise) and logs the list of namespace paths. ```typescript const allNamespaces = vault.getNamespaces({}); allNamespaces.then(result => { console.log("Namespaces:", result.namespaces); }); ``` -------------------------------- ### Azure Auth Backend Config Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of configuring the Azure authentication backend. ```typescript const azureConfig = new vault.azure.AuthBackendConfig("config", { backend: "azure", tenantId: "tenant-id", resource: "https://management.azure.com", clientId: "client-id", clientSecret: pulumi.secret("client-secret"), }); ``` -------------------------------- ### Vault Auth Login Example (TypeScript) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring userpass login credentials using Pulumi Config in TypeScript. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: nodejs ``` ```typescript import * as pulumi from "@pulumi/pulumi"; const config = new pulumi.Config(); const loginUsername = config.requireObject("loginUsername"); const loginPassword = config.requireObject("loginPassword"); ``` -------------------------------- ### GCP Auth Backend Config Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of configuring the GCP authentication backend. ```typescript const gcpConfig = new vault.gcp.AuthBackendConfig("config", { backend: "gcp", credentials: pulumi.secret(gcpServiceAccountKey), }); ``` -------------------------------- ### JWT Auth Backend Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating a JWT authentication backend. ```typescript const jwt = new vault.AuthBackend("jwt", { type: "jwt", path: "auth/jwt", description: "JWT authentication", }); ``` -------------------------------- ### Import Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/core-resources.md Example of how to import an existing Vault policy. ```bash $ pulumi import vault:index/policy:Policy example dev-team ``` -------------------------------- ### Python Source: https://github.com/pulumi/pulumi-vault/blob/master/README.md To use from Python, install using pip. ```bash pip install pulumi_vault ``` -------------------------------- ### Complete KV v2 Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/kv-secrets.md This example demonstrates how to create a KV v2 mount, configure its backend, create a secret, and read it back using Pulumi Vault. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; // Create KV v2 mount const kvMount = new vault.Mount("secret", { path: "secret", type: "kv-v2", description: "KV Version 2 secret engine", options: { version: "2" }, }); // Configure KV v2 backend const kvConfig = new vault.kv.SecretBackendV2("backend-config", { mount: kvMount.path, maxVersions: 10, casRequired: false, }); // Create a database credentials secret const dbSecret = new vault.kv.SecretV2("db-creds", { mount: kvMount.path, name: "production/postgres", dataJson: JSON.stringify({ username: "postgres", password: pulumi.secret("super-secret-password"), host: "postgres.example.com", port: 5432, }), customMetadata: { maxVersions: 5, data: { owner: "platform", env: "production", }, }, }, { dependsOn: [kvConfig] }); // Read the secret back (in a separate stack) const retrieved = vault.kv.getSecretV2({ mount: kvMount.path, name: "production/postgres", }); export const dbPath = dbSecret.path; ``` -------------------------------- ### Vault Generic Secret Example (Java) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of creating a generic secret in Vault using the Pulumi Java SDK. ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.generic.Secret; import com.pulumi.vault.generic.SecretArgs; import static com.pulumi.codegen.internal.Serialization.*; import java.util.ArrayList; import java.util.Arrays; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { var example = new Secret("example", SecretArgs.builder() .path("secret/foo") .dataJson(serializeJson( jsonObject( jsonProperty("foo", "bar"), jsonProperty("pizza", "cheese") ))) .build()); } } ``` -------------------------------- ### Vault Auth Login Example (TypeScript) - AppRole Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring approle login credentials using Pulumi Config in TypeScript. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: nodejs ``` ```typescript import * as pulumi from "@pulumi/pulumi"; const config = new pulumi.Config(); const loginApproleRoleId = config.requireObject("loginApproleRoleId"); const loginApproleSecretId = config.requireObject("loginApproleSecretId"); ``` -------------------------------- ### Azure Auth Backend Role Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating an Azure authentication backend role. ```typescript const azureRole = new vault.azure.AuthBackendRole("vm-role", { backend: "azure", role: "azure-vms", boundSubscriptionIds: ["subscription-id"], boundResourceGroups: ["rg-name"], policies: ["app-policy"], }); ``` -------------------------------- ### AWS Auth Backend Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating an AWS IAM authentication backend. ```typescript const aws = new vault.AuthBackend("aws", { type: "aws", path: "auth/aws", description: "AWS IAM authentication", }); ``` -------------------------------- ### GCP Auth Backend Role Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/auth-methods.md Example of creating a GCP authentication backend role. ```typescript const gcpRole = new vault.gcp.AuthBackendRole("gce-role", { backend: "gcp", role: "gce-instances", type: "gce", boundProjects: ["my-project"], boundServiceAccounts: ["my-sa@my-project.iam.gserviceaccount.com"], policies: ["app-policy"], }); ``` -------------------------------- ### getNamespace Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md Reads information about a Vault Enterprise namespace and logs its ID. ```typescript const ns = vault.getNamespace({ path: "team-a", }); ns.then(n => { console.log("Namespace ID:", n.namespaceId); }); ``` -------------------------------- ### .NET Source: https://github.com/pulumi/pulumi-vault/blob/master/README.md To use from .NET, install using dotnet add package. ```bash dotnet add package Pulumi.Vault ``` -------------------------------- ### Go Configuration Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring Vault provider with AppRole credentials in Go. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: go ``` ```go package main import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { cfg := config.New(ctx, "") var loginApproleRoleId interface{} cfg.RequireObject("loginApproleRoleId", &loginApproleRoleId) var loginApproleSecretId interface{} cfg.RequireObject("loginApproleSecretId", &loginApproleSecretId) return nil }) } ``` -------------------------------- ### Python Configuration Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring Vault provider with AppRole credentials in Python. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: python ``` ```python import pulumi config = pulumi.Config() login_approle_role_id = config.require_object("loginApproleRoleId") login_approle_secret_id = config.require_object("loginApproleSecretId") ``` -------------------------------- ### Java Configuration Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring Vault provider with AppRole credentials in Java. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: java ``` ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import java.util.ArrayList; import java.util.Arrays; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { final var config = ctx.config(); final var loginApproleRoleId = config.require("loginApproleRoleId"); final var loginApproleSecretId = config.require("loginApproleSecretId"); } } ``` -------------------------------- ### C# Configuration Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of configuring Vault provider with AppRole credentials in C#. ```yaml # Pulumi.yaml provider configuration file name: configuration-example runtime: dotnet ``` ```csharp using System.Collections.Generic; using System.Linq; using Pulumi; return await Deployment.RunAsync(() => { var config = new Config(); var loginApproleRoleId = config.RequireObject("loginApproleRoleId"); var loginApproleSecretId = config.RequireObject("loginApproleSecretId"); }); ``` -------------------------------- ### Get Secret V2 Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/kv-secrets.md Example of reading a secret from KV v2. ```typescript const secret = vault.kv.getSecretV2({ mount: "secret", name: "my-app/database", version: 1, // Specific version }); secret.then(s => { console.log(s.data); }); ``` -------------------------------- ### Get Secret (KV v1) Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/kv-secrets.md Example of reading a secret from KV v1. ```typescript const secret = vault.kv.getSecret({ path: "secret/my-app", }); secret.then(s => { console.log(s.data); }); ``` -------------------------------- ### getAuthBackend Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/data-sources.md Read existing auth backend information and log its accessor and type. Also demonstrates using Output for reactive data. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; // Read existing auth backend information const githubAuth = vault.getAuthBackend({ path: "github", }); githubAuth.then(auth => { console.log("GitHub auth accessor:", auth.accessor); console.log("Auth type:", auth.type); }); // Or use with Output for reactive data const authInfo = vault.getAuthBackendOutput({ path: pulumi.output("github"), }).apply(auth => { return auth.accessor; }); export const accessor = authInfo; ``` -------------------------------- ### RGP Policy Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Example of a Role Governing Policy (RGP) enforcing rules on identity-based access. ```typescript const rgp = new vault.RgpPolicy("break-glass", { name: "break-glass", policy: "\n rule {\n when {\n vault.request.auth.token.metadata.user == \"emergency-admin\"\n } then {\n true\n }\n }\n ", }); ``` -------------------------------- ### Error Handling Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Example of handling potential errors during resource creation in Vault. ```typescript try { const policy = new vault.Policy("example", { policy: "invalid-hcl", }); } catch (error) { console.error("Policy creation failed:", error.message); } ``` -------------------------------- ### Vault Generic Secret Example (HCL) Source: https://github.com/pulumi/pulumi-vault/blob/master/docs/_index.md Example of creating a generic secret in Vault using Pulumi HCL. ```hcl pulumi { required_providers { vault = { source = "pulumi/vault" } } } resource "vault_generic_secret" "example" { path = "secret/foo" data_json = jsonencode({ "foo" = "bar" "pizza" = "cheese" }) } ``` -------------------------------- ### EGP Policy Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Example of an Engine Guard Policy (EGP) enforcing Sentinel rules on secret engine operations. ```typescript class EgpPolicy extends pulumi.CustomResource { constructor(name: string, args: EgpPolicyArgs, opts?: pulumi.CustomResourceOptions) } const egp = new vault.EgpPolicy("secret-protection", { name: "secret-protection", paths: "secret/data/*", enforcementLevel: "hard-mandatory", policy: "\n rule {\n main = rule.max_ttl\n }\n \n rule \"max_ttl\" {\n vault.request.data.ttl < \"24h\" or\n vault.request.data.ttl is empty\n }\n ", }); ``` -------------------------------- ### Example: Encrypt Data Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Illustrates that encryption/decryption is typically done via the Vault API or SDK, not directly as Pulumi resources. ```typescript // Encryption/decryption is typically done in application code // using the Vault HTTP API or Vault SDK ``` -------------------------------- ### Testing: Mocking Vault Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/README.md Starts a Vault development server for testing. ```bash vault server -dev ``` -------------------------------- ### Example: Sync Secrets to AWS Secrets Manager Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/advanced-resources.md Demonstrates syncing Vault secrets to AWS Secrets Manager. ```typescript const awsSync = new vault.secrets.SyncAwsDestination("aws-sync", { name: "aws-destination", accessKeyId: pulumi.secret("AWS_ACCESS_KEY_ID"), secretAccessKey: pulumi.secret("AWS_SECRET_ACCESS_KEY"), region: "us-west-2", }); const association = new vault.secrets.SyncAssociation("secret-sync", { mount: "secret", secretName: "my-secret", destinations: ["aws-destination"], }); ``` -------------------------------- ### Composition with Outputs Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/types.md Example showing how to combine multiple outputs using `pulumi.all()` or `.apply()` for reactive composition. ```typescript const dbPassword = new vault.Token("db-token", { policies: ["db-role"], }); const secret = new vault.kv.SecretV2("db-creds", { mount: "secret", name: "database", dataJson: pulumi.all([dbPassword.clientToken]).apply(([token]) => { return JSON.stringify({ password: token, }); }), }); ``` -------------------------------- ### String as Sensitive Data Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/types.md Example demonstrating how to handle sensitive data like passwords or API keys using `pulumi.secret`. ```typescript import * as pulumi from "@pulumi/pulumi"; import * as vault from "@pulumi/vault"; const secret = new vault.kv.SecretV2("api-secret", { mount: "secret", name: "api-key", dataJson: pulumi.secret(JSON.stringify({ apiKey: "sk-xxxxxxxxxxxx", apiSecret: "sk-yyyyyyyyyyyyyy", })), }); // Or mark output as secret export const secretValue = pulumi.secret(secret.dataJson); ``` -------------------------------- ### Error Handling Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/provider-resource.md Demonstrates basic error handling when creating a Vault provider with invalid credentials. ```typescript try { const provider = new vault.Provider("my-vault", { address: "https://vault.example.com:8200", token: "invalid-token", }); } catch (error) { // Handle authentication error console.error("Failed to create provider:", error.message); } ``` -------------------------------- ### Multi-Vault Deployments Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/API-INDEX.md Demonstrates how to configure multiple Pulumi Vault Provider instances for different Vault deployments. ```typescript const primary = new vault.Provider("primary", { address: "https://vault1.example.com", token: "...", }); const secondary = new vault.Provider("secondary", { address: "https://vault2.example.com", token: "...", }); const policy1 = new vault.Policy("policy1", { name: "policy", policy: "...", }, { provider: primary }); const policy2 = new vault.Policy("policy2", { name: "policy", policy: "...", }, { provider: secondary }); ``` -------------------------------- ### Error Handling Example Source: https://github.com/pulumi/pulumi-vault/blob/master/_autodocs/README.md Demonstrates error handling when creating a Vault policy with invalid syntax. ```typescript try { const policy = new vault.Policy("example", { name: "dev", policy: "invalid", // This will error on creation }); } catch (error) { console.error("Failed to create policy:", error); } ``` -------------------------------- ### Generate and Check-in SDKs Source: https://github.com/pulumi/pulumi-vault/blob/master/CONTRIBUTING.md Instructions for generating and checking in SDKs as part of a pull request. ```bash make build_sdks ```