Viewing docs for HashiCorp Vault v7.7.0
published on Friday, Feb 6, 2026 by Pulumi
published on Friday, Feb 6, 2026 by Pulumi
Viewing docs for HashiCorp Vault v7.7.0
published on Friday, Feb 6, 2026 by Pulumi
published on Friday, Feb 6, 2026 by Pulumi
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const gcp = new vault.secrets.SyncGcpDestination("gcp", {
name: "gcp-dest",
projectId: "gcp-project-id",
credentials: std.file({
input: credentialsFile,
}).then(invoke => invoke.result),
secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
customTags: {
foo: "bar",
},
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
gcp = vault.secrets.SyncGcpDestination("gcp",
name="gcp-dest",
project_id="gcp-project-id",
credentials=std.file(input=credentials_file).result,
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
custom_tags={
"foo": "bar",
})
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: credentialsFile,
}, nil)
if err != nil {
return err
}
_, err = secrets.NewSyncGcpDestination(ctx, "gcp", &secrets.SyncGcpDestinationArgs{
Name: pulumi.String("gcp-dest"),
ProjectId: pulumi.String("gcp-project-id"),
Credentials: pulumi.String(invokeFile.Result),
SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
CustomTags: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcp = new Vault.Secrets.SyncGcpDestination("gcp", new()
{
Name = "gcp-dest",
ProjectId = "gcp-project-id",
Credentials = Std.File.Invoke(new()
{
Input = credentialsFile,
}).Apply(invoke => invoke.Result),
SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
CustomTags =
{
{ "foo", "bar" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcp = new SyncGcpDestination("gcp", SyncGcpDestinationArgs.builder()
.name("gcp-dest")
.projectId("gcp-project-id")
.credentials(StdFunctions.file(FileArgs.builder()
.input(credentialsFile)
.build()).result())
.secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
.customTags(Map.of("foo", "bar"))
.build());
}
}
resources:
gcp:
type: vault:secrets:SyncGcpDestination
properties:
name: gcp-dest
projectId: gcp-project-id
credentials:
fn::invoke:
function: std:file
arguments:
input: ${credentialsFile}
return: result
secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
customTags:
foo: bar
With Networking Configuration (Vault 1.19+)
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const gcpNetworking = new vault.secrets.SyncGcpDestination("gcp_networking", {
name: "gcp-dest-networking",
projectId: "gcp-project-id",
credentials: std.file({
input: credentialsFile,
}).then(invoke => invoke.result),
secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
allowedIpv4Addresses: [
"10.0.0.0/8",
"192.168.0.0/16",
],
allowedIpv6Addresses: ["2001:db8::/32"],
allowedPorts: [
443,
8443,
],
disableStrictNetworking: false,
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
gcp_networking = vault.secrets.SyncGcpDestination("gcp_networking",
name="gcp-dest-networking",
project_id="gcp-project-id",
credentials=std.file(input=credentials_file).result,
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
allowed_ipv4_addresses=[
"10.0.0.0/8",
"192.168.0.0/16",
],
allowed_ipv6_addresses=["2001:db8::/32"],
allowed_ports=[
443,
8443,
],
disable_strict_networking=False)
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: credentialsFile,
}, nil)
if err != nil {
return err
}
_, err = secrets.NewSyncGcpDestination(ctx, "gcp_networking", &secrets.SyncGcpDestinationArgs{
Name: pulumi.String("gcp-dest-networking"),
ProjectId: pulumi.String("gcp-project-id"),
Credentials: pulumi.String(invokeFile.Result),
SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
AllowedIpv4Addresses: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
pulumi.String("192.168.0.0/16"),
},
AllowedIpv6Addresses: pulumi.StringArray{
pulumi.String("2001:db8::/32"),
},
AllowedPorts: pulumi.IntArray{
pulumi.Int(443),
pulumi.Int(8443),
},
DisableStrictNetworking: pulumi.Bool(false),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcpNetworking = new Vault.Secrets.SyncGcpDestination("gcp_networking", new()
{
Name = "gcp-dest-networking",
ProjectId = "gcp-project-id",
Credentials = Std.File.Invoke(new()
{
Input = credentialsFile,
}).Apply(invoke => invoke.Result),
SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
AllowedIpv4Addresses = new[]
{
"10.0.0.0/8",
"192.168.0.0/16",
},
AllowedIpv6Addresses = new[]
{
"2001:db8::/32",
},
AllowedPorts = new[]
{
443,
8443,
},
DisableStrictNetworking = false,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcpNetworking = new SyncGcpDestination("gcpNetworking", SyncGcpDestinationArgs.builder()
.name("gcp-dest-networking")
.projectId("gcp-project-id")
.credentials(StdFunctions.file(FileArgs.builder()
.input(credentialsFile)
.build()).result())
.secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
.allowedIpv4Addresses(
"10.0.0.0/8",
"192.168.0.0/16")
.allowedIpv6Addresses("2001:db8::/32")
.allowedPorts(
443,
8443)
.disableStrictNetworking(false)
.build());
}
}
resources:
gcpNetworking:
type: vault:secrets:SyncGcpDestination
name: gcp_networking
properties:
name: gcp-dest-networking
projectId: gcp-project-id
credentials:
fn::invoke:
function: std:file
arguments:
input: ${credentialsFile}
return: result
secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
allowedIpv4Addresses:
- 10.0.0.0/8
- 192.168.0.0/16
allowedIpv6Addresses:
- 2001:db8::/32
allowedPorts:
- 443
- 8443
disableStrictNetworking: false
With Global Encryption (Vault 1.19+)
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const gcpEncryption = new vault.secrets.SyncGcpDestination("gcp_encryption", {
name: "gcp-dest-encryption",
projectId: "gcp-project-id",
credentials: std.file({
input: credentialsFile,
}).then(invoke => invoke.result),
secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
globalKmsKey: "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key",
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
gcp_encryption = vault.secrets.SyncGcpDestination("gcp_encryption",
name="gcp-dest-encryption",
project_id="gcp-project-id",
credentials=std.file(input=credentials_file).result,
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
global_kms_key="projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key")
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: credentialsFile,
}, nil)
if err != nil {
return err
}
_, err = secrets.NewSyncGcpDestination(ctx, "gcp_encryption", &secrets.SyncGcpDestinationArgs{
Name: pulumi.String("gcp-dest-encryption"),
ProjectId: pulumi.String("gcp-project-id"),
Credentials: pulumi.String(invokeFile.Result),
SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
GlobalKmsKey: pulumi.String("projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcpEncryption = new Vault.Secrets.SyncGcpDestination("gcp_encryption", new()
{
Name = "gcp-dest-encryption",
ProjectId = "gcp-project-id",
Credentials = Std.File.Invoke(new()
{
Input = credentialsFile,
}).Apply(invoke => invoke.Result),
SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
GlobalKmsKey = "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcpEncryption = new SyncGcpDestination("gcpEncryption", SyncGcpDestinationArgs.builder()
.name("gcp-dest-encryption")
.projectId("gcp-project-id")
.credentials(StdFunctions.file(FileArgs.builder()
.input(credentialsFile)
.build()).result())
.secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
.globalKmsKey("projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key")
.build());
}
}
resources:
gcpEncryption:
type: vault:secrets:SyncGcpDestination
name: gcp_encryption
properties:
name: gcp-dest-encryption
projectId: gcp-project-id
credentials:
fn::invoke:
function: std:file
arguments:
input: ${credentialsFile}
return: result
secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
globalKmsKey: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key
With Multi-Region Replication and Regional Encryption (Vault 1.19+)
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const gcpReplicationEncryption = new vault.secrets.SyncGcpDestination("gcp_replication_encryption", {
name: "gcp-dest-replication-encryption",
projectId: "gcp-project-id",
credentials: std.file({
input: credentialsFile,
}).then(invoke => invoke.result),
secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}",
granularity: "secret-key",
locationalKmsKeys: {
"us-central1": "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key",
"us-east1": "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key",
},
replicationLocations: [
"us-central1",
"us-east1",
],
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
gcp_replication_encryption = vault.secrets.SyncGcpDestination("gcp_replication_encryption",
name="gcp-dest-replication-encryption",
project_id="gcp-project-id",
credentials=std.file(input=credentials_file).result,
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}",
granularity="secret-key",
locational_kms_keys={
"us-central1": "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key",
"us-east1": "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key",
},
replication_locations=[
"us-central1",
"us-east1",
])
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: credentialsFile,
}, nil)
if err != nil {
return err
}
_, err = secrets.NewSyncGcpDestination(ctx, "gcp_replication_encryption", &secrets.SyncGcpDestinationArgs{
Name: pulumi.String("gcp-dest-replication-encryption"),
ProjectId: pulumi.String("gcp-project-id"),
Credentials: pulumi.String(invokeFile.Result),
SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}"),
Granularity: pulumi.String("secret-key"),
LocationalKmsKeys: pulumi.StringMap{
"us-central1": pulumi.String("projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key"),
"us-east1": pulumi.String("projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key"),
},
ReplicationLocations: pulumi.StringArray{
pulumi.String("us-central1"),
pulumi.String("us-east1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcpReplicationEncryption = new Vault.Secrets.SyncGcpDestination("gcp_replication_encryption", new()
{
Name = "gcp-dest-replication-encryption",
ProjectId = "gcp-project-id",
Credentials = Std.File.Invoke(new()
{
Input = credentialsFile,
}).Apply(invoke => invoke.Result),
SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}",
Granularity = "secret-key",
LocationalKmsKeys =
{
{ "us-central1", "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key" },
{ "us-east1", "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key" },
},
ReplicationLocations = new[]
{
"us-central1",
"us-east1",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcpReplicationEncryption = new SyncGcpDestination("gcpReplicationEncryption", SyncGcpDestinationArgs.builder()
.name("gcp-dest-replication-encryption")
.projectId("gcp-project-id")
.credentials(StdFunctions.file(FileArgs.builder()
.input(credentialsFile)
.build()).result())
.secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}")
.granularity("secret-key")
.locationalKmsKeys(Map.ofEntries(
Map.entry("us-central1", "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key"),
Map.entry("us-east1", "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key")
))
.replicationLocations(
"us-central1",
"us-east1")
.build());
}
}
resources:
gcpReplicationEncryption:
type: vault:secrets:SyncGcpDestination
name: gcp_replication_encryption
properties:
name: gcp-dest-replication-encryption
projectId: gcp-project-id
credentials:
fn::invoke:
function: std:file
arguments:
input: ${credentialsFile}
return: result
secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}
granularity: secret-key
locationalKmsKeys:
us-central1: projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key
us-east1: projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key
replicationLocations:
- us-central1
- us-east1
Create SyncGcpDestination Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SyncGcpDestination(name: string, args?: SyncGcpDestinationArgs, opts?: CustomResourceOptions);@overload
def SyncGcpDestination(resource_name: str,
args: Optional[SyncGcpDestinationArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def SyncGcpDestination(resource_name: str,
opts: Optional[ResourceOptions] = None,
allowed_ipv4_addresses: Optional[Sequence[str]] = None,
allowed_ipv6_addresses: Optional[Sequence[str]] = None,
allowed_ports: Optional[Sequence[int]] = None,
credentials: Optional[str] = None,
custom_tags: Optional[Mapping[str, str]] = None,
disable_strict_networking: Optional[bool] = None,
global_kms_key: Optional[str] = None,
granularity: Optional[str] = None,
locational_kms_keys: Optional[Mapping[str, str]] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
project_id: Optional[str] = None,
replication_locations: Optional[Sequence[str]] = None,
secret_name_template: Optional[str] = None)func NewSyncGcpDestination(ctx *Context, name string, args *SyncGcpDestinationArgs, opts ...ResourceOption) (*SyncGcpDestination, error)public SyncGcpDestination(string name, SyncGcpDestinationArgs? args = null, CustomResourceOptions? opts = null)
public SyncGcpDestination(String name, SyncGcpDestinationArgs args)
public SyncGcpDestination(String name, SyncGcpDestinationArgs args, CustomResourceOptions options)
type: vault:secrets:SyncGcpDestination
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SyncGcpDestinationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SyncGcpDestinationArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SyncGcpDestinationArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SyncGcpDestinationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SyncGcpDestinationArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var syncGcpDestinationResource = new Vault.Secrets.SyncGcpDestination("syncGcpDestinationResource", new()
{
AllowedIpv4Addresses = new[]
{
"string",
},
AllowedIpv6Addresses = new[]
{
"string",
},
AllowedPorts = new[]
{
0,
},
Credentials = "string",
CustomTags =
{
{ "string", "string" },
},
DisableStrictNetworking = false,
GlobalKmsKey = "string",
Granularity = "string",
LocationalKmsKeys =
{
{ "string", "string" },
},
Name = "string",
Namespace = "string",
ProjectId = "string",
ReplicationLocations = new[]
{
"string",
},
SecretNameTemplate = "string",
});
example, err := secrets.NewSyncGcpDestination(ctx, "syncGcpDestinationResource", &secrets.SyncGcpDestinationArgs{
AllowedIpv4Addresses: pulumi.StringArray{
pulumi.String("string"),
},
AllowedIpv6Addresses: pulumi.StringArray{
pulumi.String("string"),
},
AllowedPorts: pulumi.IntArray{
pulumi.Int(0),
},
Credentials: pulumi.String("string"),
CustomTags: pulumi.StringMap{
"string": pulumi.String("string"),
},
DisableStrictNetworking: pulumi.Bool(false),
GlobalKmsKey: pulumi.String("string"),
Granularity: pulumi.String("string"),
LocationalKmsKeys: pulumi.StringMap{
"string": pulumi.String("string"),
},
Name: pulumi.String("string"),
Namespace: pulumi.String("string"),
ProjectId: pulumi.String("string"),
ReplicationLocations: pulumi.StringArray{
pulumi.String("string"),
},
SecretNameTemplate: pulumi.String("string"),
})
var syncGcpDestinationResource = new SyncGcpDestination("syncGcpDestinationResource", SyncGcpDestinationArgs.builder()
.allowedIpv4Addresses("string")
.allowedIpv6Addresses("string")
.allowedPorts(0)
.credentials("string")
.customTags(Map.of("string", "string"))
.disableStrictNetworking(false)
.globalKmsKey("string")
.granularity("string")
.locationalKmsKeys(Map.of("string", "string"))
.name("string")
.namespace("string")
.projectId("string")
.replicationLocations("string")
.secretNameTemplate("string")
.build());
sync_gcp_destination_resource = vault.secrets.SyncGcpDestination("syncGcpDestinationResource",
allowed_ipv4_addresses=["string"],
allowed_ipv6_addresses=["string"],
allowed_ports=[0],
credentials="string",
custom_tags={
"string": "string",
},
disable_strict_networking=False,
global_kms_key="string",
granularity="string",
locational_kms_keys={
"string": "string",
},
name="string",
namespace="string",
project_id="string",
replication_locations=["string"],
secret_name_template="string")
const syncGcpDestinationResource = new vault.secrets.SyncGcpDestination("syncGcpDestinationResource", {
allowedIpv4Addresses: ["string"],
allowedIpv6Addresses: ["string"],
allowedPorts: [0],
credentials: "string",
customTags: {
string: "string",
},
disableStrictNetworking: false,
globalKmsKey: "string",
granularity: "string",
locationalKmsKeys: {
string: "string",
},
name: "string",
namespace: "string",
projectId: "string",
replicationLocations: ["string"],
secretNameTemplate: "string",
});
type: vault:secrets:SyncGcpDestination
properties:
allowedIpv4Addresses:
- string
allowedIpv6Addresses:
- string
allowedPorts:
- 0
credentials: string
customTags:
string: string
disableStrictNetworking: false
globalKmsKey: string
granularity: string
locationalKmsKeys:
string: string
name: string
namespace: string
projectId: string
replicationLocations:
- string
secretNameTemplate: string
SyncGcpDestination Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SyncGcpDestination resource accepts the following input properties:
- Allowed
Ipv4Addresses List<string> - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- Allowed
Ipv6Addresses List<string> - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- Allowed
Ports List<int> - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- Credentials string
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Dictionary<string, string>
- Custom tags to set on the secret managed at the destination.
- Disable
Strict boolNetworking - Disable strict networking requirements.
- Global
Kms stringKey - Global KMS key for encryption.
- Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - Locational
Kms Dictionary<string, string>Keys - Locational KMS keys for encryption.
- Name string
- Unique name of the GCP destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - Project
Id string - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- Replication
Locations List<string> - Replication locations for secrets.
- Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- Allowed
Ipv4Addresses []string - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- Allowed
Ipv6Addresses []string - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- Allowed
Ports []int - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- Credentials string
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - map[string]string
- Custom tags to set on the secret managed at the destination.
- Disable
Strict boolNetworking - Disable strict networking requirements.
- Global
Kms stringKey - Global KMS key for encryption.
- Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - Locational
Kms map[string]stringKeys - Locational KMS keys for encryption.
- Name string
- Unique name of the GCP destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - Project
Id string - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- Replication
Locations []string - Replication locations for secrets.
- Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- allowed
Ipv4Addresses List<String> - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed
Ipv6Addresses List<String> - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed
Ports List<Integer> - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials String
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Map<String,String>
- Custom tags to set on the secret managed at the destination.
- disable
Strict BooleanNetworking - Disable strict networking requirements.
- global
Kms StringKey - Global KMS key for encryption.
- granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational
Kms Map<String,String>Keys - Locational KMS keys for encryption.
- name String
- Unique name of the GCP destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project
Id String - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication
Locations List<String> - Replication locations for secrets.
- secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- allowed
Ipv4Addresses string[] - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed
Ipv6Addresses string[] - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed
Ports number[] - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials string
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - {[key: string]: string}
- Custom tags to set on the secret managed at the destination.
- disable
Strict booleanNetworking - Disable strict networking requirements.
- global
Kms stringKey - Global KMS key for encryption.
- granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational
Kms {[key: string]: string}Keys - Locational KMS keys for encryption.
- name string
- Unique name of the GCP destination.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project
Id string - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication
Locations string[] - Replication locations for secrets.
- secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- allowed_
ipv4_ Sequence[str]addresses - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed_
ipv6_ Sequence[str]addresses - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed_
ports Sequence[int] - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials str
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Mapping[str, str]
- Custom tags to set on the secret managed at the destination.
- disable_
strict_ boolnetworking - Disable strict networking requirements.
- global_
kms_ strkey - Global KMS key for encryption.
- granularity str
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational_
kms_ Mapping[str, str]keys - Locational KMS keys for encryption.
- name str
- Unique name of the GCP destination.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project_
id str - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication_
locations Sequence[str] - Replication locations for secrets.
- secret_
name_ strtemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- allowed
Ipv4Addresses List<String> - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed
Ipv6Addresses List<String> - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed
Ports List<Number> - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials String
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Map<String>
- Custom tags to set on the secret managed at the destination.
- disable
Strict BooleanNetworking - Disable strict networking requirements.
- global
Kms StringKey - Global KMS key for encryption.
- granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational
Kms Map<String>Keys - Locational KMS keys for encryption.
- name String
- Unique name of the GCP destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project
Id String - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication
Locations List<String> - Replication locations for secrets.
- secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
Outputs
All input properties are implicitly available as output properties. Additionally, the SyncGcpDestination resource produces the following output properties:
Look up Existing SyncGcpDestination Resource
Get an existing SyncGcpDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SyncGcpDestinationState, opts?: CustomResourceOptions): SyncGcpDestination@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_ipv4_addresses: Optional[Sequence[str]] = None,
allowed_ipv6_addresses: Optional[Sequence[str]] = None,
allowed_ports: Optional[Sequence[int]] = None,
credentials: Optional[str] = None,
custom_tags: Optional[Mapping[str, str]] = None,
disable_strict_networking: Optional[bool] = None,
global_kms_key: Optional[str] = None,
granularity: Optional[str] = None,
locational_kms_keys: Optional[Mapping[str, str]] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
project_id: Optional[str] = None,
replication_locations: Optional[Sequence[str]] = None,
secret_name_template: Optional[str] = None,
type: Optional[str] = None) -> SyncGcpDestinationfunc GetSyncGcpDestination(ctx *Context, name string, id IDInput, state *SyncGcpDestinationState, opts ...ResourceOption) (*SyncGcpDestination, error)public static SyncGcpDestination Get(string name, Input<string> id, SyncGcpDestinationState? state, CustomResourceOptions? opts = null)public static SyncGcpDestination get(String name, Output<String> id, SyncGcpDestinationState state, CustomResourceOptions options)resources: _: type: vault:secrets:SyncGcpDestination get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Ipv4Addresses List<string> - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- Allowed
Ipv6Addresses List<string> - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- Allowed
Ports List<int> - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- Credentials string
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Dictionary<string, string>
- Custom tags to set on the secret managed at the destination.
- Disable
Strict boolNetworking - Disable strict networking requirements.
- Global
Kms stringKey - Global KMS key for encryption.
- Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - Locational
Kms Dictionary<string, string>Keys - Locational KMS keys for encryption.
- Name string
- Unique name of the GCP destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - Project
Id string - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- Replication
Locations List<string> - Replication locations for secrets.
- Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- Type string
- The type of the secrets destination (
gcp-sm).
- Allowed
Ipv4Addresses []string - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- Allowed
Ipv6Addresses []string - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- Allowed
Ports []int - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- Credentials string
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - map[string]string
- Custom tags to set on the secret managed at the destination.
- Disable
Strict boolNetworking - Disable strict networking requirements.
- Global
Kms stringKey - Global KMS key for encryption.
- Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - Locational
Kms map[string]stringKeys - Locational KMS keys for encryption.
- Name string
- Unique name of the GCP destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - Project
Id string - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- Replication
Locations []string - Replication locations for secrets.
- Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- Type string
- The type of the secrets destination (
gcp-sm).
- allowed
Ipv4Addresses List<String> - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed
Ipv6Addresses List<String> - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed
Ports List<Integer> - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials String
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Map<String,String>
- Custom tags to set on the secret managed at the destination.
- disable
Strict BooleanNetworking - Disable strict networking requirements.
- global
Kms StringKey - Global KMS key for encryption.
- granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational
Kms Map<String,String>Keys - Locational KMS keys for encryption.
- name String
- Unique name of the GCP destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project
Id String - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication
Locations List<String> - Replication locations for secrets.
- secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type String
- The type of the secrets destination (
gcp-sm).
- allowed
Ipv4Addresses string[] - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed
Ipv6Addresses string[] - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed
Ports number[] - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials string
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - {[key: string]: string}
- Custom tags to set on the secret managed at the destination.
- disable
Strict booleanNetworking - Disable strict networking requirements.
- global
Kms stringKey - Global KMS key for encryption.
- granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational
Kms {[key: string]: string}Keys - Locational KMS keys for encryption.
- name string
- Unique name of the GCP destination.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project
Id string - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication
Locations string[] - Replication locations for secrets.
- secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type string
- The type of the secrets destination (
gcp-sm).
- allowed_
ipv4_ Sequence[str]addresses - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed_
ipv6_ Sequence[str]addresses - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed_
ports Sequence[int] - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials str
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Mapping[str, str]
- Custom tags to set on the secret managed at the destination.
- disable_
strict_ boolnetworking - Disable strict networking requirements.
- global_
kms_ strkey - Global KMS key for encryption.
- granularity str
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational_
kms_ Mapping[str, str]keys - Locational KMS keys for encryption.
- name str
- Unique name of the GCP destination.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project_
id str - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication_
locations Sequence[str] - Replication locations for secrets.
- secret_
name_ strtemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type str
- The type of the secrets destination (
gcp-sm).
- allowed
Ipv4Addresses List<String> - Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
- allowed
Ipv6Addresses List<String> - Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
- allowed
Ports List<Number> - Allowed ports for outbound network connectivity. If not set, all ports are allowed.
- credentials String
- JSON-encoded credentials to use to connect to GCP.
Can be omitted and directly provided to Vault using the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. - Map<String>
- Custom tags to set on the secret managed at the destination.
- disable
Strict BooleanNetworking - Disable strict networking requirements.
- global
Kms StringKey - Global KMS key for encryption.
- granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-pathandsecret-key. - locational
Kms Map<String>Keys - Locational KMS keys for encryption.
- name String
- Unique name of the GCP destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. - project
Id String - The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
- replication
Locations List<String> - Replication locations for secrets.
- secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type String
- The type of the secrets destination (
gcp-sm).
Import
GCP Secrets sync destinations can be imported using the name, e.g.
$ pulumi import vault:secrets/syncGcpDestination:SyncGcpDestination gcp gcp-dest
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.
Viewing docs for HashiCorp Vault v7.7.0
published on Friday, Feb 6, 2026 by Pulumi
published on Friday, Feb 6, 2026 by Pulumi
