vault.secrets.SyncGhDestination

HashiCorp Vault v7.7.0, Feb 6 26

HashiCorp Vault v7.7.0 published on Friday, Feb 6, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

HashiCorp Vault v7.7.0 published on Friday, Feb 6, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const gh = new vault.secrets.SyncGhDestination("gh", {
    name: "gh-dest",
    accessToken: accessToken,
    repositoryOwner: repoOwner,
    repositoryName: "repo-name-example",
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    secretsLocation: "repository",
    environmentName: "production",
    allowedIpv4Addresses: [
        "192.168.1.0/24",
        "10.0.0.0/8",
    ],
    allowedIpv6Addresses: ["2001:db8::/32"],
    allowedPorts: [
        443,
        80,
        22,
    ],
    disableStrictNetworking: false,
});

import pulumi
import pulumi_vault as vault

gh = vault.secrets.SyncGhDestination("gh",
    name="gh-dest",
    access_token=access_token,
    repository_owner=repo_owner,
    repository_name="repo-name-example",
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    secrets_location="repository",
    environment_name="production",
    allowed_ipv4_addresses=[
        "192.168.1.0/24",
        "10.0.0.0/8",
    ],
    allowed_ipv6_addresses=["2001:db8::/32"],
    allowed_ports=[
        443,
        80,
        22,
    ],
    disable_strict_networking=False)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := secrets.NewSyncGhDestination(ctx, "gh", &secrets.SyncGhDestinationArgs{
			Name:               pulumi.String("gh-dest"),
			AccessToken:        pulumi.Any(accessToken),
			RepositoryOwner:    pulumi.Any(repoOwner),
			RepositoryName:     pulumi.String("repo-name-example"),
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
			SecretsLocation:    pulumi.String("repository"),
			EnvironmentName:    pulumi.String("production"),
			AllowedIpv4Addresses: pulumi.StringArray{
				pulumi.String("192.168.1.0/24"),
				pulumi.String("10.0.0.0/8"),
			},
			AllowedIpv6Addresses: pulumi.StringArray{
				pulumi.String("2001:db8::/32"),
			},
			AllowedPorts: pulumi.IntArray{
				pulumi.Int(443),
				pulumi.Int(80),
				pulumi.Int(22),
			},
			DisableStrictNetworking: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gh = new Vault.Secrets.SyncGhDestination("gh", new()
    {
        Name = "gh-dest",
        AccessToken = accessToken,
        RepositoryOwner = repoOwner,
        RepositoryName = "repo-name-example",
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        SecretsLocation = "repository",
        EnvironmentName = "production",
        AllowedIpv4Addresses = new[]
        {
            "192.168.1.0/24",
            "10.0.0.0/8",
        },
        AllowedIpv6Addresses = new[]
        {
            "2001:db8::/32",
        },
        AllowedPorts = new[]
        {
            443,
            80,
            22,
        },
        DisableStrictNetworking = false,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGhDestination;
import com.pulumi.vault.secrets.SyncGhDestinationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gh = new SyncGhDestination("gh", SyncGhDestinationArgs.builder()
            .name("gh-dest")
            .accessToken(accessToken)
            .repositoryOwner(repoOwner)
            .repositoryName("repo-name-example")
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
            .secretsLocation("repository")
            .environmentName("production")
            .allowedIpv4Addresses(            
                "192.168.1.0/24",
                "10.0.0.0/8")
            .allowedIpv6Addresses("2001:db8::/32")
            .allowedPorts(            
                443,
                80,
                22)
            .disableStrictNetworking(false)
            .build());

    }
}

resources:
  gh:
    type: vault:secrets:SyncGhDestination
    properties:
      name: gh-dest
      accessToken: ${accessToken}
      repositoryOwner: ${repoOwner}
      repositoryName: repo-name-example
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
      secretsLocation: repository
      environmentName: production
      allowedIpv4Addresses:
        - 192.168.1.0/24
        - 10.0.0.0/8
      allowedIpv6Addresses:
        - 2001:db8::/32
      allowedPorts:
        - 443
        - 80
        - 22
      disableStrictNetworking: false

Create SyncGhDestination Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SyncGhDestination(name: string, args?: SyncGhDestinationArgs, opts?: CustomResourceOptions);

@overload
def SyncGhDestination(resource_name: str,
                      args: Optional[SyncGhDestinationArgs] = None,
                      opts: Optional[ResourceOptions] = None)

@overload
def SyncGhDestination(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      access_token: Optional[str] = None,
                      allowed_ipv4_addresses: Optional[Sequence[str]] = None,
                      allowed_ipv6_addresses: Optional[Sequence[str]] = None,
                      allowed_ports: Optional[Sequence[int]] = None,
                      app_name: Optional[str] = None,
                      disable_strict_networking: Optional[bool] = None,
                      environment_name: Optional[str] = None,
                      granularity: Optional[str] = None,
                      installation_id: Optional[int] = None,
                      name: Optional[str] = None,
                      namespace: Optional[str] = None,
                      repository_name: Optional[str] = None,
                      repository_owner: Optional[str] = None,
                      secret_name_template: Optional[str] = None,
                      secrets_location: Optional[str] = None)

func NewSyncGhDestination(ctx *Context, name string, args *SyncGhDestinationArgs, opts ...ResourceOption) (*SyncGhDestination, error)

public SyncGhDestination(string name, SyncGhDestinationArgs? args = null, CustomResourceOptions? opts = null)

public SyncGhDestination(String name, SyncGhDestinationArgs args)
public SyncGhDestination(String name, SyncGhDestinationArgs args, CustomResourceOptions options)

type: vault:secrets:SyncGhDestination
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SyncGhDestinationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SyncGhDestinationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SyncGhDestinationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SyncGhDestinationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SyncGhDestinationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var syncGhDestinationResource = new Vault.Secrets.SyncGhDestination("syncGhDestinationResource", new()
{
    AccessToken = "string",
    AllowedIpv4Addresses = new[]
    {
        "string",
    },
    AllowedIpv6Addresses = new[]
    {
        "string",
    },
    AllowedPorts = new[]
    {
        0,
    },
    AppName = "string",
    DisableStrictNetworking = false,
    EnvironmentName = "string",
    Granularity = "string",
    InstallationId = 0,
    Name = "string",
    Namespace = "string",
    RepositoryName = "string",
    RepositoryOwner = "string",
    SecretNameTemplate = "string",
    SecretsLocation = "string",
});

example, err := secrets.NewSyncGhDestination(ctx, "syncGhDestinationResource", &secrets.SyncGhDestinationArgs{
	AccessToken: pulumi.String("string"),
	AllowedIpv4Addresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedIpv6Addresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedPorts: pulumi.IntArray{
		pulumi.Int(0),
	},
	AppName:                 pulumi.String("string"),
	DisableStrictNetworking: pulumi.Bool(false),
	EnvironmentName:         pulumi.String("string"),
	Granularity:             pulumi.String("string"),
	InstallationId:          pulumi.Int(0),
	Name:                    pulumi.String("string"),
	Namespace:               pulumi.String("string"),
	RepositoryName:          pulumi.String("string"),
	RepositoryOwner:         pulumi.String("string"),
	SecretNameTemplate:      pulumi.String("string"),
	SecretsLocation:         pulumi.String("string"),
})

var syncGhDestinationResource = new SyncGhDestination("syncGhDestinationResource", SyncGhDestinationArgs.builder()
    .accessToken("string")
    .allowedIpv4Addresses("string")
    .allowedIpv6Addresses("string")
    .allowedPorts(0)
    .appName("string")
    .disableStrictNetworking(false)
    .environmentName("string")
    .granularity("string")
    .installationId(0)
    .name("string")
    .namespace("string")
    .repositoryName("string")
    .repositoryOwner("string")
    .secretNameTemplate("string")
    .secretsLocation("string")
    .build());

sync_gh_destination_resource = vault.secrets.SyncGhDestination("syncGhDestinationResource",
    access_token="string",
    allowed_ipv4_addresses=["string"],
    allowed_ipv6_addresses=["string"],
    allowed_ports=[0],
    app_name="string",
    disable_strict_networking=False,
    environment_name="string",
    granularity="string",
    installation_id=0,
    name="string",
    namespace="string",
    repository_name="string",
    repository_owner="string",
    secret_name_template="string",
    secrets_location="string")

const syncGhDestinationResource = new vault.secrets.SyncGhDestination("syncGhDestinationResource", {
    accessToken: "string",
    allowedIpv4Addresses: ["string"],
    allowedIpv6Addresses: ["string"],
    allowedPorts: [0],
    appName: "string",
    disableStrictNetworking: false,
    environmentName: "string",
    granularity: "string",
    installationId: 0,
    name: "string",
    namespace: "string",
    repositoryName: "string",
    repositoryOwner: "string",
    secretNameTemplate: "string",
    secretsLocation: "string",
});

type: vault:secrets:SyncGhDestination
properties:
    accessToken: string
    allowedIpv4Addresses:
        - string
    allowedIpv6Addresses:
        - string
    allowedPorts:
        - 0
    appName: string
    disableStrictNetworking: false
    environmentName: string
    granularity: string
    installationId: 0
    name: string
    namespace: string
    repositoryName: string
    repositoryOwner: string
    secretNameTemplate: string
    secretsLocation: string

SyncGhDestination Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SyncGhDestination resource accepts the following input properties:

AccessToken string: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
AllowedIpv4Addresses List<string>: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
AllowedIpv6Addresses List<string>: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
AllowedPorts List<int>: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
AppName string: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
DisableStrictNetworking bool: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
EnvironmentName string: Environment name for the destination. Requires Vault 1.18+.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
InstallationId int: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
Name string: Unique name of the GitHub destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
RepositoryName string: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
RepositoryOwner string: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
SecretsLocation string: Location where secrets are stored in the destination. Requires Vault 1.18+.

AccessToken string: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
AllowedIpv4Addresses []string: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
AllowedIpv6Addresses []string: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
AllowedPorts []int: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
AppName string: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
DisableStrictNetworking bool: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
EnvironmentName string: Environment name for the destination. Requires Vault 1.18+.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
InstallationId int: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
Name string: Unique name of the GitHub destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
RepositoryName string: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
RepositoryOwner string: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
SecretsLocation string: Location where secrets are stored in the destination. Requires Vault 1.18+.

accessToken String: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowedIpv4Addresses List<String>: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowedIpv6Addresses List<String>: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowedPorts List<Integer>: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
appName String: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disableStrictNetworking Boolean: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environmentName String: Environment name for the destination. Requires Vault 1.18+.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installationId Integer: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name String: Unique name of the GitHub destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repositoryName String: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repositoryOwner String: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secretsLocation String: Location where secrets are stored in the destination. Requires Vault 1.18+.

accessToken string: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowedIpv4Addresses string[]: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowedIpv6Addresses string[]: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowedPorts number[]: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
appName string: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disableStrictNetworking boolean: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environmentName string: Environment name for the destination. Requires Vault 1.18+.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installationId number: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name string: Unique name of the GitHub destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repositoryName string: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repositoryOwner string: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secretsLocation string: Location where secrets are stored in the destination. Requires Vault 1.18+.

access_token str: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowed_ipv4_addresses Sequence[str]: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowed_ipv6_addresses Sequence[str]: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowed_ports Sequence[int]: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
app_name str: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disable_strict_networking bool: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environment_name str: Environment name for the destination. Requires Vault 1.18+.
granularity str: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installation_id int: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name str: Unique name of the GitHub destination.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repository_name str: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repository_owner str: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secret_name_template str: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secrets_location str: Location where secrets are stored in the destination. Requires Vault 1.18+.

accessToken String: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowedIpv4Addresses List<String>: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowedIpv6Addresses List<String>: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowedPorts List<Number>: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
appName String: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disableStrictNetworking Boolean: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environmentName String: Environment name for the destination. Requires Vault 1.18+.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installationId Number: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name String: Unique name of the GitHub destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repositoryName String: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repositoryOwner String: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secretsLocation String: Location where secrets are stored in the destination. Requires Vault 1.18+.

Outputs

All input properties are implicitly available as output properties. Additionally, the SyncGhDestination resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Type string: The type of the secrets destination (gh).

Id string: The provider-assigned unique ID for this managed resource.
Type string: The type of the secrets destination (gh).

id String: The provider-assigned unique ID for this managed resource.
type String: The type of the secrets destination (gh).

id string: The provider-assigned unique ID for this managed resource.
type string: The type of the secrets destination (gh).

id str: The provider-assigned unique ID for this managed resource.
type str: The type of the secrets destination (gh).

id String: The provider-assigned unique ID for this managed resource.
type String: The type of the secrets destination (gh).

Look up Existing SyncGhDestination Resource

Get an existing SyncGhDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SyncGhDestinationState, opts?: CustomResourceOptions): SyncGhDestination

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_token: Optional[str] = None,
        allowed_ipv4_addresses: Optional[Sequence[str]] = None,
        allowed_ipv6_addresses: Optional[Sequence[str]] = None,
        allowed_ports: Optional[Sequence[int]] = None,
        app_name: Optional[str] = None,
        disable_strict_networking: Optional[bool] = None,
        environment_name: Optional[str] = None,
        granularity: Optional[str] = None,
        installation_id: Optional[int] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        repository_name: Optional[str] = None,
        repository_owner: Optional[str] = None,
        secret_name_template: Optional[str] = None,
        secrets_location: Optional[str] = None,
        type: Optional[str] = None) -> SyncGhDestination

func GetSyncGhDestination(ctx *Context, name string, id IDInput, state *SyncGhDestinationState, opts ...ResourceOption) (*SyncGhDestination, error)

public static SyncGhDestination Get(string name, Input<string> id, SyncGhDestinationState? state, CustomResourceOptions? opts = null)

public static SyncGhDestination get(String name, Output<String> id, SyncGhDestinationState state, CustomResourceOptions options)

resources:  _:    type: vault:secrets:SyncGhDestination    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessToken string: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
AllowedIpv4Addresses List<string>: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
AllowedIpv6Addresses List<string>: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
AllowedPorts List<int>: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
AppName string: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
DisableStrictNetworking bool: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
EnvironmentName string: Environment name for the destination. Requires Vault 1.18+.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
InstallationId int: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
Name string: Unique name of the GitHub destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
RepositoryName string: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
RepositoryOwner string: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
SecretsLocation string: Location where secrets are stored in the destination. Requires Vault 1.18+.
Type string: The type of the secrets destination (gh).

AccessToken string: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
AllowedIpv4Addresses []string: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
AllowedIpv6Addresses []string: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
AllowedPorts []int: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
AppName string: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
DisableStrictNetworking bool: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
EnvironmentName string: Environment name for the destination. Requires Vault 1.18+.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
InstallationId int: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
Name string: Unique name of the GitHub destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
RepositoryName string: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
RepositoryOwner string: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
SecretsLocation string: Location where secrets are stored in the destination. Requires Vault 1.18+.
Type string: The type of the secrets destination (gh).

accessToken String: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowedIpv4Addresses List<String>: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowedIpv6Addresses List<String>: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowedPorts List<Integer>: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
appName String: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disableStrictNetworking Boolean: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environmentName String: Environment name for the destination. Requires Vault 1.18+.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installationId Integer: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name String: Unique name of the GitHub destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repositoryName String: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repositoryOwner String: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secretsLocation String: Location where secrets are stored in the destination. Requires Vault 1.18+.
type String: The type of the secrets destination (gh).

accessToken string: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowedIpv4Addresses string[]: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowedIpv6Addresses string[]: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowedPorts number[]: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
appName string: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disableStrictNetworking boolean: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environmentName string: Environment name for the destination. Requires Vault 1.18+.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installationId number: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name string: Unique name of the GitHub destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repositoryName string: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repositoryOwner string: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secretsLocation string: Location where secrets are stored in the destination. Requires Vault 1.18+.
type string: The type of the secrets destination (gh).

access_token str: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowed_ipv4_addresses Sequence[str]: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowed_ipv6_addresses Sequence[str]: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowed_ports Sequence[int]: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
app_name str: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disable_strict_networking bool: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environment_name str: Environment name for the destination. Requires Vault 1.18+.
granularity str: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installation_id int: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name str: Unique name of the GitHub destination.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repository_name str: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repository_owner str: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secret_name_template str: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secrets_location str: Location where secrets are stored in the destination. Requires Vault 1.18+.
type str: The type of the secrets destination (gh).

accessToken String: Fine-grained or personal access token. Can be omitted and directly provided to Vault using the GITHUB_ACCESS_TOKEN environment variable.
allowedIpv4Addresses List<String>: Set of allowed IPv4 addresses in CIDR notation (e.g., 192.168.1.1/32) for outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed. Requires Vault 1.19+.
allowedIpv6Addresses List<String>: Set of allowed IPv6 addresses in CIDR notation (e.g., 2001:db8::1/128) for outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed. Requires Vault 1.19+.
allowedPorts List<Number>: Set of allowed ports for outbound connections from Vault to the destination. If not set, all ports are allowed. Requires Vault 1.19+.
appName String: The user-defined name of the GitHub App configuration. This is a reference to the name used
on the new endpoint when configuring the GitHub app on the Vault Server. Can be modified. Takes precedence over the access_token field.
disableStrictNetworking Boolean: If set to true, disables strict networking enforcement for this destination. When disabled, Vault will not enforce allowed IP addresses and ports. Defaults to false. Requires Vault 1.19+.
environmentName String: Environment name for the destination. Requires Vault 1.18+.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
installationId Number: The ID of the installation generated by GitHub when the app referenced by the app_name was installed in the user's GitHub account. Can be modified. Necessary if the app_name field is also provided.
name String: Unique name of the GitHub destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
repositoryName String: Name of the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_NAME environment variable.
repositoryOwner String: GitHub organization or username that owns the repository. Can be omitted and directly provided to Vault using the GITHUB_REPOSITORY_OWNER environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
secretsLocation String: Location where secrets are stored in the destination. Requires Vault 1.18+.
type String: The type of the secrets destination (gh).

Import

GitHub Secrets sync destinations can be imported using the name, e.g.

$ pulumi import vault:secrets/syncGhDestination:SyncGhDestination gh gh-dest

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v7.7.0 published on Friday, Feb 6, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.secrets.SyncGhDestination

On this page

On this page

Example Usage

Create SyncGhDestination Resource

Constructor syntax

Parameters

Constructor example

SyncGhDestination Resource Properties

Inputs

Outputs

Look up Existing SyncGhDestination Resource

Import

Package Details

On this page

On this page