import * as pulumi from "@pulumi/pulumi";
/**
 * Manages an OpenID Connect authentication realm in Proxmox VE.
 *
 * OpenID Connect realms allow Proxmox to authenticate users against an external OpenID Connect provider.
 *
 * ## Privileges Required
 *
 * | Path            | Attribute      |
 * |-----------------|----------------|
 * | /access/domains | Realm.Allocate |
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
 *
 * const example = new proxmoxve.realm.Openid("example", {
 *     realm: "example-oidc",
 *     issuerUrl: "https://auth.example.com",
 *     clientId: "your-client-id",
 *     clientKey: oidcClientSecret,
 *     usernameClaim: "email",
 *     autocreate: true,
 *     groupsClaim: "groups",
 *     groupsAutocreate: true,
 *     groupsOverwrite: false,
 *     scopes: "openid email profile",
 *     queryUserinfo: true,
 *     comment: "Example OpenID Connect realm managed by Terraform",
 * });
 * ```
 *
 * ## Notes
 *
 * ### Client Key Security
 *
 * The `clientKey` is sent to Proxmox and stored securely, but it's never returned by the API. This means:
 *
 * - Terraform cannot detect if the client key was changed outside of Terraform
 * - You must maintain the client key in your Terraform configuration or use a variable
 * - The client key will be marked as sensitive in Terraform state
 *
 * #### Minimal Configuration
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
 *
 * const minimal = new proxmoxve.realm.Openid("minimal", {
 *     realm: "my-oidc",
 *     issuerUrl: "https://auth.example.com",
 *     clientId: oidcClientId,
 *     clientKey: oidcClientSecret,
 * });
 * ```
 *
 * #### With User and Group Provisioning
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
 *
 * const full = new proxmoxve.realm.Openid("full", {
 *     realm: "corporate-oidc",
 *     issuerUrl: "https://auth.example.com/realms/my-realm",
 *     clientId: oidcClientId,
 *     clientKey: oidcClientSecret,
 *     usernameClaim: "email",
 *     autocreate: true,
 *     groupsClaim: "groups",
 *     groupsAutocreate: true,
 *     scopes: "openid email profile",
 *     queryUserinfo: true,
 * });
 * ```
 *
 * ## See Also
 *
 * - [Proxmox VE User Management](https://pve.proxmox.com/wiki/User_Management)
 * - [Proxmox VE OpenID Connect Authentication](https://pve.proxmox.com/wiki/User_Management#pveum_openid)
 * - [Proxmox API: /access/domains](https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/domains)
 *
 * ## Import
 *
 * !/usr/bin/env sh
 * OpenID realms can be imported using the realm identifier, e.g.:
 *
 * ```sh
 * $ pulumi import proxmoxve:realm/openid:Openid example example-oidc
 * ```
 *
 * > When importing, the `clientKey` attribute cannot be imported since it's not returned by the Proxmox API. You'll need to set this attribute in your Terraform configuration after the import to manage it with Terraform.
 */
export declare class Openid extends pulumi.CustomResource {
    /**
     * Get an existing Openid resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OpenidState, opts?: pulumi.CustomResourceOptions): Openid;
    /**
     * Returns true if the given object is an instance of Openid.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Openid;
    /**
     * Authentication Context Class Reference values for the OpenID provider.
     */
    readonly acrValues: pulumi.Output<string | undefined>;
    /**
     * Audiences that the OpenID Issuer may include that are accepted for the client (comma-separated).
     */
    readonly audiences: pulumi.Output<string | undefined>;
    /**
     * Automatically create users on the Proxmox cluster if they do not exist.
     */
    readonly autocreate: pulumi.Output<boolean>;
    /**
     * OpenID Connect Client ID.
     */
    readonly clientId: pulumi.Output<string>;
    /**
     * OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
     */
    readonly clientKey: pulumi.Output<string | undefined>;
    /**
     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
     * OpenID Connect Client Key (secret), supplied as a [write-only argument](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only) so it is never stored in Terraform state or plan. Requires Terraform 1.11+. Mutually exclusive with `clientKey`. Pair with `clientKeyWoVersion` to push a rotated secret.
     */
    readonly clientKeyWo: pulumi.Output<string | undefined>;
    /**
     * Version counter for `clientKeyWo`. Because write-only values are not stored in state, Terraform cannot detect when `clientKeyWo` changes; increment this value to signal a rotation and force the new secret to be sent.
     */
    readonly clientKeyWoVersion: pulumi.Output<number | undefined>;
    /**
     * Description of the realm.
     */
    readonly comment: pulumi.Output<string | undefined>;
    /**
     * Use this realm as the default for login.
     */
    readonly default: pulumi.Output<boolean>;
    /**
     * Automatically create groups from claims rather than using existing Proxmox VE groups.
     */
    readonly groupsAutocreate: pulumi.Output<boolean>;
    /**
     * OpenID claim used to retrieve user group memberships.
     */
    readonly groupsClaim: pulumi.Output<string | undefined>;
    /**
     * Replace assigned groups on login instead of appending to existing ones.
     */
    readonly groupsOverwrite: pulumi.Output<boolean>;
    /**
     * OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
     */
    readonly issuerUrl: pulumi.Output<string>;
    /**
     * Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
     */
    readonly prompt: pulumi.Output<string | undefined>;
    /**
     * Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
     */
    readonly queryUserinfo: pulumi.Output<boolean>;
    /**
     * Realm identifier (e.g., 'my-oidc').
     */
    readonly realm: pulumi.Output<string>;
    /**
     * Space-separated list of OpenID scopes to request.
     */
    readonly scopes: pulumi.Output<string>;
    /**
     * OpenID claim used to generate the unique username. Common values are `subject`, `username`, `email`, and `upn`.
     */
    readonly usernameClaim: pulumi.Output<string | undefined>;
    /**
     * Create a Openid resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: OpenidArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Openid resources.
 */
export interface OpenidState {
    /**
     * Authentication Context Class Reference values for the OpenID provider.
     */
    acrValues?: pulumi.Input<string | undefined>;
    /**
     * Audiences that the OpenID Issuer may include that are accepted for the client (comma-separated).
     */
    audiences?: pulumi.Input<string | undefined>;
    /**
     * Automatically create users on the Proxmox cluster if they do not exist.
     */
    autocreate?: pulumi.Input<boolean | undefined>;
    /**
     * OpenID Connect Client ID.
     */
    clientId?: pulumi.Input<string | undefined>;
    /**
     * OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
     */
    clientKey?: pulumi.Input<string | undefined>;
    /**
     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
     * OpenID Connect Client Key (secret), supplied as a [write-only argument](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only) so it is never stored in Terraform state or plan. Requires Terraform 1.11+. Mutually exclusive with `clientKey`. Pair with `clientKeyWoVersion` to push a rotated secret.
     */
    clientKeyWo?: pulumi.Input<string | undefined>;
    /**
     * Version counter for `clientKeyWo`. Because write-only values are not stored in state, Terraform cannot detect when `clientKeyWo` changes; increment this value to signal a rotation and force the new secret to be sent.
     */
    clientKeyWoVersion?: pulumi.Input<number | undefined>;
    /**
     * Description of the realm.
     */
    comment?: pulumi.Input<string | undefined>;
    /**
     * Use this realm as the default for login.
     */
    default?: pulumi.Input<boolean | undefined>;
    /**
     * Automatically create groups from claims rather than using existing Proxmox VE groups.
     */
    groupsAutocreate?: pulumi.Input<boolean | undefined>;
    /**
     * OpenID claim used to retrieve user group memberships.
     */
    groupsClaim?: pulumi.Input<string | undefined>;
    /**
     * Replace assigned groups on login instead of appending to existing ones.
     */
    groupsOverwrite?: pulumi.Input<boolean | undefined>;
    /**
     * OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
     */
    issuerUrl?: pulumi.Input<string | undefined>;
    /**
     * Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
     */
    prompt?: pulumi.Input<string | undefined>;
    /**
     * Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
     */
    queryUserinfo?: pulumi.Input<boolean | undefined>;
    /**
     * Realm identifier (e.g., 'my-oidc').
     */
    realm?: pulumi.Input<string | undefined>;
    /**
     * Space-separated list of OpenID scopes to request.
     */
    scopes?: pulumi.Input<string | undefined>;
    /**
     * OpenID claim used to generate the unique username. Common values are `subject`, `username`, `email`, and `upn`.
     */
    usernameClaim?: pulumi.Input<string | undefined>;
}
/**
 * The set of arguments for constructing a Openid resource.
 */
export interface OpenidArgs {
    /**
     * Authentication Context Class Reference values for the OpenID provider.
     */
    acrValues?: pulumi.Input<string | undefined>;
    /**
     * Audiences that the OpenID Issuer may include that are accepted for the client (comma-separated).
     */
    audiences?: pulumi.Input<string | undefined>;
    /**
     * Automatically create users on the Proxmox cluster if they do not exist.
     */
    autocreate?: pulumi.Input<boolean | undefined>;
    /**
     * OpenID Connect Client ID.
     */
    clientId: pulumi.Input<string>;
    /**
     * OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
     */
    clientKey?: pulumi.Input<string | undefined>;
    /**
     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
     * OpenID Connect Client Key (secret), supplied as a [write-only argument](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only) so it is never stored in Terraform state or plan. Requires Terraform 1.11+. Mutually exclusive with `clientKey`. Pair with `clientKeyWoVersion` to push a rotated secret.
     */
    clientKeyWo?: pulumi.Input<string | undefined>;
    /**
     * Version counter for `clientKeyWo`. Because write-only values are not stored in state, Terraform cannot detect when `clientKeyWo` changes; increment this value to signal a rotation and force the new secret to be sent.
     */
    clientKeyWoVersion?: pulumi.Input<number | undefined>;
    /**
     * Description of the realm.
     */
    comment?: pulumi.Input<string | undefined>;
    /**
     * Use this realm as the default for login.
     */
    default?: pulumi.Input<boolean | undefined>;
    /**
     * Automatically create groups from claims rather than using existing Proxmox VE groups.
     */
    groupsAutocreate?: pulumi.Input<boolean | undefined>;
    /**
     * OpenID claim used to retrieve user group memberships.
     */
    groupsClaim?: pulumi.Input<string | undefined>;
    /**
     * Replace assigned groups on login instead of appending to existing ones.
     */
    groupsOverwrite?: pulumi.Input<boolean | undefined>;
    /**
     * OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
     */
    issuerUrl: pulumi.Input<string>;
    /**
     * Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
     */
    prompt?: pulumi.Input<string | undefined>;
    /**
     * Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
     */
    queryUserinfo?: pulumi.Input<boolean | undefined>;
    /**
     * Realm identifier (e.g., 'my-oidc').
     */
    realm: pulumi.Input<string>;
    /**
     * Space-separated list of OpenID scopes to request.
     */
    scopes?: pulumi.Input<string | undefined>;
    /**
     * OpenID claim used to generate the unique username. Common values are `subject`, `username`, `email`, and `upn`.
     */
    usernameClaim?: pulumi.Input<string | undefined>;
}
//# sourceMappingURL=openid.d.ts.map